
gitlab.com/gitlab-org/gitaly.git - Unnamed repository; edit this file 'description' to name the repository.
authorJohn Cai <jcai@gitlab.com>2020-05-28 01:30:15 +0300
committerJohn Cai <jcai@gitlab.com>2020-05-29 00:50:59 +0300
commitea43d93b3e9f5f30f40d422082278e18c734df04 (patch)
treeec037fbf7fd56c5e18dc38f9e09bc784c1390565 /auth
parent2c0194fc7ac8436107a40ff79edbdc8f1ce2afc4 (diff)
Check auth before limit handler
Diffstat (limited to 'auth')
-rw-r--r--auth/extract_test.go10
-rw-r--r--auth/token.go18
2 files changed, 24 insertions, 4 deletions
diff --git a/auth/extract_test.go b/auth/extract_test.go
index 510fb1790..e002762b3 100644
--- a/auth/extract_test.go
+++ b/auth/extract_test.go
@@ -10,6 +10,16 @@ import (
)
func TestCheckTokenV2(t *testing.T) {
+ // the tests below had their hmac signatures generated with the default 30s
+ // in our tests, we modify this number with ldflags but this test should continue
+ // to use the 30s number
+
+ defer func(d time.Duration) {
+ timestampThresholdDuration = d
+ }(timestampThresholdDuration)
+
+ timestampThresholdDuration = 30 * time.Second
+
targetTime := time.Unix(1535671600, 0)
secret := []byte("foo")
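Review bot: The override at the top of TestCheckTokenV2 mutates the package-level `timestampThresholdDuration` that CheckToken reads, so it is only safe while no test in this package runs in parallel, and the comment should say so. The added comment also trails off after "default 30s". I would reword it as `// The HMAC signatures below were generated against the default 30s threshold. The test build overrides the threshold via ldflags, so pin it to 30s here and restore it on exit; do not run this test in parallel.` The test body continues outside the hunk.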
diff --git a/auth/token.go b/auth/token.go
index dee53227c..12c11740c 100644
--- a/auth/token.go
+++ b/auth/token.go
@@ -16,11 +16,10 @@ import (
"google.golang.org/grpc/status"
)
-const (
- timestampThreshold = 30 * time.Second
-)
+var timestampThresholdDuration time.Duration
var (
+ timestampThreshold = "30s"
errUnauthenticated = status.Errorf(codes.Unauthenticated, "authentication required")
errDenied = status.Errorf(codes.PermissionDenied, "permission denied")
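Review bot: `timestampThreshold` changes from a typed duration constant to a string variable, and nothing at the declaration says why. The reason, a link-time override according to the comment added in extract_test.go, is only discoverable from the test file. This value ends up as the timestamp window passed to v2HmacInfoValid for v2 tokens, so a reader should be told that it is a build-time knob for tests and that release builds are expected to keep the default. I would add above it `// timestampThreshold is the v2 token timestamp window as a duration string; it is a string only so test builds can override it with -ldflags -X. Release builds must keep the default.` The var block continues outside the hunk.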
@@ -33,8 +32,19 @@ var (
)
)
+// TimestampThreshold is used by tests
+func TimestampThreshold() time.Duration {
+ return timestampThresholdDuration
+}
+
func init() {
prometheus.MustRegister(authErrors)
+
+ var err error
+ timestampThresholdDuration, err = time.ParseDuration(timestampThreshold)
+ if err != nil {
+ panic(err)
+ }
}
// AuthInfo contains the authentication information coming from a request
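Review bot: init() only checks that `timestampThreshold` parses, so a link-time override of `0s`, a negative duration or a very large one such as `8760h` is accepted silently. How v2HmacInfoValid applies the threshold is not shown here, but presumably a non-positive value rejects every v2 token and an oversized one widens the window in which a captured token is still accepted. I would fail at startup on the non-positive case, after the parse check: `if timestampThresholdDuration <= 0 { panic("auth: timestampThreshold must be positive") }`, and consider an upper bound as well. The doc comment on `TimestampThreshold` could also say what it returns, e.g. `// TimestampThreshold returns the allowed timestamp window for v2 tokens; it is exported for use by tests.`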
@@ -58,7 +68,7 @@ func CheckToken(ctx context.Context, secret string, targetTime time.Time) error
}
if authInfo.Version == "v2" {
- if v2HmacInfoValid(authInfo.Message, authInfo.SignedMessage, []byte(secret), targetTime, timestampThreshold) {
+ if v2HmacInfoValid(authInfo.Message, authInfo.SignedMessage, []byte(secret), targetTime, timestampThresholdDuration) {
return nil
}
}