From 25647341b68462b19c0272b1dd024ef5e8f74c30 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Fri, 14 Oct 2011 14:45:56 -0600
Subject: [PATCH] properly set assertion expiration to when they expire, not
 the current time.  closes #433

---
 browserid/static/dialog/resources/user.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/browserid/static/dialog/resources/user.js b/browserid/static/dialog/resources/user.js
index 468c0519b..41ef20573 100644
--- a/browserid/static/dialog/resources/user.js
+++ b/browserid/static/dialog/resources/user.js
@@ -535,7 +535,9 @@ BrowserID.User = (function() {
         function createAssertion(idInfo) {
           network.serverTime(function(serverTime) {
             var sk = jwk.SecretKey.fromSimpleObject(idInfo.priv);
-            var tok = new jwt.JWT(null, serverTime, origin);
+            // assertions are valid for 2 minutes
+            var expiration = serverTime + (2 * 60 * 1000);
+            var tok = new jwt.JWT(null, expiration, origin);
             assertion = vep.bundleCertsAndAssertion([idInfo.cert], tok.sign(sk));
             if (onSuccess) {
               onSuccess(assertion);
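Review bot: The added line `var expiration = serverTime + (2 * 60 * 1000);` is only correct if `network.serverTime` passes the callback a number of milliseconds, and the hunk does not show that type. If it is a `Date`, the `+` concatenates strings and the signed assertion would carry a malformed expiry instead of one two minutes ahead. Normalising first, e.g. `var expiration = new Date(serverTime).getTime() + (2 * 60 * 1000);`, works for either input, though the type `jwt.JWT` expects for its second argument should also be confirmed. Because this value bounds how long a captured assertion can be replayed, the two-minute window would be better as a named constant, with a test asserting the expiry lands about two minutes after server time. `createAssertion` starts and ends outside the hunk, so how `tok` is used further down is not visible here.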
-- 
GitLab