Open Sean-Der opened 3 years ago
That's debatable.
RFC 8489 merely says "See Section 5.4 of [RFC7616] for guidelines.", while RFC 7616 says:

> the server is free to construct the nonce such that it MAY only be used from a particular client, for a particular resource, for a limited period of time or number of uses, or any other restrictions. Doing so strengthens the protection provided against, for example, replay attacks (see Section 5.5). However, it should be noted that the method chosen for generating and checking the nonce also has performance and resource implications.
Update `buildNonce` and `authenticateRequest` to generate and check the times on those.
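One way to do what the comment proposes, as an added example that is not pion's code: embed an expiry timestamp and random bytes in the nonce, authenticate them with an HMAC so the server can verify the nonce statelessly, and reject nonces whose MAC fails or whose expiry has passed. The names `buildTimedNonce`, `checkTimedNonce` and the `nonceTTL` constant are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// nonceTTL is a hypothetical lifetime chosen for this example; the RFC leaves the period to the server.
const nonceTTL = 10 * time.Minute

var errNonceInvalid = errors.New("nonce invalid or expired")

// buildTimedNonce returns base64url( expiry(8 bytes) || random(8 bytes) || HMAC-SHA256(key, expiry||random) ).
// The server only needs the key to check it later, so no per-nonce state is kept.
func buildTimedNonce(key []byte, now time.Time) (string, error) {
	payload := make([]byte, 16)
	binary.BigEndian.PutUint64(payload[:8], uint64(now.Add(nonceTTL).Unix()))
	if _, err := rand.Read(payload[8:]); err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(payload)), nil // payload || mac
}

// checkTimedNonce verifies the MAC first (constant-time), then the expiry, so a forged
// nonce is rejected before any of its fields are trusted.
func checkTimedNonce(key []byte, nonce string, now time.Time) error {
	raw, err := base64.RawURLEncoding.DecodeString(nonce)
	if err != nil || len(raw) != 16+sha256.Size {
		return errNonceInvalid
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(raw[:16])
	if !hmac.Equal(mac.Sum(nil), raw[16:]) {
		return errNonceInvalid
	}
	if now.Unix() >= int64(binary.BigEndian.Uint64(raw[:8])) {
		return errNonceInvalid
	}
	return nil
}

func main() {
	key := []byte("constructed-example-key") // constructed for the demo; use a random server secret in practice
	n, _ := buildTimedNonce(key, time.Now())
	fmt.Println(n, checkTimedNonce(key, n, time.Now()))
}
```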