To prevent replay attacks, you might want to assign a unique identifier of some kind to each token. If you have an expiration date, you can remember that this identifier has been seen, and forget about it as soon as the token expires. For this to work, you need an expiration date for your single-use token: this is why we only support it for time-bound tokens, and the validity is reduced down to 2 minutes.
The base class for tokens which are intended to be decoded only once. The unique identifier string nonce will be remembered as long as the program is running and the token is not expired.
Similarly to the base token type, you can construct one by specifying its arguments, or create one from a pair of alists.
#:signing-key is required to construct the base token;
#:validity is required to construct the time-bound token;
#:nonce specifies the unique identifier. It defaults to a random string of base64 data encoding 96 bits of entropy.
The main point of this class is to provide an even stricter token validation function, one that can only be run once for a given token (with reasonable limits: if the program is killed, it won't remember the tokens from before). You can customize the current date by passing #:current-date ... as keyword arguments to
just as you do for regular time-bound tokens. ... would be replaced with a time or date.
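The replay protection described above, as an added example that is not part of the library: a nonce cache that remembers each decoded identifier only until its token expires, clamps validity to the 2-minute cap, and accepts a custom current date. The token layout (a dict with iat, exp and jti), the random_nonce helper and the exception names are assumptions for the example.

```python
import base64
import secrets
import time

MAX_VALIDITY = 120  # seconds: single-use tokens are capped at 2 minutes


def random_nonce():
    # Default nonce: base64 of 96 bits (12 bytes) of entropy.
    return base64.b64encode(secrets.token_bytes(12)).decode("ascii")


def make_token(validity, issued_at=None, nonce=None):
    """Assumed token shape: a dict holding iat, exp and the nonce as jti."""
    iat = time.time() if issued_at is None else issued_at
    validity = min(validity, MAX_VALIDITY)  # reduce validity to 2 minutes
    return {"iat": iat, "exp": iat + validity, "jti": nonce or random_nonce()}


class ExpiredToken(Exception):
    pass


class DuplicateNonce(Exception):
    """Raised when a nonce is seen twice during the token's lifetime."""

    def __init__(self, nonce):
        super().__init__("single-use token already parsed: " + nonce)
        self.nonce = nonce


class SingleUseValidator:
    def __init__(self):
        self._seen = {}  # nonce -> expiry timestamp (in-memory only)

    def remembered(self):
        return set(self._seen)

    def validate(self, token, current_date=None):
        """Return the nonce once; raise DuplicateNonce on any later attempt."""
        now = time.time() if current_date is None else current_date
        # Forget identifiers whose tokens have expired, so memory stays bounded.
        for nonce, exp in list(self._seen.items()):
            if exp <= now:
                del self._seen[nonce]
        if now >= token["exp"]:
            raise ExpiredToken(token["jti"])
        if token["jti"] in self._seen:
            raise DuplicateNonce(token["jti"])
        self._seen[token["jti"]] = token["exp"]
        return token["jti"]
```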
When constructing a token from an existing JWT, this method gives the field name in the JWT payload that represents the nonce. DPoP 'jti, so they override this value.
Return the unique identifier of token, as a string.
If a token with the same nonce has already been decoded during its lifetime, this exception is raised with the duplicated nonce.
Construct an exception of type
Check whether the exception was raised because a single-use token was already parsed.
Return the faulty nonce carried by the exception.