fix(security): reject bearer tokens issued before project creation (#22900)

Vad1mo · web-flow · commit 89e1c4baa7e0 · 2026-03-05T08:48:54.000Z
Prevents authorization bypass when a project is deleted and recreated
with the same name. Compares token issued-at (iat) against the current
project's creation_time; tokens older than the project are rejected.

Signed-off-by: Vadim Bauer &lt;vb@container-registry.com&gt;
diff --git a/src/server/middleware/security/v2_token.go b/src/server/middleware/security/v2_token.go
@@ -15,6 +15,7 @@
 package security
 
 import (
+	"context"
 	"net/http"
 	"strings"
 
@@ -25,7 +26,9 @@ import (
 	"github.com/goharbor/harbor/src/common"
 	"github.com/goharbor/harbor/src/common/security"
 	"github.com/goharbor/harbor/src/common/security/v2token"
+	project_ctl "github.com/goharbor/harbor/src/controller/project"
 	svc_token "github.com/goharbor/harbor/src/core/service/token"
+	"github.com/goharbor/harbor/src/lib"
 	"github.com/goharbor/harbor/src/lib/log"
 	"github.com/goharbor/harbor/src/pkg/token"
 	v2 "github.com/goharbor/harbor/src/pkg/token/claims/v2"
@@ -69,5 +72,29 @@ func (vt *v2Token) Generate(req *http.Request) security.Context {
 		logger.Warningf("invalid token claims.")
 		return nil
 	}
+	if !tokenIssuedAfterProjectCreation(req.Context(), logger, claims) {
+		return nil
+	}
 	return v2token.New(req.Context(), claims.Subject, claims.Access)
 }
+
+// tokenIssuedAfterProjectCreation prevents tokens from a deleted project
+// granting access to a new project recreated with the same name.
+func tokenIssuedAfterProjectCreation(ctx context.Context, logger *log.Logger, claims *v2TokenClaims) bool {
+	info := lib.GetArtifactInfo(ctx)
+	if info.ProjectName == "" {
+		return true
+	}
+	p, err := project_ctl.Ctl.GetByName(ctx, info.ProjectName)
+	if err != nil {
+		logger.Warningf("failed to get project %q for token validation: %v", info.ProjectName, err)
+		return false
+	}
+	iat := claims.IssuedAt.Time
+	if iat.Add(common.JwtLeeway).Before(p.CreationTime) {
+		logger.Warningf("bearer token issued at %v is before project %q creation time %v, rejecting",
+			iat, info.ProjectName, p.CreationTime)
+		return false
+	}
+	return true
+}
diff --git a/src/server/middleware/security/v2_token_test.go b/src/server/middleware/security/v2_token_test.go
@@ -1,17 +1,27 @@
 package security
 
 import (
+	"context"
 	"fmt"
 	"net/http"
 	"testing"
+	"time"
 
 	registry_token "github.com/docker/distribution/registry/auth/token"
+	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	project_ctl "github.com/goharbor/harbor/src/controller/project"
 	"github.com/goharbor/harbor/src/core/service/token"
+	"github.com/goharbor/harbor/src/lib"
 	"github.com/goharbor/harbor/src/lib/config"
+	"github.com/goharbor/harbor/src/lib/log"
 	"github.com/goharbor/harbor/src/lib/orm"
+	proModels "github.com/goharbor/harbor/src/pkg/project/models"
+	v2 "github.com/goharbor/harbor/src/pkg/token/claims/v2"
+	projecttesting "github.com/goharbor/harbor/src/testing/controller/project"
+	"github.com/goharbor/harbor/src/testing/mock"
 )
 
 func TestGenerate(t *testing.T) {
@@ -34,3 +44,60 @@ func TestGenerate(t *testing.T) {
 	req4.Header.Set("Authorization", fmt.Sprintf("Bearer %s", mt2.Token))
 	assert.NotNil(t, vt.Generate(req4))
 }
+
+func makeClaimsWithIAT(iat time.Time) *v2TokenClaims {
+	return &v2TokenClaims{
+		Claims: v2.Claims{
+			RegisteredClaims: jwt.RegisteredClaims{
+				IssuedAt: jwt.NewNumericDate(iat),
+			},
+		},
+	}
+}
+
+func TestTokenIssuedAfterProjectCreation(t *testing.T) {
+	logger := log.DefaultLogger()
+	projectCreated := time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
+	before := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
+	after := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC)
+
+	proj := &proModels.Project{Name: "myproject", CreationTime: projectCreated}
+
+	tests := []struct {
+		name        string
+		projectName string
+		iat         time.Time
+		project     *proModels.Project
+		projErr     error
+		allowed     bool
+	}{
+		{"after creation - allowed", "myproject", after, proj, nil, true},
+		{"before creation - rejected", "myproject", before, proj, nil, false},
+		{"exact creation time - allowed", "myproject", projectCreated, proj, nil, true},
+		{"within leeway window - allowed", "myproject", projectCreated.Add(-30 * time.Second), proj, nil, true},
+		{"just outside leeway - rejected", "myproject", projectCreated.Add(-61 * time.Second), proj, nil, false},
+		{"no project in context - skipped", "", after, nil, nil, true},
+		{"project lookup error - rejected", "myproject", after, nil, fmt.Errorf("not found"), false},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			origCtl := project_ctl.Ctl
+			defer func() { project_ctl.Ctl = origCtl }()
+
+			mockCtl := &projecttesting.Controller{}
+			project_ctl.Ctl = mockCtl
+			if tt.project != nil || tt.projErr != nil {
+				mock.OnAnything(mockCtl, "GetByName").Return(tt.project, tt.projErr)
+			}
+
+			ctx := context.Background()
+			if tt.projectName != "" {
+				ctx = lib.WithArtifactInfo(ctx, lib.ArtifactInfo{ProjectName: tt.projectName})
+			}
+
+			result := tokenIssuedAfterProjectCreation(ctx, logger, makeClaimsWithIAT(tt.iat))
+			assert.Equal(t, tt.allowed, result)
+		})
+	}
+}
