From 00c37387dbff2e3de2d9fe1791079b469a67f9f5 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Fri, 2 Jan 2026 21:20:05 -0800
Subject: [PATCH] refactor(sts): add explicit zero-time expiration handling Improved defensive programming in IsExpired() methods: 1. Credentials.IsExpired(): - Added explicit check for zero-time expiration (time.Time{}) - Treats uninitialized credentials as expired - Prevents accidentally treating uninitialized creds as valid 2. SessionInfo.IsExpired(): - Added same explicit zero-time check - Treats uninitialized sessions as expired - Protects against bugs where sessions might not be properly initialized This is important because time.Now().After(time.Time{}) returns true, but explicitly checking for zero time makes the intent clear and helps catch initialization bugs during code review and debugging.
---
 weed/iam/sts/session_helpers.go | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/weed/iam/sts/session_helpers.go b/weed/iam/sts/session_helpers.go
index e13d1297d..64abc23d4 100644
--- a/weed/iam/sts/session_helpers.go
+++ b/weed/iam/sts/session_helpers.go
@@ -7,6 +7,11 @@ func (c *Credentials) IsExpired() bool {
 if c == nil {
 return true
 }
+ // Treat zero-time expiration as expired (uninitialized credentials)
+ // This prevents treating uninitialized credentials as valid
+ if c.Expiration.IsZero() {
+ return true
+ }
 return time.Now().After(c.Expiration)
 }
 
@@ -16,5 +21,9 @@ func (s *SessionInfo) IsExpired() bool {
 if s == nil {
 return true
 }
+ // Treat zero-time expiration as expired (uninitialized session)
+ if s.ExpiresAt.IsZero() {
+ return true
+ }
 return time.Now().After(s.ExpiresAt)
 }
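Review bot: The comment on the new `c.Expiration.IsZero()` branch in Credentials.IsExpired says it "prevents treating uninitialized credentials as valid", but as the commit description itself notes, `time.Now().After(time.Time{})` already returned true, so the branch records a fail-closed intent rather than changing any result. I would word it as `// Zero Expiration means the value was never set; fail closed explicitly (After(zero time) is already true, this documents intent).` and use the same wording on the `s.ExpiresAt.IsZero()` branch in the SessionInfo.IsExpired hunk. Since the value of the change is pinning that invariant, a small test asserting that `(&Credentials{}).IsExpired()` and `(&SessionInfo{}).IsExpired()` both return true would keep a later rewrite of the comparison (for example one adding a clock-skew allowance) from silently accepting unset expirations. Both function bodies begin outside their hunks, so I cannot see whether callers check any other field before trusting these methods.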