Diffstat (limited to 'src/backend/taler-merchant-httpd_post-orders-ID-pay.c')
-rw-r--r-- | src/backend/taler-merchant-httpd_post-orders-ID-pay.c | 36 |
1 files changed, 29 insertions, 7 deletions
diff --git a/src/backend/taler-merchant-httpd_post-orders-ID-pay.c b/src/backend/taler-merchant-httpd_post-orders-ID-pay.c
index 4160230d..f69d163e 100644
--- a/src/backend/taler-merchant-httpd_post-orders-ID-pay.c
+++ b/src/backend/taler-merchant-httpd_post-orders-ID-pay.c
@@ -2082,14 +2082,14 @@ phase_execute_pay_transaction (struct PayContext *pc)
 "insert used token"));
 return;
 }
- else if (0 == qs)
+ else if (GNUNET_DB_STATUS_SUCCESS_NO_RESULTS == qs)
 {
- /* UNIQUE constreaint violation --> Token already used. */
+ /* UNIQUE constraint violation, meaining this token was already used. */
 pay_end (pc,
 TALER_MHD_reply_with_error (pc->connection,
 MHD_HTTP_CONFLICT,
 TALER_EC_MERCHANT_POST_ORDERS_ID_PAY_TOKEN_INVALID,
- "tokens"));
+ NULL));
 return;
 }
 }
@@ -2468,10 +2468,11 @@ phase_validate_tokens (struct PayContext *pc)
 selected = pc->choices[pc->choice_index];
 /* 1. Iterate over inputs of selected choice:
- 1.1. Get public key for each input lookup_token_key (slug, valid_after).
- 1.2. Iterate over provided tokens and check if required number with matching h_issue are present.
- 1.3. Validate ub_sig with the issue public key, validate token_sig using the token_pub key of the request.
- 1.4. Sum up validated tokens and check if validated_len == tokens_cnt after loop. */
+ 1.1. Get key for each input.
+ 1.2. Check if token signed by this key are valid at the current time.
+ 1.3. Iterate over provided tokens and check if required number with matching h_issue are present.
+ 1.4. Validate ub_sig with the issue public key, validate token_sig using the token_pub key of the request.
+ 1.5. Sum up validated tokens and check if validated_len == tokens_cnt after loop. */
 for (unsigned int i = 0; i<selected.inputs_len; i++)
 {
 struct TALER_MerchantContractInput input = selected.inputs[i];
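Review bot: The token-reuse branch (`GNUNET_DB_STATUS_SUCCESS_NO_RESULTS == qs`) ends the request with a 409 but writes nothing to the log, and with the hint now `NULL` the reply is identical to the one the new key-validity check in `phase_validate_tokens` sends, so neither the operator nor the client can tell a replayed token from an expired key. A line such as `GNUNET_log (GNUNET_ERROR_TYPE_WARNING, "Token already used, rejecting payment\n");` before `pay_end` would make double-spend attempts visible in the merchant log. The new comment also misspells "meaning" as `meaining`. phase_execute_pay_transaction begins and continues outside this hunk.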
@@ -2484,6 +2485,7 @@ phase_validate_tokens (struct PayContext *pc)
 continue;
 }
+ /* TODO: Replace this with ordering convention. */
 if (GNUNET_OK != TMH_find_token_family_key (input.details.token.token_family_slug, input.details.token.valid_after, pc->token_families,
@@ -2502,6 +2504,26 @@ phase_validate_tokens (struct PayContext *pc)
 return;
 }
+ struct GNUNET_TIME_Timestamp now = GNUNET_TIME_timestamp_get ();
+
+ /* Ensure tokens signed by this key are valid at the current time. */
+ if (GNUNET_TIME_timestamp_cmp (key.valid_after, >, now) ||
+ GNUNET_TIME_timestamp_cmp (key.valid_before, <=, now))
+ {
+ GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
+ "Token family key validity period from %s to %s "
+ "is not valid at the current time\n",
+ GNUNET_TIME_timestamp2s (key.valid_after),
+ GNUNET_TIME_timestamp2s (key.valid_before));
+ GNUNET_break (0);
+ pay_end (pc,
+ TALER_MHD_reply_with_error (pc->connection,
+ MHD_HTTP_CONFLICT,
+ TALER_EC_MERCHANT_POST_ORDERS_ID_PAY_TOKEN_INVALID,
+ NULL));
+ return;
+ }
+
 if (GNUNET_NO == find_valid_input_tokens (pc, &key, input.details.token.count)) |
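Review bot: The warning in the new validity check passes two `GNUNET_TIME_timestamp2s ()` results to a single `GNUNET_log` call; as far as I know that helper formats into one static buffer, so both `%s` would print the same timestamp and the log would hide which bound was violated. Formatting one bound per log call, as sketched below, avoids that. `GNUNET_break (0)` also looks out of place here, since an expired or not-yet-valid key appears reachable from an ordinary pay request rather than from a broken internal invariant, and it would add assertion noise to the error log on every such request. `now` is read inside the loop, so each input is compared against a slightly different instant; reading it once before the `for` would be more consistent. The loop and the function extend outside this hunk.

```c
      /* … unchanged: validity-window comparison against now … */
      {
        /* timestamp2s reuses its buffer, so log one bound per call */
        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                    "Token family key is not valid at the current time, valid after %s\n",
                    GNUNET_TIME_timestamp2s (key.valid_after));
        GNUNET_log (GNUNET_ERROR_TYPE_WARNING,
                    "Token family key is not valid at the current time, valid before %s\n",
                    GNUNET_TIME_timestamp2s (key.valid_before));
        /* … unchanged: pay_end with TALER_EC_MERCHANT_POST_ORDERS_ID_PAY_TOKEN_INVALID, return … */
```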