(use-modules (webid-oidc dpop-proof)
             (webid-oidc jti)
             (webid-oidc jwk)
             (webid-oidc testing)
             (webid-oidc errors)
             (web uri)
             (srfi srfi-19)
             (web response))

(with-test-environment
 "dpop-proof-iat-too-late"
 (lambda ()
   (define jwk (generate-key #:n-size 2048))
   (define cnf (jkt jwk))
   (define blacklist (make-jti-list))
   (define proof
     (issue-dpop-proof
      jwk
      #:alg 'RS256
      #:htm 'GET
      #:htu (string->uri "https://example.com/res#frag")
      #:iat (time-utc->date (make-time time-utc 0 0))))
   (with-exception-handler
       (lambda (error)
         (unless ((record-predicate &dpop-too-old)
                  ((record-accessor &cannot-decode-dpop-proof 'cause) error))
           (raise-exception error)))
     (lambda ()
       (dpop-proof-decode (time-utc->date (make-time time-utc 0 600))
                          blacklist
                          'GET
                          (string->uri "https://example.com/res?query")
                          proof
                          cnf)
       (exit 2))
     #:unwind? #t
     #:unwind-for-type &cannot-decode-dpop-proof)))