From 97b9184afdebcd5a15faeff97a81210264e08367 Mon Sep 17 00:00:00 2001
From: Madeline <46743919+MaddyUnderStars@users.noreply.github.com>
Date: Fri, 29 Sep 2023 04:05:31 +0000
Subject: [PATCH] Http signatures: fix missing quotes in sent header, add date check
---
 src/activitypub/federation/HttpSig.ts | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/activitypub/federation/HttpSig.ts b/src/activitypub/federation/HttpSig.ts
index 15eabffe..d05adcfe 100644
--- a/src/activitypub/federation/HttpSig.ts
+++ b/src/activitypub/federation/HttpSig.ts
@@ -28,6 +28,14 @@ export class HttpSig {
 activity: APActivity,
 requestHeaders: IncomingHttpHeaders,
 ) {
+ const date = requestHeaders["date"];
+ if (
+ !date ||
+ // Older than 1 day
+ Date.parse(date).valueOf() > Date.now() + 24 * 60 * 60 * 1000
+ )
+ throw new APError("Signature too old");
+
 const sigheader = requestHeaders["signature"]?.toString();
 if (!sigheader) throw new APError("Missing signature");
 const sigopts: { [key: string]: string | undefined } = Object.assign(
@@ -115,7 +123,7 @@ export class HttpSig {
 const header =
 `keyId="https://${host}/federation/${sender.type}/${sender.actorId}",` +
 `headers="(request-target) host date digest",` +
- `signature=${sig_b64}`;
+ `signature="${sig_b64}"`;
 
 return OrmUtils.mergeDeep({}, fetchOpts, {
 method: "POST",
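Review bot: The date check added in the first hunk (`@@ -28,6 +28,14 @@`) is inverted: `Date.parse(date).valueOf() > Date.now() + 24 * 60 * 60 * 1000` is true only for a Date header more than a day in the future, so a request carrying an arbitrarily old Date still passes, despite the `// Older than 1 day` comment and the "Signature too old" error. An unparsable header passes as well, because `Date.parse` returns NaN and every comparison with NaN is false. Compare the age in both directions and reject NaN, for example `const sentAt = date ? Date.parse(date) : NaN;` followed by `if (Number.isNaN(sentAt) || Math.abs(Date.now() - sentAt) > 24 * 60 * 60 * 1000) throw new APError("Signature too old");`. The check only limits replay of a captured request if `date` is among the headers the signature covers; the verification code continues outside this hunk, so that should be confirmed there.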