1
0
mirror of https://github.com/spacebarchat/server.git synced 2024-11-26 04:03:03 +01:00

Http signatures: fix missing quotes in sent header, add date check

This commit is contained in:
Madeline 2023-09-29 04:05:31 +00:00
parent 95cabac3f0
commit 97b9184afd

View File

@ -28,6 +28,14 @@ export class HttpSig {
activity: APActivity, activity: APActivity,
requestHeaders: IncomingHttpHeaders, requestHeaders: IncomingHttpHeaders,
) { ) {
const date = requestHeaders["date"];
if (
!date ||
// Older than 1 day
Date.parse(date).valueOf() > Date.now() + 24 * 60 * 60 * 1000
)
throw new APError("Signature too old");
const sigheader = requestHeaders["signature"]?.toString(); const sigheader = requestHeaders["signature"]?.toString();
if (!sigheader) throw new APError("Missing signature"); if (!sigheader) throw new APError("Missing signature");
const sigopts: { [key: string]: string | undefined } = Object.assign( const sigopts: { [key: string]: string | undefined } = Object.assign(
@ -115,7 +123,7 @@ export class HttpSig {
const header = const header =
`keyId="https://${host}/federation/${sender.type}/${sender.actorId}",` + `keyId="https://${host}/federation/${sender.type}/${sender.actorId}",` +
`headers="(request-target) host date digest",` + `headers="(request-target) host date digest",` +
`signature=${sig_b64}`; `signature="${sig_b64}"`;
return OrmUtils.mergeDeep({}, fetchOpts, { return OrmUtils.mergeDeep({}, fetchOpts, {
method: "POST", method: "POST",