Http signatures: fix missing quotes in sent header, add date check

2024-11-22 10:22:39 +01:00 · 2023-09-29 04:05:31 +00:00 · 2023-09-29 04:05:31 +00:00 · 97b9184afd
commit 97b9184afd
parent 95cabac3f0
1 changed files with 9 additions and 1 deletions
--- a/src/activitypub/federation/HttpSig.ts
+++ b/src/activitypub/federation/HttpSig.ts
@ -28,6 +28,14 @@ export class HttpSig {
 		activity: APActivity,
 		requestHeaders: IncomingHttpHeaders,
 	) {
+		const date = requestHeaders["date"];
+		if (
+			!date ||
+			// Older than 1 day
+			Date.parse(date).valueOf() > Date.now() + 24 * 60 * 60 * 1000
+		)
+			throw new APError("Signature too old");
+
 		const sigheader = requestHeaders["signature"]?.toString();
 		if (!sigheader) throw new APError("Missing signature");
 		const sigopts: { [key: string]: string | undefined } = Object.assign(
@ -115,7 +123,7 @@ export class HttpSig {
 		const header =
 			`keyId="https://${host}/federation/${sender.type}/${sender.actorId}",` +
 			`headers="(request-target) host date digest",` +
-			`signature=${sig_b64}`;
+			`signature="${sig_b64}"`;

 		return OrmUtils.mergeDeep({}, fetchOpts, {
 			method: "POST",