summary refs log tree commit diff
path: root/src
diff options
context:
space:
mode:
authorMadeline <46743919+MaddyUnderStars@users.noreply.github.com>2023-09-29 04:05:31 +0000
committerMadeline <46743919+MaddyUnderStars@users.noreply.github.com>2023-09-29 04:05:31 +0000
commit97b9184afdebcd5a15faeff97a81210264e08367 (patch)
tree426d3e630ed7edeb9ec92e767102e43cfbcb9fda /src
parentMove genericInboxHandler to own file (diff)
downloadserver-ts-97b9184afdebcd5a15faeff97a81210264e08367.tar.xz
Http signatures: fix missing quotes in sent header, add date check
Diffstat (limited to 'src')
-rw-r--r--src/activitypub/federation/HttpSig.ts10
1 files changed, 9 insertions, 1 deletions
diff --git a/src/activitypub/federation/HttpSig.ts b/src/activitypub/federation/HttpSig.ts

index 15eabffe..d05adcfe 100644 --- a/src/activitypub/federation/HttpSig.ts +++ b/src/activitypub/federation/HttpSig.ts
@@ -28,6 +28,14 @@ export class HttpSig { activity: APActivity, requestHeaders: IncomingHttpHeaders, ) { + const date = requestHeaders["date"]; + if ( + !date || + // Older than 1 day + Date.parse(date).valueOf() > Date.now() + 24 * 60 * 60 * 1000 + ) + throw new APError("Signature too old"); + const sigheader = requestHeaders["signature"]?.toString(); if (!sigheader) throw new APError("Missing signature"); const sigopts: { [key: string]: string | undefined } = Object.assign( @@ -115,7 +123,7 @@ export class HttpSig { const header = `keyId="https://${host}/federation/${sender.type}/${sender.actorId}",` + `headers="(request-target) host date digest",` + - `signature=${sig_b64}`; + `signature="${sig_b64}"`; return OrmUtils.mergeDeep({}, fetchOpts, { method: "POST",