hamlab/mobilizon-frontend
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Validate Date header in HTTPSignatures

Browse Source 
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel
2020-02-14 09:22:17 +01:00
parent 66e1fae0b5
commit 3a753312c1
2 changed files with 65 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
lib/web/plugs/http_signatures.ex
View File

@@ -43,7 +43,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSignatures do
signature_valid = HTTPSignatures.validate_conn(conn)
Logger.debug("Is signature valid ? #{inspect(signature_valid)}")
assign(conn, :valid_signature, signature_valid)
date_valid = date_valid?(conn)
assign(conn, :valid_signature, signature_valid && date_valid)
else
Logger.debug("No signature header!")
conn
@@ -53,4 +54,15 @@ defmodule Mobilizon.Web.Plugs.HTTPSignatures do
conn
end
end
@spec date_valid?(Plug.Conn.t()) :: boolean()
defp date_valid?(conn) do
with [date | _] <- get_req_header(conn, "date") || [""],
{:ok, date} <- Timex.parse(date, "{WDshort}, {0D} {Mshort} {YYYY} {h24}:{m}:{s} GMT") do
Timex.diff(date, DateTime.utc_now(), :hours) <= 12 &&
Timex.diff(date, DateTime.utc_now(), :hours) >= -12
else
_ -> false
end
end
end