diff --git a/src/http_signatures.rs b/src/http_signatures.rs
index fe7273b..19cf319 100644
--- a/src/http_signatures.rs
+++ b/src/http_signatures.rs
@@ -70,9 +70,9 @@ pub fn generate_actor_keypair() -> Result {
 /// Time for which HTTP signatures are valid.
 ///
 /// This field is optional in the standard, but required by the Rust library. It is not clear
-/// what security concerns this expiration solves (if any), so we set a very high value of one day
+/// what security concerns this expiration solves (if any), so we set a very high value of one hour
 /// to avoid any potential problems due to wrong clocks, overloaded servers or delayed delivery.
-pub(crate) const EXPIRES_AFTER: Duration = Duration::from_secs(24 * 60 * 60);
+pub(crate) const EXPIRES_AFTER: Duration = Duration::from_secs(60 * 60);
 /// Creates an HTTP post request to `inbox_url`, with the given `client` and `headers`, and
 /// `activity` as request body. The request is signed with `private_key` and then sent.
@@ -111,9 +111,6 @@ pub(crate) async fn sign_request(
 .await
 }
-static CONFIG2: Lazy =
- Lazy::new(http_signature_normalization::Config::new);
-
 /// Verifies the HTTP signature on an incoming federation request
 /// for a given actor's public key.
 ///
@@ -188,9 +185,12 @@ fn verify_signature_inner(
 uri: &Uri,
 public_key: &str,
 ) -> Result<(), Error> {
+ static CONFIG: Lazy =
+ Lazy::new(|| http_signature_normalization::Config::new().set_expiration(EXPIRES_AFTER));
+
 let path_and_query = uri.path_and_query().map(PathAndQuery::as_str).unwrap_or("");
- let verified = CONFIG2
+ let verified = CONFIG
 .begin_verify(method.as_str(), path_and_query, header_map)
 .map_err(Error::other)?
 .verify(|signature, signing_string| -> anyhow::Result {
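Review bot: The doc comment on `EXPIRES_AFTER` still says it is not clear what security concern the expiration addresses and calls one hour "a very high value", so it no longer explains why the constant was lowered. An expiry bounds how long a signed request that was captured or logged in transit stays acceptable to a verifier, and the comment should state that trade-off against clock skew and delayed delivery. For example, replace the middle sentence with `/// The expiration bounds how long a captured signed request remains valid; one hour still` followed by the existing `/// to avoid any potential problems due to wrong clocks, ...` line, reworded to "tolerates".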
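Review bot: The `CONFIG` static added at the top of `verify_signature_inner` has no comment saying that inbound verification now takes its acceptance window from `EXPIRES_AFTER`, so a later edit to that constant would change what the verifier accepts without any hint at this call site. A one-line comment above the static would make the coupling explicit, for example `// Verification uses the same validity window as EXPIRES_AFTER; changing it changes which inbound signatures are accepted.` Within that window an identical signed request would presumably still verify, so it is worth confirming that something outside this hunk rejects duplicate deliveries. The function body continues past the end of the hunk, so the rest of the verification path is not visible here.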