Increase HTTP signature expiration time to one day (fixes #46) (#47)

This commit is contained in:
Nutomic 2023-06-22 09:20:57 +02:00 committed by GitHub
parent 8f997ec340
commit 3d9d54cf09
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -67,9 +67,12 @@ pub fn generate_actor_keypair() -> Result<Keypair, std::io::Error> {
})
}
/// Sets the amount of time that a signed request is valid. Currenlty 5 minutes
/// Mastodon & friends have ~1 hour expiry from creation if it's not set in the header
pub(crate) const EXPIRES_AFTER: Duration = Duration::from_secs(300);
/// Time for which HTTP signatures are valid.
///
/// This field is optional in the standard, but required by the Rust library. It is not clear
/// what security concerns this expiration solves (if any), so we set a very high value of one day
/// to avoid any potential problems due to wrong clocks, overloaded servers or delayed delivery.
pub(crate) const EXPIRES_AFTER: Duration = Duration::from_secs(24 * 60 * 60);
/// Creates an HTTP post request to `inbox_url`, with the given `client` and `headers`, and
/// `activity` as request body. The request is signed with `private_key` and then sent.