From fb67912238ed9d2fd6e3509df537456f2f3e13ce Mon Sep 17 00:00:00 2001 From: Felix Ableitner Date: Wed, 21 Jun 2023 22:00:22 +0200 Subject: [PATCH] Increase HTTP signature expiration time to one day (fixes #46) --- src/http_signatures.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/src/http_signatures.rs b/src/http_signatures.rs index dc2bc23..fe7273b 100644 --- a/src/http_signatures.rs +++ b/src/http_signatures.rs @@ -67,9 +67,12 @@ pub fn generate_actor_keypair() -> Result { }) } -/// Sets the amount of time that a signed request is valid. Currenlty 5 minutes -/// Mastodon & friends have ~1 hour expiry from creation if it's not set in the header -pub(crate) const EXPIRES_AFTER: Duration = Duration::from_secs(300); +/// Time for which HTTP signatures are valid. +/// +/// This field is optional in the standard, but required by the Rust library. It is not clear +/// what security concerns this expiration solves (if any), so we set a very high value of one day +/// to avoid any potential problems due to wrong clocks, overloaded servers or delayed delivery. +pub(crate) const EXPIRES_AFTER: Duration = Duration::from_secs(24 * 60 * 60); /// Creates an HTTP post request to `inbox_url`, with the given `client` and `headers`, and /// `activity` as request body. The request is signed with `private_key` and then sent.