Validate Date header in HTTPSignatures
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
parent
66e1fae0b5
commit
3a753312c1
@ -43,7 +43,8 @@ defmodule Mobilizon.Web.Plugs.HTTPSignatures do
|
|||||||
|
|
||||||
signature_valid = HTTPSignatures.validate_conn(conn)
|
signature_valid = HTTPSignatures.validate_conn(conn)
|
||||||
Logger.debug("Is signature valid ? #{inspect(signature_valid)}")
|
Logger.debug("Is signature valid ? #{inspect(signature_valid)}")
|
||||||
assign(conn, :valid_signature, signature_valid)
|
date_valid = date_valid?(conn)
|
||||||
|
assign(conn, :valid_signature, signature_valid && date_valid)
|
||||||
else
|
else
|
||||||
Logger.debug("No signature header!")
|
Logger.debug("No signature header!")
|
||||||
conn
|
conn
|
||||||
@ -53,4 +54,15 @@ defmodule Mobilizon.Web.Plugs.HTTPSignatures do
|
|||||||
conn
|
conn
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@spec date_valid?(Plug.Conn.t()) :: boolean()
|
||||||
|
defp date_valid?(conn) do
|
||||||
|
with [date | _] <- get_req_header(conn, "date") || [""],
|
||||||
|
{:ok, date} <- Timex.parse(date, "{WDshort}, {0D} {Mshort} {YYYY} {h24}:{m}:{s} GMT") do
|
||||||
|
Timex.diff(date, DateTime.utc_now(), :hours) <= 12 &&
|
||||||
|
Timex.diff(date, DateTime.utc_now(), :hours) >= -12
|
||||||
|
else
|
||||||
|
_ -> false
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
52
test/web/plugs/http_signatures_test.exs
Normal file
52
test/web/plugs/http_signatures_test.exs
Normal file
@ -0,0 +1,52 @@
|
|||||||
|
defmodule Mobilizon.Web.Plug.HTTPSignaturesTest do
|
||||||
|
use Mobilizon.Web.ConnCase
|
||||||
|
import Mock
|
||||||
|
|
||||||
|
alias Mobilizon.Federation.HTTPSignatures.Signature
|
||||||
|
alias Mobilizon.Web.Plugs.HTTPSignatures, as: HTTPSignaturesPlug
|
||||||
|
|
||||||
|
test "tests that date window is acceptable" do
|
||||||
|
date = NaiveDateTime.utc_now() |> Timex.shift(hours: -3) |> Signature.generate_date_header()
|
||||||
|
|
||||||
|
with_mock HTTPSignatures, validate_conn: fn _ -> true end do
|
||||||
|
conn =
|
||||||
|
build_conn()
|
||||||
|
|> put_req_header("signature", "signature")
|
||||||
|
|> put_req_header("date", date)
|
||||||
|
|> HTTPSignaturesPlug.call(%{})
|
||||||
|
|
||||||
|
assert called(HTTPSignatures.validate_conn(:_))
|
||||||
|
assert conn.assigns.valid_signature
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
test "tests that date window is not acceptable (already passed)" do
|
||||||
|
date = NaiveDateTime.utc_now() |> Timex.shift(hours: -30) |> Signature.generate_date_header()
|
||||||
|
|
||||||
|
with_mock HTTPSignatures, validate_conn: fn _ -> true end do
|
||||||
|
conn =
|
||||||
|
build_conn()
|
||||||
|
|> put_req_header("signature", "signature")
|
||||||
|
|> put_req_header("date", date)
|
||||||
|
|> HTTPSignaturesPlug.call(%{})
|
||||||
|
|
||||||
|
refute conn.assigns.valid_signature
|
||||||
|
assert called(HTTPSignatures.validate_conn(:_))
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
test "tests that date window is not acceptable (in the future)" do
|
||||||
|
date = NaiveDateTime.utc_now() |> Timex.shift(hours: 30) |> Signature.generate_date_header()
|
||||||
|
|
||||||
|
with_mock HTTPSignatures, validate_conn: fn _ -> true end do
|
||||||
|
conn =
|
||||||
|
build_conn()
|
||||||
|
|> put_req_header("signature", "signature")
|
||||||
|
|> put_req_header("date", date)
|
||||||
|
|> HTTPSignaturesPlug.call(%{})
|
||||||
|
|
||||||
|
refute conn.assigns.valid_signature
|
||||||
|
assert called(HTTPSignatures.validate_conn(:_))
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue
Block a user