From de29780321a13b853abd17ec977c296f1147dcab Mon Sep 17 00:00:00 2001
From: Laura Hausmann <laura@hausmann.dev>
Date: Wed, 30 Oct 2024 18:06:06 +0100
Subject: [PATCH] [backend/federation] Don't recompute clock skew timespan on
 every invocation in HttpSignature.VerifyAsync

This commit also tightens the maximum allowed clock skew to a much more reasonable 5 minutes.
---
 .../Core/Federation/Cryptography/HttpSignature.cs           | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/Iceshrimp.Backend/Core/Federation/Cryptography/HttpSignature.cs b/Iceshrimp.Backend/Core/Federation/Cryptography/HttpSignature.cs
index 05e91326..4b053281 100644
--- a/Iceshrimp.Backend/Core/Federation/Cryptography/HttpSignature.cs
+++ b/Iceshrimp.Backend/Core/Federation/Cryptography/HttpSignature.cs
@@ -10,6 +10,8 @@ namespace Iceshrimp.Backend.Core.Federation.Cryptography;
 
 public static class HttpSignature
 {
+	public static readonly TimeSpan MaxClockSkew = TimeSpan.FromMinutes(5);
+
 	public static async Task<bool> VerifyAsync(
 		HttpRequest request, HttpSignatureHeader signature,
 		IEnumerable<string> requiredHeaders, string key
@@ -53,10 +55,10 @@ public static class HttpSignature
 		if (created == null && !datePresent)
 			throw new GracefulException(HttpStatusCode.Forbidden, "Neither date nor (created) are present, refusing");
 
-		var dateCheck = datePresent && DateTime.Now - DateTime.Parse(date!) > TimeSpan.FromHours(12);
+		var dateCheck = datePresent && DateTime.Now - DateTime.Parse(date!) > MaxClockSkew;
 		var createdCheck = created != null &&
 		                   DateTime.UtcNow - (DateTime.UnixEpoch + TimeSpan.FromSeconds(long.Parse(created))) >
-		                   TimeSpan.FromHours(12);
+		                   MaxClockSkew;
 
 		if (dateCheck || createdCheck)
 			throw new GracefulException(HttpStatusCode.Forbidden, "Request signature is too old");