Merge pull request #917 from pixelfed/frontend-ui-refactor

Update FederationController
2019-03-01 16:19:18 -07:00 · 2019-03-01 16:19:18 -07:00 · 1af7f5a8c1
parent 81e4fb805c bca53ae40e
commit 1af7f5a8c1
1 changed files with 14 additions and 0 deletions
--- a/app/Http/Controllers/FederationController.php
+++ b/app/Http/Controllers/FederationController.php
@ -199,9 +199,16 @@ XML;
        $body = $request->getContent();
        $bodyDecoded = json_decode($body, true, 8);
        $signature = $request->header('signature');
+        $date = $request->header('date');
        if(!$signature) {
            abort(400, 'Missing signature header');
        }
+        if(!$date) {
+            abort(400, 'Missing date header');
+        }
+        if(!now()->parse($date)->gt(now()->subDays(1)) || !now()->parse($date)->lt(now()->addDays(1))) {
+            abort(400, 'Invalid date');
+        }
        $signatureData = HttpSignature::parseSignatureHeader($signature);
        $keyId = Helpers::validateUrl($signatureData['keyId']);
        $id = Helpers::validateUrl($bodyDecoded['id']);
@ -235,9 +242,16 @@ XML;
    protected function blindKeyRotation(Request $request, Profile $profile)
    {
        $signature = $request->header('signature');
+        $date = $request->header('date');
        if(!$signature) {
            abort(400, 'Missing signature header');
        }
+        if(!$date) {
+            abort(400, 'Missing date header');
+        }
+        if(!now()->parse($date)->gt(now()->subDays(1)) || !now()->parse($date)->lt(now()->addDays(1))) {
+            abort(400, 'Invalid date');
+        }
        $signatureData = HttpSignature::parseSignatureHeader($signature);
        $keyId = Helpers::validateUrl($signatureData['keyId']);
        $actor = Profile::whereKeyId($keyId)->whereNotNull('remote_url')->firstOrFail();