From 99eba80a9a7b515fda3c0b40d3f8753aa925a3ba Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Sat, 18 Feb 2023 14:57:55 -0600
Subject: [PATCH] Sign the `Date` header instead of using `(created)` in HTTP Signatures
---
 backend/src/utils/http-signing.ts | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/backend/src/utils/http-signing.ts b/backend/src/utils/http-signing.ts
index 2320d78..631b8da 100644
--- a/backend/src/utils/http-signing.ts
+++ b/backend/src/utils/http-signing.ts
@@ -15,21 +15,22 @@ export async function signRequest(request: Request, key: CryptoKey, keyId: URL):
 )
 mySigner.alg = 'hs2019' as Algorithm
+ if (!request.headers.has('Date')) {
+ request.headers.set('Date', new Date().toUTCString())
+ }
+
 if (!request.headers.has('Host')) {
 const url = new URL(request.url)
 request.headers.set('Host', url.host)
 }
- const components = ['@request-target', 'host']
+ const components = ['@request-target', 'date', 'host']
 if (request.method == 'POST') {
 components.push('digest')
 }
 await sign(request, {
 components: components,
- parameters: {
- created: Math.floor(Date.now() / 1000),
- },
 keyId: keyId.toString(),
 signer: mySigner,
 })
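Review bot: The new `if (!request.headers.has('Date'))` guard signs a caller-supplied `Date` verbatim, so a Request built earlier (a retried or queued delivery, for instance) gets a valid signature over a stale timestamp, and with `created` removed from the `sign()` call that header is now the only freshness value the signature covers. Either set it unconditionally at signing time with `request.headers.set('Date', new Date().toUTCString())`, or keep the guard and add a comment such as `// A caller-supplied Date is signed as-is; it must be current, because verifiers typically reject signatures outside their clock-skew window`. Replay protection now depends on the receiving side requiring `date` among the signed components and bounding its age; that verification code is not visible in this hunk, so it is worth confirming it was updated together with this change. signRequest's body starts and ends outside the hunk.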