Merge pull request #65 from github/time-skew

levenleven · web-flow · commit 55b5c7b9cb6c · 2024-07-02T12:40:05.000+03:00
fix: allow 5 mins time drift
diff --git a/lib/chatops.rb b/lib/chatops.rb
@@ -11,6 +11,8 @@ module Chatops
     threaded_and_channel: 2,
   }.freeze
 
+  ALLOWED_TIME_SKEW_MINS = 5
+
   def self.public_key
     ENV[public_key_env_var_name]
   end
diff --git a/lib/chatops/controller.rb b/lib/chatops/controller.rb
@@ -168,8 +168,8 @@ def ensure_valid_chatops_signature
     def ensure_valid_chatops_timestamp
       @chatops_timestamp = request.headers["Chatops-Timestamp"]
       time = Time.iso8601(@chatops_timestamp)
-      if !(time > 1.minute.ago && time < 1.minute.from_now)
-        return jsonrpc_error(-32803, 403, "Chatops timestamp not within 1 minute of server time: #{@chatops_timestamp} vs #{Time.now.utc.iso8601}")
+      if !(time > Chatops::ALLOWED_TIME_SKEW_MINS.minute.ago && time < Chatops::ALLOWED_TIME_SKEW_MINS.minute.from_now)
+        return jsonrpc_error(-32803, 403, "Chatops timestamp not within #{Chatops::ALLOWED_TIME_SKEW_MINS} minutes of server time: #{@chatops_timestamp} vs #{Time.now.utc.iso8601}")
       end
     rescue ArgumentError, TypeError
       # time parsing or missing can raise these
diff --git a/lib/chatops/controller/version.rb b/lib/chatops/controller/version.rb
@@ -1,3 +1,3 @@
 module ChatopsController
-  VERSION = "5.2.0"
+  VERSION = "5.3.0"
 end
diff --git a/spec/lib/chatops/controller_spec.rb b/spec/lib/chatops/controller_spec.rb
@@ -177,9 +177,9 @@ def rails_flexible_post(path, outer_params, jsonrpc_params = nil)
     expect(response.status).to eq 403
   end
 
-  it "doesn't allow requests more than 1 minute old" do
+  it "doesn't allow requests more than 5 minute old" do
     nonce = SecureRandom.hex(20)
-    timestamp = 2.minutes.ago.utc.iso8601
+    timestamp = 6.minutes.ago.utc.iso8601
     request.headers["Chatops-Nonce"] = nonce
     request.headers["Chatops-Timestamp"] = timestamp
     digest = OpenSSL::Digest::SHA256.new
@@ -188,12 +188,12 @@ def rails_flexible_post(path, outer_params, jsonrpc_params = nil)
     request.headers["Chatops-Signature"] = "Signature keyid=foo,signature=#{signature}"
     get :list
     expect(response.status).to eq 403
-    expect(response.body).to include "Chatops timestamp not within 1 minute"
+    expect(response.body).to include "Chatops timestamp not within 5 minutes"
   end
 
-  it "doesn't allow requests more than 1 minute in the future" do
+  it "doesn't allow requests more than 5 minute in the future" do
     nonce = SecureRandom.hex(20)
-    timestamp = 2.minutes.from_now.utc.iso8601
+    timestamp = 6.minutes.from_now.utc.iso8601
     request.headers["Chatops-Nonce"] = nonce
     request.headers["Chatops-Timestamp"] = timestamp
     digest = OpenSSL::Digest::SHA256.new
@@ -202,7 +202,7 @@ def rails_flexible_post(path, outer_params, jsonrpc_params = nil)
     request.headers["Chatops-Signature"] = "Signature keyid=foo,signature=#{signature}"
     get :list
     expect(response.status).to eq 403
-    expect(response.body).to include "Chatops timestamp not within 1 minute"
+    expect(response.body).to include "Chatops timestamp not within 5 minutes"
   end
 
   it "does not add authentication to non-chatops routes" do
