fix: verifyNotificationSignature timestamps are in seconds (#515)

rayeeroded · web-flow · commit 7dcdd278da4c · 2021-09-12T15:36:34.000+03:00
diff --git a/lib-es5/utils/index.js b/lib-es5/utils/index.js
@@ -1125,7 +1125,7 @@ function webhook_signature(data, timestamp) {
  * Verifies the authenticity of a notification signature
  *
  * @param {string} body JSON of the request's body
- * @param {number} timestamp Unix timestamp. Can be retrieved from the X-Cld-Timestamp header
+ * @param {number} timestamp Unix timestamp in seconds. Can be retrieved from the X-Cld-Timestamp header
  * @param {string} signature Actual signature. Can be retrieved from the X-Cld-Signature header
  * @param {number} [valid_for=7200] The desired time in seconds for considering the request valid
  *
@@ -1135,7 +1135,7 @@ function verifyNotificationSignature(body, timestamp, signature) {
   var valid_for = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : 7200;
 
   // verify that signature is valid for the given timestamp
-  if (timestamp < Date.now() - valid_for) {
+  if (timestamp < Math.round(Date.now() / 1000) - valid_for) {
     return false;
   }
   var payload_hash = utils.webhook_signature(body, timestamp, {
diff --git a/lib/utils/index.js b/lib/utils/index.js
@@ -1036,15 +1036,15 @@ function webhook_signature(data, timestamp, options = {}) {
  * Verifies the authenticity of a notification signature
  *
  * @param {string} body JSON of the request's body
- * @param {number} timestamp Unix timestamp. Can be retrieved from the X-Cld-Timestamp header
+ * @param {number} timestamp Unix timestamp in seconds. Can be retrieved from the X-Cld-Timestamp header
  * @param {string} signature Actual signature. Can be retrieved from the X-Cld-Signature header
  * @param {number} [valid_for=7200] The desired time in seconds for considering the request valid
  *
  * @return {boolean}
  */
 function verifyNotificationSignature(body, timestamp, signature, valid_for = 7200) {
   // verify that signature is valid for the given timestamp
-  if (timestamp < Date.now() - valid_for) {
+  if (timestamp < Math.round(Date.now() / 1000) - valid_for) {
     return false;
   }
   const payload_hash = utils.webhook_signature(body, timestamp, {
diff --git a/test/utils/utils_spec.js b/test/utils/utils_spec.js
@@ -1459,8 +1459,8 @@ describe("utils", function () {
         'width': 100,
         'height': 100
       };
-      valid_response_timestamp = Date.now() - 5000;
-      invalid_response_timestamp = Date.now() - 50 * 1000;
+      valid_response_timestamp = (Date.now()/1000) - 5000;
+      invalid_response_timestamp = (Date.now()/1000) - 10000;
       response_json = JSON.stringify(expected_parameters);
       unexpected_response_json = JSON.stringify(unexpected_parameters);
     });

Original file line number	Diff line number	Diff line change
`@@ -1125,7 +1125,7 @@ function webhook_signature(data, timestamp) {`
`1125`	`1125`	`* Verifies the authenticity of a notification signature`
`1126`	`1126`	`*`
`1127`	`1127`	`* @param {string} body JSON of the request's body`
`1128`		`- * @param {number} timestamp Unix timestamp. Can be retrieved from the X-Cld-Timestamp header`
	`1128`	`+ * @param {number} timestamp Unix timestamp in seconds. Can be retrieved from the X-Cld-Timestamp header`
`1129`	`1129`	`* @param {string} signature Actual signature. Can be retrieved from the X-Cld-Signature header`
`1130`	`1130`	`* @param {number} [valid_for=7200] The desired time in seconds for considering the request valid`
`1131`	`1131`	`*`
`@@ -1135,7 +1135,7 @@ function verifyNotificationSignature(body, timestamp, signature) {`
`1135`	`1135`	`var valid_for = arguments.length > 3 && arguments[3] !== undefined ? arguments[3] : 7200;`
`1136`	`1136`
`1137`	`1137`	`// verify that signature is valid for the given timestamp`
`1138`		`- if (timestamp < Date.now() - valid_for) {`
	`1138`	`+ if (timestamp < Math.round(Date.now() / 1000) - valid_for) {`
`1139`	`1139`	`return false;`
`1140`	`1140`	`}`
`1141`	`1141`	`var payload_hash = utils.webhook_signature(body, timestamp, {`
Original file line number	Diff line number	Diff line change
`@@ -1036,15 +1036,15 @@ function webhook_signature(data, timestamp, options = {}) {`
`1036`	`1036`	`* Verifies the authenticity of a notification signature`
`1037`	`1037`	`*`
`1038`	`1038`	`* @param {string} body JSON of the request's body`
`1039`		`- * @param {number} timestamp Unix timestamp. Can be retrieved from the X-Cld-Timestamp header`
	`1039`	`+ * @param {number} timestamp Unix timestamp in seconds. Can be retrieved from the X-Cld-Timestamp header`
`1040`	`1040`	`* @param {string} signature Actual signature. Can be retrieved from the X-Cld-Signature header`
`1041`	`1041`	`* @param {number} [valid_for=7200] The desired time in seconds for considering the request valid`
`1042`	`1042`	`*`
`1043`	`1043`	`* @return {boolean}`
`1044`	`1044`	`*/`
`1045`	`1045`	`function verifyNotificationSignature(body, timestamp, signature, valid_for = 7200) {`
`1046`	`1046`	`// verify that signature is valid for the given timestamp`
`1047`		`- if (timestamp < Date.now() - valid_for) {`
	`1047`	`+ if (timestamp < Math.round(Date.now() / 1000) - valid_for) {`
`1048`	`1048`	`return false;`
`1049`	`1049`	`}`
`1050`	`1050`	`const payload_hash = utils.webhook_signature(body, timestamp, {`