Ensure remote signing keys expire after at most 7 days (#613)

t2bot · Sep 4, 2024 · c1d9025 · c1d9025
1 parent 7d4e9d5
commit c1d9025
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 * Return a 404 instead of 500 when clients access media which is frozen.
 * Ensure the request parameters are correctly set for authenticated media client requests.
+* Ensure remote signing keys expire after at most 7 days.
 * Fixed parsing of `Authorization` headers for federated servers.
 
 ## [1.3.7] - July 30, 2024

diff --git a/matrix/requests_signing.go b/matrix/requests_signing.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"math"
 	"net/http"
 	"sync"
 	"time"
@@ -128,11 +129,13 @@ func QuerySigningKeys(serverName string) (ServerSigningKeys, error) {
 		if keyInfo.ServerName != serverName {
 			return nil, fmt.Errorf("got keys for '%s' but expected '%s'", keyInfo.ServerName, serverName)
 		}
+		maxValidity := time.Now().Add(7 * 24 * time.Hour)
 		if keyInfo.ValidUntilTs <= util.NowMillis() {
 			return nil, errors.New("returned server keys are expired")
 		}
+		keyInfo.ValidUntilTs = int64(math.Min(float64(keyInfo.ValidUntilTs), float64(maxValidity.UnixMilli())))
 		cacheUntil := time.Until(time.UnixMilli(keyInfo.ValidUntilTs)) / 2
-		if cacheUntil <= (6 * time.Second) {
+		if cacheUntil <= (1 * time.Minute) {
 			return nil, errors.New("returned server keys would expire too quickly")
 		}