From fb6904ae9bb1178f199117d1b212ca158643eea0 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travis@t2bot.io>
Date: Fri, 30 Aug 2024 11:41:54 -0600
Subject: [PATCH] Ensure remote signing keys expire after at most 7 days

---
 CHANGELOG.md               | 1 +
 matrix/requests_signing.go | 5 ++++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f2137f0..e49c664c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
 * Return a 404 instead of 500 when clients access media which is frozen.
 * Ensure the request parameters are correctly set for authenticated media client requests.
+* Ensure remote signing keys expire after at most 7 days.
 
 ## [1.3.7] - July 30, 2024
 
diff --git a/matrix/requests_signing.go b/matrix/requests_signing.go
index da97ea94..0524a31d 100644
--- a/matrix/requests_signing.go
+++ b/matrix/requests_signing.go
@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"math"
 	"net/http"
 	"sync"
 	"time"
@@ -128,11 +129,13 @@ func QuerySigningKeys(serverName string) (ServerSigningKeys, error) {
 		if keyInfo.ServerName != serverName {
 			return nil, fmt.Errorf("got keys for '%s' but expected '%s'", keyInfo.ServerName, serverName)
 		}
+		maxValidity := time.Now().Add(7 * 24 * time.Hour)
 		if keyInfo.ValidUntilTs <= util.NowMillis() {
 			return nil, errors.New("returned server keys are expired")
 		}
+		keyInfo.ValidUntilTs = int64(math.Min(float64(keyInfo.ValidUntilTs), float64(maxValidity.UnixMilli())))
 		cacheUntil := time.Until(time.UnixMilli(keyInfo.ValidUntilTs)) / 2
-		if cacheUntil <= (6 * time.Second) {
+		if cacheUntil <= (1 * time.Minute) {
 			return nil, errors.New("returned server keys would expire too quickly")
 		}