From 69750f6683ab1395450e86c38354697eeee39487 Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Sat, 18 Feb 2023 13:10:39 -0600
Subject: [PATCH 1/2] Don't sign the `(created)` header for HTTP signatures
---
 backend/src/utils/http-signing.ts | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/backend/src/utils/http-signing.ts b/backend/src/utils/http-signing.ts
index 2320d784a..84417f9a5 100644
--- a/backend/src/utils/http-signing.ts
+++ b/backend/src/utils/http-signing.ts
@@ -27,9 +27,6 @@ export async function signRequest(request: Request, key: CryptoKey, keyId: URL):
   await sign(request, {
     components: components,
-    parameters: {
-      created: Math.floor(Date.now() / 1000),
-    },
     keyId: keyId.toString(),
     signer: mySigner,
   })
From 54376047365d82581304da8e1ddc8553c030a86c Mon Sep 17 00:00:00 2001
From: Alex Gleason
Date: Sat, 18 Feb 2023 13:31:17 -0600
Subject: [PATCH 2/2] Require date _or_ digest header when verifying HTTP Signatures
---
 backend/src/utils/httpsigjs/parser.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/src/utils/httpsigjs/parser.ts b/backend/src/utils/httpsigjs/parser.ts
index fa39d2b7d..53d051aee 100644
--- a/backend/src/utils/httpsigjs/parser.ts
+++ b/backend/src/utils/httpsigjs/parser.ts
@@ -261,8 +261,8 @@ export function parseRequest(request: Request, options?: Options): ParsedSignatu
   if (!parsed.params.signature) throw new InvalidHeaderError('signature was not specified')
-  if (['date', 'x-date', '(created)'].every((hdr) => parsedHeaders.indexOf(hdr) < 0)) {
-    throw new MissingHeaderError('no signed date header')
+  if (['date', 'x-date', '(created)', 'digest'].every((hdr) => parsedHeaders.indexOf(hdr) < 0)) {
+    throw new MissingHeaderError('no signed date or digest header')
   }
   // Check the algorithm against the official list
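Review bot: Accepting `digest` as a substitute for a signed date header removes the only time-bound component from the signature, so a request whose signature covers only `digest` can be verified again at any later time; this applies to the new `if` condition in parseRequest, whose body continues outside the hunk. The condition also only confirms that `digest` was among the signed header names — whether the Digest value is recomputed from the body and compared is not visible here, and if it is not, the signature binds nothing about the payload. With patch 1 dropping the `(created)` parameter on the signing side, freshness of outgoing requests now rests entirely on `date` being listed in `components`, which is defined above that hunk and should be confirmed. I would at least document the trade-off at the condition: `// A signed Digest alone carries no freshness; callers must still verify the Digest value against the body.` Stylistically, `if (!['date', 'x-date', '(created)', 'digest'].some((hdr) => parsedHeaders.includes(hdr))) {` reads more directly than `every(... indexOf(hdr) < 0)`.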