From 840a4173bbaeb87921d21efb552c8e91f87e6258 Mon Sep 17 00:00:00 2001
From: simon987
Date: Fri, 1 Mar 2019 21:05:26 -0500
Subject: [PATCH] Add timestamp in hmac auth

---
 api/task.go | 25 ++++++++++++++++++++++++-
 test/common.go | 10 ++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/api/task.go b/api/task.go
index 75f0fe9..8a35f5f 100644
--- a/api/task.go
+++ b/api/task.go
@@ -10,6 +10,7 @@ import (
 "github.com/Sirupsen/logrus"
 "github.com/dchest/siphash"
 "github.com/simon987/task_tracker/storage"
+ "math"
 "strconv"
 "time"
 )
@@ -17,7 +18,7 @@ import (
 func (api *WebAPI) SubmitTask(r *Request) {
 worker, err := api.validateSignature(r)
- if worker == nil {
+ if err != nil {
 r.Json(JsonResponse{
 Ok: false,
 Message: err.Error(),
@@ -138,11 +139,32 @@ func (api *WebAPI) GetTaskFromProject(r *Request) {
 func (api WebAPI) validateSignature(r *Request) (*storage.Worker, error) {
 widStr := string(r.Ctx.Request.Header.Peek("X-Worker-Id"))
+ timeStampStr := string(r.Ctx.Request.Header.Peek("Timestamp"))
 signature := r.Ctx.Request.Header.Peek("X-Signature")
 if widStr == "" {
 return nil, errors.New("worker id not specified")
 }
+ if timeStampStr == "" {
+ return nil, errors.New("date is not specified")
+ }
+
+ timestamp, err := time.Parse(time.RFC1123, timeStampStr)
+ if err != nil {
+ logrus.WithError(err).WithFields(logrus.Fields{
+ "date": timeStampStr,
+ }).Warn("Can't parse Timestamp")
+
+ return nil, err
+ }
+
+ if math.Abs(float64(timestamp.Unix()-time.Now().Unix())) > 60 {
+ logrus.WithError(err).WithFields(logrus.Fields{
+ "date": timeStampStr,
+ }).Warn("Invalid Timestamp")
+
+ return nil, errors.New("invalid Timestamp")
+ }
 wid, err := strconv.ParseInt(widStr, 10, 64)
 if err != nil {
@@ -172,6 +194,7 @@ func (api WebAPI) validateSignature(r *Request) (*storage.Worker, error) {
 mac := hmac.New(crypto.SHA256.New, worker.Secret)
 mac.Write(body)
+ mac.Write([]byte(timeStampStr))
 expectedMac := make([]byte, 64)
 hex.Encode(expectedMac, mac.Sum(nil))
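Review bot: `time.Parse(time.RFC1123, timeStampStr)` in validateSignature drops the client's real UTC offset whenever the zone abbreviation in the header is one the server's local zone does not define (Go then records the time with a zero offset and a fabricated location), so a client that formats `time.Now()` in a non-UTC local zone can be off by hours and fail the 60-second check even though its clock is correct. Requiring a format that carries a numeric offset on both sides avoids this, e.g. `timestamp, err := time.Parse(time.RFC3339, timeStampStr)` here with the matching format change in test/common.go, or a plain Unix-seconds integer. The "Invalid Timestamp" branch also calls `logrus.WithError(err)` while `err` is nil from the successful parse, so that log line carries no error; logging the computed skew as a field is more useful. The window check reads better as durations with a named bound, `if skew := time.Since(timestamp); skew > maxClockSkew || skew < -maxClockSkew {` with `const maxClockSkew = 60 * time.Second`, which also removes the need for the new `math` import. validateSignature continues outside the hunk.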
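Review bot: `mac.Write(body)` followed by `mac.Write([]byte(timeStampStr))` hashes the timestamp as an unframed suffix of the body, so the boundary between the two fields is not itself covered by the signature; a fixed separator or length prefix between them, e.g. `mac.Write([]byte{0})` before the timestamp (mirrored in test/common.go), makes the signed encoding unambiguous. The timestamp bounds how long a captured request stays valid but does not make it single-use, so within the accepted window an identical request is still accepted; if that matters for these endpoints, a short-lived per-worker cache of seen signatures would close it, and a one-line comment above the write such as `// timestamp is covered by the signature so it cannot be altered independently of the body` would record the intent. The enclosing function validateSignature starts outside this hunk.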
diff --git a/test/common.go b/test/common.go
index 8892f44..b1c240c 100644
--- a/test/common.go
+++ b/test/common.go
@@ -14,6 +14,7 @@ import (
 "io/ioutil"
 "net/http"
 "strconv"
+ "time"
 )
 type SessionContext struct {
@@ -39,12 +40,17 @@ func Post(path string, x interface{}, worker *storage.Worker, s *http.Client) *h
 handleErr(err)
 if worker != nil {
+
+ ts := time.Now().Format(time.RFC1123)
+
 mac := hmac.New(crypto.SHA256.New, worker.Secret)
 mac.Write(body)
+ mac.Write([]byte(ts))
 sig := hex.EncodeToString(mac.Sum(nil))
 req.Header.Add("X-Worker-Id", strconv.FormatInt(worker.Id, 10))
 req.Header.Add("X-Signature", sig)
+ req.Header.Add("Timestamp", ts)
 }
 r, err := s.Do(req)
@@ -64,12 +70,16 @@ func Get(path string, worker *storage.Worker, s *http.Client) *http.Response {
 if worker != nil {
+ ts := time.Now().Format(time.RFC1123)
+
 mac := hmac.New(crypto.SHA256.New, worker.Secret)
 mac.Write([]byte(path))
+ mac.Write([]byte(ts))
 sig := hex.EncodeToString(mac.Sum(nil))
 req.Header.Add("X-Worker-Id", strconv.FormatInt(worker.Id, 10))
 req.Header.Add("X-Signature", sig)
+ req.Header.Add("Timestamp", ts)
 }
 r, err := s.Do(req)
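Review bot: `ts := time.Now().Format(time.RFC1123)` in Post, and the same line in Get, emits the local zone abbreviation, which the server can only map back to the right offset when its own zone happens to define that abbreviation; formatting in UTC, `ts := time.Now().UTC().Format(time.RFC1123)`, yields the "UTC" abbreviation that time.Parse recognises everywhere, and switching both sides to a numeric-offset format would remove the dependency entirely. The signing sequence (timestamp, HMAC over payload then timestamp, the three headers) is now duplicated in Post and Get; a helper along the lines of `func signRequest(req *http.Request, payload []byte, worker *storage.Worker)` would keep the two callers in step the next time the scheme changes. Both enclosing functions start and end outside their hunks.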