Restrict replay attacks with timestamp for outline

hackerembassy · Dec 29, 2024 · 7812c97 · 7812c97
1 parent b54ba20
commit 7812c97
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -131,7 +131,7 @@ HASSTOKEN - Home Assistant API token
 HACKERGOOGLEAPIKEY - Google Calendar API token  
 OPENAIAPIKEY - OpenAI API token  
 SONAR_TOKEN - Sonar Cloud analysis token  
-WIKIAPIKEY - Outline Wiki API token
+WIKIAPIKEY - Outline Wiki API token  
 OUTLINE_SIGNING_SECRET - Outline API signing secret for webhooks
 
 You can use a .env file in the root folder for development. Check the .env.example file for reference.

diff --git a/utils/middleware.ts b/utils/middleware.ts
@@ -7,6 +7,7 @@ import { Logger } from "winston";
 
 import { decrypt } from "./security";
 import { safeJsonStringify } from "./text";
+import { MINUTE } from "./date";
 
 // Optional type for a legacy hass module
 type RequestWithOptionalTokenBody = Request<ParamsDictionary, any, Optional<{ token?: string }>, ParsedQs, Record<string, any>>;
@@ -89,6 +90,14 @@ export function createOutlineVerificationMiddleware(logger: Logger, token?: stri
         }
 
         const [timestamp, signature] = header.split(",").map(part => part.split("=")[1]);
+        const parsedTimestamp = Number(timestamp);
+
+        if (isNaN(parsedTimestamp) || parsedTimestamp < Date.now() - MINUTE) {
+            logger.error(`Got request with outdated outline signature from ${req.ip}`);
+            res.status(401).send({ message: "Request is outdated" });
+            return;
+        }
+
         const bodyString = safeJsonStringify(req.body);
 
         if (!bodyString) {