author | Francois Kritzinger <francois@codesynthesis.com> | 2024-02-12 11:23:16 +0200 |
---|---|---|
committer | Francois Kritzinger <francois@codesynthesis.com> | 2024-06-05 09:12:45 +0200 |
commit | 6a7e81b3d331c84633732d6b80d82fcbeb9eed44 (patch) | |
tree | ab9f5b5dc30612bdf89c76c1e8880c0d308f19be /mod/mod-ci-github.cxx | |
parent | 3d53ca86d53c119e9b937d3a51571127f75b140c (diff) |
Post-review changes
Diffstat (limited to 'mod/mod-ci-github.cxx')
-rw-r--r-- | mod/mod-ci-github.cxx | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/mod/mod-ci-github.cxx b/mod/mod-ci-github.cxx
index 86f52b9..53ec9a7 100644
--- a/mod/mod-ci-github.cxx
+++ b/mod/mod-ci-github.cxx
@@ -235,13 +235,15 @@ handle (request& rq, response& rs)
 try
 {
- // Use the maximum validity period allowed by GitHub (10 minutes).
- // @@ Let's make configurable.
+ // Set token's "issued at" time 60 seconds in the past to combat clock
+ // drift (as recommended by GitHub).
 //
- string jwt (gen_jwt (*options_,
- options_->ci_github_app_private_key (),
- to_string (options_->ci_github_app_id ()),
- chrono::minutes (10)));
+ string jwt (gen_jwt (
+ *options_,
+ options_->ci_github_app_private_key (),
+ to_string (options_->ci_github_app_id ()),
+ chrono::minutes (options_->ci_github_jwt_validity_period ()),
+ chrono::seconds (60)));
 if (jwt.empty ())
 fail << "unable to generate JWT: " << options_->openssl ()
@@ -275,6 +277,9 @@ handle (request& rq, response& rs)
 //
 // Note: these exceptions end up in the apache error log.
 //
+ // @@ TMP Actually I was wrong, these do not end up in any logs. Pretty
+ // sure I saw them go there but they're definitely not anymore.
+ //
 throw invalid_request (400, "malformed JSON in request body");
 }
 } |
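Review bot: The configured validity period reaches `gen_jwt` as `chrono::minutes (options_->ci_github_jwt_validity_period ())` with no range check visible in this hunk, while the removed comment recorded that GitHub allows at most 10 minutes. A value above that ceiling would presumably make GitHub reject the token, and a very small value combined with the 60-second backdated "issued at" could leave little or no usable lifetime, depending on how `gen_jwt` derives the expiry (not shown here). Unless the option parser already enforces it, I would validate the range where the option is loaded and keep the limit documented at the call, e.g. `// GitHub rejects JWTs that expire more than 10 minutes in the future.` The option's unit is not visible here either, so it is worth confirming that it is expressed in minutes; `handle()` starts and ends outside the hunk.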
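Review bot: The added `@@ TMP` comment contradicts the note two lines above it, which still says these exceptions end up in the apache error log, so the comment block now states both. I would replace the old note rather than append to it, e.g. `// Note: these exceptions are currently not written to any log.` If that finding holds, requests rejected with `invalid_request (400, ...)` leave no trace for whoever monitors this endpoint, so emitting a diagnostic before the `throw` seems worth considering. The enclosing try/catch begins outside the hunk.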