diff options
| author | Francois Kritzinger <francois@codesynthesis.com> | 2024-02-12 11:23:16 +0200 |
|---|---|---|
| committer | Francois Kritzinger <francois@codesynthesis.com> | 2024-04-24 15:14:54 +0200 |
| commit | 9238928b2740b0b18bf420122942cf4a08d6bbfc (patch) | |
| tree | e8c1d7e1fd2f11752fbb8cf40e900a3e2326cc5a /mod/mod-ci-github.cxx | |
| parent | e385516c2accc0ef3f8469b767bf0c8a0374175d (diff) | |
Post-review changes
Diffstat (limited to 'mod/mod-ci-github.cxx')
| -rw-r--r-- | mod/mod-ci-github.cxx | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/mod/mod-ci-github.cxx b/mod/mod-ci-github.cxx index 86f52b9..53ec9a7 100644 --- a/mod/mod-ci-github.cxx +++ b/mod/mod-ci-github.cxx @@ -235,13 +235,15 @@ handle (request& rq, response& rs) try { - // Use the maximum validity period allowed by GitHub (10 minutes). - // @@ Let's make configurable. + // Set token's "issued at" time 60 seconds in the past to combat clock + // drift (as recommended by GitHub). // - string jwt (gen_jwt (*options_, - options_->ci_github_app_private_key (), - to_string (options_->ci_github_app_id ()), - chrono::minutes (10))); + string jwt (gen_jwt ( + *options_, + options_->ci_github_app_private_key (), + to_string (options_->ci_github_app_id ()), + chrono::minutes (options_->ci_github_jwt_validity_period ()), + chrono::seconds (60))); if (jwt.empty ()) fail << "unable to generate JWT: " << options_->openssl () @@ -275,6 +277,9 @@ handle (request& rq, response& rs) // // Note: these exceptions end up in the apache error log. // + // @@ TMP Actually I was wrong, these do not end up in any logs. Pretty + // sure I saw them go there but they're definitely not anymore. + // throw invalid_request (400, "malformed JSON in request body"); } } |