diff options
| author | Francois Kritzinger <francois@codesynthesis.com> | 2024-02-12 11:23:16 +0200 |
|---|---|---|
| committer | Francois Kritzinger <francois@codesynthesis.com> | 2024-10-15 09:05:27 +0200 |
| commit | e3c374f2d6c00df3031a804e508565a04b2f0407 (patch) | |
| tree | 6b20124d0962dca13c1951d24721060de2a0f714 /mod/mod-ci-github.cxx | |
| parent | 0856f9ad26a8d9679f1fad03f7bf30153d278910 (diff) | |
Post-review changes
Diffstat (limited to 'mod/mod-ci-github.cxx')
| -rw-r--r-- | mod/mod-ci-github.cxx | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/mod/mod-ci-github.cxx b/mod/mod-ci-github.cxx index 86f52b9..53ec9a7 100644 --- a/mod/mod-ci-github.cxx +++ b/mod/mod-ci-github.cxx @@ -235,13 +235,15 @@ handle (request& rq, response& rs) try { - // Use the maximum validity period allowed by GitHub (10 minutes). - // @@ Let's make configurable. + // Set token's "issued at" time 60 seconds in the past to combat clock + // drift (as recommended by GitHub). // - string jwt (gen_jwt (*options_, - options_->ci_github_app_private_key (), - to_string (options_->ci_github_app_id ()), - chrono::minutes (10))); + string jwt (gen_jwt ( + *options_, + options_->ci_github_app_private_key (), + to_string (options_->ci_github_app_id ()), + chrono::minutes (options_->ci_github_jwt_validity_period ()), + chrono::seconds (60))); if (jwt.empty ()) fail << "unable to generate JWT: " << options_->openssl () @@ -275,6 +277,9 @@ handle (request& rq, response& rs) // // Note: these exceptions end up in the apache error log. // + // @@ TMP Actually I was wrong, these do not end up in any logs. Pretty + // sure I saw them go there but they're definitely not anymore. + // throw invalid_request (400, "malformed JSON in request body"); } } |