Use absolute timestamp delta to check hmac tolerance

This avoids unexpected behaviour if the timestamp of a worker is ahead of the webuis time.
os-autoinst · Jul 23, 2024 · 3883e61 · 3883e61
1 parent fd0c330
commit 3883e61
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/OpenQA/Shared/Controller/Auth.pm b/lib/OpenQA/Shared/Controller/Auth.pm
@@ -101,7 +101,7 @@ sub _is_timestamp_valid ($self, $our_timestamp, $remote_timestamp) {
     my $tolerance = $self->config->{api_hmac_time_tolerance}
       // 300;    # make extra sure this value is never empty to avoid security issues
 
-    return 1 if ($our_timestamp - $remote_timestamp <= $tolerance);
+    return 1 if (abs($our_timestamp - $remote_timestamp) <= $tolerance);
     $log->debug(
 qq{Timestamp mismatch over ${tolerance}s; our_timestamp: $our_timestamp, X-API-Microtime (from worker): $remote_timestamp}
     );