From 46a4bec8bc8c65a6972ef171fff5b88fcafc2b9a Mon Sep 17 00:00:00 2001 From: nicksinger Date: Tue, 23 Jul 2024 13:13:25 +0200 Subject: [PATCH] Use absolut timestamp delta to check hmac tolerance This avoids unexpected behaviour if the timestamp of a worker is ahead of the webuis time. --- lib/OpenQA/Shared/Controller/Auth.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/OpenQA/Shared/Controller/Auth.pm b/lib/OpenQA/Shared/Controller/Auth.pm index b6b2bdaf67c6..910f172ffce1 100644 --- a/lib/OpenQA/Shared/Controller/Auth.pm +++ b/lib/OpenQA/Shared/Controller/Auth.pm @@ -101,7 +101,7 @@ sub _is_timestamp_valid ($self, $our_timestamp, $remote_timestamp) { my $tolerance = $self->config->{api_hmac_time_tolerance} // 300; # make extra sure this value is never empty to avoid security issues - return 1 if ($our_timestamp - $remote_timestamp <= $tolerance); + return 1 if (abs($our_timestamp - $remote_timestamp) <= $tolerance); $log->debug( qq{Timestamp mismatch over ${tolerance}s; our_timestamp: $our_timestamp, X-API-Microtime (from worker): $remote_timestamp} );
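Review bot: The `abs(...)` comparison should carry a comment saying why the delta must be symmetric, because the security reason is not visible in the code. With the old one-sided test a negative delta always passed, so a request whose X-API-Microtime was arbitrarily far in the future was never rejected by this check. A line such as `# absolute delta: a timestamp ahead of ours by more than the tolerance must fail too, otherwise the replay window is unbounded` above the `return 1` would record that. The comparison also relies on Perl numifying `$remote_timestamp`, which the debug message identifies as a header value; if the part of `_is_timestamp_valid` outside this hunk does not already reject non-numeric input, a `looks_like_number` guard would make the fail-closed behaviour explicit rather than incidental. The function starts and ends outside the hunk.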