discord-api-docs
X-Signature-Timestamp guidelines + its (and X-Signature-Ed25519) format?
Description
The X-Signature-Timestamp header seems to be a handy way to discourage replay attacks and make old signatures worthless after enough time has passed. I'd love to verify that the timestamp is within an acceptably recent duration to prevent an old signature from passing verification again now. However, there doesn't seem to be any description of how to use it. What's a good duration after which to declare a timestamp too old? What format should I expect to receive the timestamp in?
Additionally, it would be good to have - somewhere in the prose - the information that the X-Signature-Ed25519 signature will be transmitted in hex and that the timestamp text is expected to be concatenated to the body text. (Both are clearly visible in the code examples, but it helps to put it in the prose since the code is likely to be skimmed.)
Steps to Reproduce
- Read https://discord.com/developers/docs/interactions/receiving-and-responding#security-and-authorization
- Look for information about the format of the timestamp or acceptable amount of delay
Expected Behavior
- There's some indication for how to handle the timestamp
Current Behavior
- The code example only shows the timestamp being concatenated to the body and no textual information is given
Screenshots/Videos
No response
Client and System Information
N/A
It would also be good to document what the format of the timestamp is. I've seen some indication that it's "seconds since epoch" (https://github.com/discord/discord-api-docs/issues/2359), though not the timezone of the timestamp. Alternatively, is it ISO 8601?