
X-Signature-Timestamp guidelines + its (and X-Signature-Ed25519) format?

Open programmablereya opened this issue 1 year ago • 1 comment

Description

The X-Signature-Timestamp header seems to be a handy way to discourage replay attacks and make old signatures worthless after enough time has passed. I'd love to verify that the timestamp is within an acceptably recent duration to prevent an old signature from passing verification again now. However, there doesn't seem to be any description of how to use it. What's a good duration after which to declare a timestamp too old? What format should I expect to receive the timestamp in?

Additionally, it would be good to have - somewhere in the prose - the information that the X-Signature-Ed25519 signature will be transmitted in hex and that the timestamp text is expected to be concatenated to the body text. (Both are clearly visible in the code examples, but it helps to put it in the prose since the code is likely to be skimmed.)

Steps to Reproduce

  • Read https://discord.com/developers/docs/interactions/receiving-and-responding#security-and-authorization
  • Look for information about the format of the timestamp or acceptable amount of delay

Expected Behavior

  • There's some indication for how to handle the timestamp

Current Behavior

  • The code example only shows the timestamp being concatenated to the body and no textual information is given

Screenshots/Videos

No response

Client and System Information

N/A

programmablereya, Jun 04 '23 19:06

It would also be good to document what the format of the timestamp is. I've seen some indication that it's "seconds since epoch" (https://github.com/discord/discord-api-docs/issues/2359), though not the timezone of the timestamp. Alternatively, is it ISO 8601?

jonhoo, Jan 20 '24 10:01
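As an added example (not the docs' Python sample and not Discord's own code), here is a Go verifier that does what the issue and the follow-up comment ask for: check the hex X-Signature-Ed25519 value over X-Signature-Timestamp concatenated with the raw request body, then reject requests whose timestamp lies outside a replay window. The timestamp being integer Unix seconds (as issue #2359 suggests), the 5-minute window (MaxAge) and the SignInteraction helper that stands in for the sender are assumptions, not values taken from the docs.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// MaxAge is an assumed replay window; the docs give no recommended value.
const MaxAge = 5 * time.Minute
var (
	ErrBadSignature   = errors.New("X-Signature-Ed25519 does not verify over timestamp+body")
	ErrBadTimestamp   = errors.New("X-Signature-Timestamp is not an integer")
	ErrStaleTimestamp = errors.New("X-Signature-Timestamp is outside the replay window")
)

// VerifyInteraction checks the hex Ed25519 signature over timestamp||body first, so the
// timestamp is authenticated before it is trusted for the freshness decision, then rejects
// timestamps (assumed Unix seconds) more than MaxAge away from now. pub is the 32-byte key
// decoded from the hex value shown in the application portal.
func VerifyInteraction(pub ed25519.PublicKey, sigHex, timestamp string, body []byte, now time.Time) error {
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize || len(pub) != ed25519.PublicKeySize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pub, append([]byte(timestamp), body...), sig) {
		return ErrBadSignature
	}
	secs, err := strconv.ParseInt(timestamp, 10, 64)
	if err != nil {
		return ErrBadTimestamp
	}
	if age := now.Sub(time.Unix(secs, 0)); age > MaxAge || age < -MaxAge {
		return ErrStaleTimestamp
	}
	return nil
}

// SignInteraction plays the sender's role for local testing: hex(Ed25519(timestamp||body)).
func SignInteraction(priv ed25519.PrivateKey, timestamp string, body []byte) string {
	return hex.EncodeToString(ed25519.Sign(priv, append([]byte(timestamp), body...)))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // stand-in for the app's real key pair
	body, ts := []byte(`{"type":1}`), strconv.FormatInt(time.Now().Unix(), 10) // constructed PING
	fmt.Println(VerifyInteraction(pub, SignInteraction(priv, ts, body), ts, body, time.Now())) // <nil>
}
```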