fix(s3s/ops): allow presigned url requests with up to 15 minutes cloc…

…k skew
Nugine · Nov 13, 2024 · c53867c · c53867c
1 parent 5d3ec1f
commit c53867c
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/crates/s3s/src/ops/signature.rs b/crates/s3s/src/ops/signature.rs
@@ -196,8 +196,16 @@ impl SignatureContext<'_> {
                 .ok_or_else(|| invalid_request!("invalid amz date"))?;
 
             let duration = now - date;
-            if duration.is_positive().not() {
-                return Err(invalid_request!("invalid presigned url date"))?;
+
+            // Allow requests that are up to 15 minutes in the future.
+            // This is to account for clock skew between the client and server.
+            // See also https://github.com/minio/minio/blob/b5177993b371817699d3fa25685f54f88d8bfcce/cmd/signature-v4.go#L238-L242
+
+            // TODO: configurable max_skew_time
+
+            let max_skew_time = time::Duration::seconds(15 * 60);
+            if duration.is_negative() && duration.abs() > max_skew_time {
+                return Err(s3_error!(RequestTimeTooSkewed, "presigned url date is later than server time too much"));
             }
 
             if duration > presigned_url.expires {