Add support for special headers `(created)` and `(expires)`
For these two headers you need to include them in the Signature field while signing, and read them off of the Signature header while validating. This comes from ref 11+ of the cavage draft: https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12#section-2.1.4
See #2, https://akkoma.dev/AkkomaGang/akkoma/issues/797, https://github.com/superseriousbusiness/gotosocial/issues/2991.
Note that the following checks are yet to be implemented; I wonder if you would like to include them:
- Require that `created` and `expires` are timestamps
- Require that the two timestamps are in the past/future respectively
- Require that keys including these two in the headers are not `rsa`, `hmac` or `ecdsa`
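
The three checks listed above, sketched in Python as an added example (not code from this pull request or from the library it targets). The function names, the `now` and `skew` parameters, and the sample header are assumptions made for illustration.

```python
import re
import time

# key="value" pairs, plus bare numeric values such as created=1700000000
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([0-9.]+))')
_TIMESTAMP = re.compile(r"\d+(\.\d+)?")
_LEGACY_PREFIXES = ("rsa", "hmac", "ecdsa")

# Constructed sample header, not taken from real traffic.
SAMPLE = ('keyId="https://example.test/actor#main-key",algorithm="hs2019",'
          'created=1700000000,expires=1700000300,'
          'headers="(request-target) (created) (expires) host",'
          'signature="Y29uc3RydWN0ZWQ="')

def parse_signature_params(header):
    """Split a Signature header value into a dict of its parameters."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(header)}

def check_created_expires(header, now=None, skew=0):
    """Return a list of problems; an empty list means all checks pass."""
    now = time.time() if now is None else now
    params = parse_signature_params(header)
    signed = params.get("headers", "").lower().split()
    used = [n for n in ("created", "expires") if f"({n})" in signed]
    problems, times = [], {}
    # Check 1: a signed (created)/(expires) needs a numeric parameter.
    for name in used:
        raw = params.get(name) or ""
        if _TIMESTAMP.fullmatch(raw):
            times[name] = float(raw)
        else:
            problems.append(f"{name} is missing or not a timestamp")
    # Check 2: created must not be in the future, expires not in the past.
    if "created" in times and times["created"] > now + skew:
        problems.append("created is in the future")
    if "expires" in times and times["expires"] < now - skew:
        problems.append("expires is in the past")
    # Check 3: these headers are not allowed with rsa*, hmac* or ecdsa*.
    alg = params.get("algorithm", "").lower()
    if used and alg.startswith(_LEGACY_PREFIXES):
        problems.append(f"algorithm {alg} not allowed with {' '.join(used)}")
    return problems

if __name__ == "__main__":
    print(check_created_expires(SAMPLE, now=1700000100))
```
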