check signature check teim stamp too old or too new.

server.go

@@ -11,7 +11,9 @@ import (
 	"net/url"
 	"os"
 	"sort"
+	"strconv"
 	"strings"
+	"time"
 )
 
 //apiV1Main  version 1 main entry for all wechat callbacks
@@ -148,6 +150,9 @@ func checkSignature(r *http.Request) bool {
 }
 
 func verifySignature(signature, timestamp, nonce, token string) bool {
+	if timestampTooOldStr(timestamp) {
+		return false
+	}
 	//sort token, timestamp, nonce  and join them
 	strs := []string{token, timestamp, nonce}
 	sort.Strings(strs)
@@ -160,6 +165,24 @@ func verifySignature(signature, timestamp, nonce, token string) bool {
 	return signature == calculated
 }
 
+func timestampTooOldStr(timestamp string) bool {
+	ts, err := strconv.Atoi(timestamp)
+	if err != nil {
+		return true
+	}
+	return timestampTooOld(int32(ts))
+}
+
+func timestampTooOld(ts int32) bool {
+	//diff > 3min from now
+	now := int32(time.Now().Unix())
+	diff := now - ts
+	if diff < 0 {
+		diff = -diff
+	}
+	return diff > 180 //3 minutes, 180 seconds
+}
+
 // func checkSignature1() bool {
 // 	s1 := "e39de9f2e28079c01ebb4b803dfc3442b819545c"
 // 	t1 := "1492970761"