From 4e445a7207d69dd75667b7d66820e125c5789c07 Mon Sep 17 00:00:00 2001
From: Thomas Sileo <t@a4.io>
Date: Fri, 26 Aug 2022 23:35:58 +0200
Subject: [PATCH] Prevent replay attacks with TLS1.3 0-RTT

---
 app/main.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/main.py b/app/main.py
index 3c45ea8..cdb7205 100644
--- a/app/main.py
+++ b/app/main.py
@@ -8,6 +8,7 @@ from typing import Any
 from typing import MutableMapping
 from typing import Type
 
+import fastapi
 import httpx
 import starlette
 from asgiref.typing import ASGI3Application
@@ -165,7 +166,15 @@ class CustomMiddleware:
         return None
 
 
-app = FastAPI(docs_url=None, redoc_url=None)
+def _check_0rtt_early_data(request: Request) -> None:
+    """Disable TLS1.3 0-RTT requests for non-GET."""
+    if request.headers.get("Early-Data", None) == "1" and request.method != "GET":
+        raise fastapi.HTTPException(status_code=425, detail="Too early")
+
+
+app = FastAPI(
+    docs_url=None, redoc_url=None, dependencies=[Depends(_check_0rtt_early_data)]
+)
 app.mount(
     "/custom_emoji",
     StaticFiles(directory="data/custom_emoji"),