Clarify optional timestamp validation in HMAC authentication

GrantBirki · GrantBirki · commit e0875503be32 · 2025-06-16T21:21:01.000-07:00
diff --git a/lib/hooks/plugins/auth/hmac.rb b/lib/hooks/plugins/auth/hmac.rb
@@ -162,6 +162,8 @@ def self.valid?(payload:, headers:, config:)
           end
 
           # Validate timestamp if required (for services that include timestamp validation)
+          # It should be noted that not all HMAC implementations require timestamp validation,
+          # so this is optional based on configuration.
           if validator_config[:timestamp_header]
             unless valid_timestamp?(normalized_headers, validator_config)
               log.warn("Auth::HMAC validation failed: Invalid timestamp")
