reject files with 10+ seconds in the future

because nobody who lets their time get that out of date nowadays is being honest

trying to make their post stick, are they?

cmd/realy/app/implementation.go

@@ -7,6 +7,7 @@ import (
 	"strconv"
 	"strings"
 	"sync"
+	"time"
 
 	"realy.lol/context"
 	"realy.lol/ec/schnorr"
@@ -72,6 +73,11 @@ func (r *Relay) AcceptEvent(c cx, evt *event.T, hr *http.Request, origin st,
 	if !r.AuthEnabled() {
 		return true, "", nil
 	}
+	if evt.CreatedAt.I64()-10 > time.Now().Unix() {
+		return false,
+			"realy does not accept timestamps that are so obviously fake, fix your clock",
+			nil
+	}
 	if len(authedPubkey) != 32 {
 		return false, fmt.Sprintf("client not authed with auth required %s", origin), nil
 	}

realy/version

@@ -1 +1 @@
-v1.2.31
+v1.2.32