mgomes / api_auth

HMAC authentication for Rails and HTTP Clients
MIT License

request_too_old? but no check for request_time_invalid? #126

Closed DiegoSalazar closed 7 years ago

DiegoSalazar commented 8 years ago

An API client of ours was implementing an HTTP client for our web service and in helping them get it right they finally succeeded in correctly constructing the signature, but the HTTP_DATE was a day in the future and the request authenticated successfully.

This raised the question of whether or not a more thorough invalid date check is needed.

Should the authentic? method check that a request is both not too old and not too new? Perhaps neither more than 15 minutes in the past and future?
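A freshness check of the kind proposed above, as an added example that is not ApiAuth's own code: it rejects a signed request whose HTTP Date header is either too old or too far in the future. The module name, the `classify` method and the 15-minute window are assumptions.

```ruby
require "time"

# Added example (not ApiAuth's implementation): classify the HTTP Date header
# of a signed request against a symmetric clock-skew window, so a header a day
# in the future is rejected just like one that is too old.
module RequestFreshness
  MAX_SKEW_SECONDS = 15 * 60  # hypothetical +/- 15 minute window from the issue

  # Returns one of :ok, :missing, :unparseable, :too_old, :too_new.
  # `now` is injectable so the check is deterministic in tests.
  def self.classify(date_header, now: Time.now.utc, max_skew: MAX_SKEW_SECONDS)
    return :missing if date_header.nil? || date_header.strip.empty?

    request_time =
      begin
        Time.httpdate(date_header)  # strict RFC 7231 HTTP-date parsing
      rescue ArgumentError
        return :unparseable
      end

    delta = now - request_time   # positive => header lies in the past
    return :too_old if delta > max_skew
    return :too_new if delta < -max_skew
    :ok
  end

  def self.fresh?(date_header, now: Time.now.utc, max_skew: MAX_SKEW_SECONDS)
    classify(date_header, now: now, max_skew: max_skew) == :ok
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample headers relative to a fixed clock.
  now = Time.utc(2016, 1, 1, 12, 0, 0)
  { "in window"   => (now - 60).httpdate,
    "a day ahead" => (now + 86_400).httpdate,
    "16 min old"  => (now - 16 * 60).httpdate }.each do |label, hdr|
    puts "#{label.ljust(12)} #{hdr} => #{RequestFreshness.classify(hdr, now: now)}"
  end
end
```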

kjg commented 7 years ago

Thanks for bringing this up! Yes, this should probably be addressed and #119 has already started on it.