Release v1.0.0 of web-bot-auth crates #66
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
generation This change amends the `http-signature-dir` to print an error log whendirectories mistakenly sign `@authority` without the `req` parameter. It fixes a bug with the example signature agent card generation where only the host component was used to sign `@authority`, rather than the full host and port pair (i.e. the _actual_ authority component). This led to verifiers being unable to verify generated signatures. It fixes some minor comments and superfluous Github Actions changes, and does some basic refactoring to make the logic a bit more straightforward in the example. Importantly, it also adds the `alg` parameter in generated signatures - this is in line with the opinionated signing we do, whereby other elements normal to web bot auth are also enforced for arbitrary HTTP signatures.
AkshatM
force-pushed
the
akshat/release-1.0.0
branch
4 times, most recently
from
b18d91c to
b044e22
Compare
These include some pretty significant and breaking changes: 1. Dependency on `time` library is now required instead of `std::time` for all API users. As a bonus, however, we gain support on Cloudflare Workers as well as removal of a class of errors related to system clocks and `created` / `expires` parsing. 2. A number of constructs were removed: `WebBotAuthSignedMessage`, `SignedMessage::fetch_all_signature_headers` and `SignedMessage::fetch_all_signature_inputs`. The library now exposes a single method to look up components to verify. 3. `Signature-Agent` can now be parsed as a dictionary, but retains support for being parsed as a raw string. 4. It enforces use of `req` parameter in `http-message-dir`. This is in line with the specification, but can break verification of existing sites. These changes are sufficiently breaking enough to justify using semver bump. I also removed the pin to Rust v1.87 in the Github Actions handler. This ensures we're building against the latest available Rust version.
AkshatM
force-pushed
the
akshat/release-1.0.0
branch
from
b044e22 to
e57d395
Compare
thibmeu
reviewed
Dec 18, 2025
| resolver = "2" | ||
|
|
||
| [workspace.package] | ||
| version = "0.5.1" |
Collaborator
There was a problem hiding this comment.
given the spec is still evolving, I'd rather cut 0.6.0
thibmeu
reviewed
Dec 18, 2025
Collaborator
thibmeu
left a comment
thibmeu
left a comment
There was a problem hiding this comment.
overall ok. need to move to 0.6.0 instead I think
thibmeu
reviewed
Dec 18, 2025
Comment on lines
-52
to
-53
| - run: cargo build --all --verbose --exclude plexi-cli --all-features --tests | ||
| - run: cargo build --all --verbose --exclude plexi-cli --exclude http-signature-directory --all-features --tests --target wasm32-unknown-unknown |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Release v1.0.0 of web-bot-auth crates
These include some pretty significant and breaking changes:
Dependency on
timelibrary is now required instead ofstd::timefor all API users. As a bonus, however, we gain support on Cloudflare
Workers as well as removal of a class of errors related to system
clocks and
created/expiresparsing.A number of constructs were removed:
WebBotAuthSignedMessage,SignedMessage::fetch_all_signature_headersandSignedMessage::fetch_all_signature_inputs. The library now exposesa single method to look up components to verify.
Signature-Agentcan now be parsed as a dictionary, but retainssupport for being parsed as a raw string.
It enforces use of
reqparameter for@authorityinhttp-message-dir. This is inline with the specification, but can break verification of existing
sites.
These changes are sufficiently breaking enough to justify using semver
bump.
Make
@authority;reqerrors more prominent + fix example signature generationThis change amends the
http-signature-dirto print an error logwhendirectories mistakenly sign
@authoritywithout thereqparameter.
It fixes a bug with the example signature agent card generation where
only the host component was used to sign
@authority, rather than thefull host and port pair (i.e. the actual authority component). This
led to verifiers being unable to verify generated signatures.
It fixes some minor comments and superfluous Github Actions changes,
and does some basic refactoring to make the logic a bit more
straightforward in the example. Importantly, it also adds the
algparameter in generated signatures - this is in line with theopinionated signing we do, whereby other elements normal to web bot auth
are also enforced for arbitrary HTTP signatures.
I also removed the pin on Rust v1.87 in Github Actions, this way we always test against
the latest Rust version.