Auth over HTTP

⚠️ Warning: This is ONLY a proof of concept. It is NOT ready for production use. DO NOT USE THIS IN PRODUCTION.

This repo contains a proof of concept for HTTP Authentication for canisters. It showcases how to use HTTP Message Signatures to authenticate requests to a canister.

Advantages

Using HTTP Message Signatures instead of the custom authentication mechanism has the following advantages:

• Uses an IETF standard for authentication that does not require setting custom fields in the request body
• Removes the need of CBOR for encoding messages sent to and received from canisters. As a consequence:
  • Canisters can expose their API using their preferred standard (e.g. OpenAPI, gRPC, etc.)
  • Existing and widely adopted API standards (REST, GraphQL, etc.) can be used to interact with canisters, enabling popular tools and libraries to be used
  • Developing client and server side code is easy, as the requests and responses are standard HTTP requests and responses

Try It Out

The todo app example is available on mainnet at https://a5eh2-zqaaa-aaaac-qad2a-cai.icp0.io/

Components

Examples:

• todo-app: A simple todo app. The backend canister exposes the API using REST.

Packages:

• ic-http-auth: The canister side library for verifying HTTP Message Signatures
• http-auth-js: The client side library for sending signed HTTP requests to a canister
• insomnia-plugin-ic-http-auth: An Insomnia plugin for sending signed HTTP requests to a canister

Prerequisites

Make sure you have the following installed:

• pnpm
• dfx
• Rust

Run It Locally

After cloning the repository, install the dependencies:

pnpm i
dfx deps pull

Then, start the local network:

dfx start --background --clean

Then, deploy the canisters:

dfx deps deploy
dfx deploy

In the output, you will see a URL similar to http://<canister-id>.localhost:4943. Open this URL in your browser to see the todo app running locally.

Benchmarks

At the current state, the proof of concept verifies signatures of requests sent to the canister inside the canisters directly. Verifying canister signatures is

We use Canbench to benchmark the performance of some functions of the ic-http-auth package.

To run the benchmarks, first install the canbench CLI:

cargo install canbench

Then, run the benchmarks:

cd packages/ic-http-auth
canbench

The latest results can be found in the canbench_results.yml file.

Note: if you want to update the benchmarks results, you can run the benchmarks with the --persist flag:

canbench --persist

Contributing

Contributions are welcome! Please see the contribution guide for more information.

License

This project is licensed under the Apache-2.0 license.