Maturing the API + adding verification #20

Closed
dhensby opened this issue Sep 16, 2022 · 2 comments
Comments

dhensby (Owner) commented Sep 16, 2022

Maturing the API

In my mind the goal of this library is clear: the library should aim to deal with only HTTP Signatures and not deal with other issues that are related to, but not directly part of, the signature. This means there should be no attempts made to do things like calculate or verify digest headers, nor attempt to worry about validating other parts of HTTP requests/responses except the HTTP signature header(s).

This means there is no longer any need to worry about the body that will be passed to the HTTP request or that comes from the HTTP response. The only parts of a request that we are concerned with are the headers, absolute URL, and method. All components for a request signature can be derived from these parts alone.

At the moment the support for complex headers and components is limited, for example query parameters are not currently supported. The introduction of the structured-headers library should greatly help in this regard as the parsing of headers is not as straightforward as it may seem.

It should also be possible to add request-response binding to signatures.

Verification of signatures

At the moment verification of headers is completely missing from the library. This feature should be added.

Both key lookup and signature verification should be asynchronous.

Verification, like generation, of signatures does not require the full response, just the headers and status code. Further, to enable request-response binding the verifier needs access to the original request as well.

New requirements

Given the need to support request/response binding, it makes sense that there are separate functions for signing/verifying requests and responses. At the moment there is an attempt to unify these use-cases in single functions, but that feels like the API is less clear and the code base needs to work in extra checks to be able to infer what is going on.

Therefore we need 4 distinct pieces of functionality:

  1. Sign requests
  2. Verify requests
  3. Sign responses (with request binding)
  4. Verify responses (with request binding)

Compatibility

The library aims to be compatible with built-in Node requests and other popular libraries like axios, and should be simple to implement in an Express middleware.

@adrianhopebailie

> The introduction of the structured-headers library should greatly help in this regard as the parsing of headers is not as straightforward as it may seem.

The latest release of structured-headers is ready to pull in as a dependency now and replace the existing parsing and serialisation logic.

dhensby (Owner, Author) commented Aug 3, 2023

closed by #27

dhensby closed this as completed Aug 3, 2023