feat: add optional Web Bot Authentication support #49

Merged: chaliy merged 2 commits into main from claude/add-bot-auth-support-Gemmz on Mar 26, 2026

@chaliy (Contributor) commented Mar 26, 2026

What

Add optional support for the Web Bot Authentication Architecture (draft-meunier-web-bot-auth-architecture). When enabled via the bot-auth Cargo feature, outgoing HTTP requests are signed with Ed25519 per RFC 9421, adding Signature, Signature-Input, and optionally Signature-Agent headers so origins can cryptographically verify bot identity.

Why

User-Agent strings are trivially spoofable. The Web Bot Auth draft provides a cryptographic alternative where bots sign requests with asymmetric keys, letting origins verify identity without shared secrets. This is increasingly relevant as more websites adopt bot authentication policies.

How

  • New bot_auth module (crates/fetchkit/src/bot_auth.rs) with BotAuthConfig, Ed25519 signing, JWK thumbprint (RFC 7638), and nonce generation
  • Feature-gated behind bot-auth Cargo feature to avoid pulling crypto deps (ed25519-dalek, base64, sha2, rand) by default
  • Wired into FetchOptions, ToolBuilder, Tool, and DefaultFetcher via #[cfg(feature = "bot-auth")]
  • CLI flags: --bot-auth-key (base64url Ed25519 seed) and --bot-auth-agent (FQDN for Signature-Agent)
  • Graceful failure: signing errors are logged as warnings; requests proceed unsigned

Risk

  • Low
  • Feature is opt-in (Cargo feature + explicit config). No change to default behavior.
  • All new dependencies have permissive licenses (MIT/Apache-2.0/BSD-3-Clause)

Checklist

  • Unit tests passed (8 bot_auth unit tests + signature verification test)
  • Integration tests passed (2 wiremock tests verifying headers on the wire)
  • Full workspace tests pass with and without the feature (255+ tests)
  • Documentation updated (docs/security.md)
  • Specs added (specs/bot-auth.md)
  • Threat model updated (specs/threat-model.md — new TM-AUTH category)
  • Clippy clean, fmt clean, docs build without warnings
  • Release build smoke passes
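
As an added illustration of what signing "per RFC 9421" in the description above involves (this is not code from the PR or from fetchkit): the sketch below builds the signature base that the Ed25519 key signs and applies the validity-window check an origin can use to limit replay. The struct and function names, the parameter order and the sample values are assumptions; the `tag="web-bot-auth"` parameter comes from the Web Bot Auth draft.

```rust
// Added example, not fetchkit code. Names and sample values are constructed.

/// Parameters carried in Signature-Input (RFC 9421) for Web Bot Auth.
pub struct SigParams<'a> {
    pub created: u64,    // Unix seconds
    pub expires: u64,    // Unix seconds
    pub keyid: &'a str,  // JWK thumbprint (RFC 7638) of the Ed25519 public key
    pub nonce: &'a str,  // random per-request value
}

/// Covered components plus parameters; the same string goes in Signature-Input.
pub fn signature_params(p: &SigParams, with_agent: bool) -> String {
    let covered = if with_agent { "(\"@authority\" \"signature-agent\")" } else { "(\"@authority\")" };
    format!("{};created={};expires={};keyid=\"{}\";nonce=\"{}\";tag=\"web-bot-auth\"",
            covered, p.created, p.expires, p.keyid, p.nonce)
}

/// The exact string whose bytes are signed. `authority` is host[:port] with the
/// default port omitted; `agent` is the Signature-Agent field value as sent.
pub fn signature_base(authority: &str, agent: Option<&str>, p: &SigParams) -> String {
    let mut base = format!("\"@authority\": {}\n", authority.to_ascii_lowercase());
    if let Some(a) = agent {
        base.push_str(&format!("\"signature-agent\": {}\n", a));
    }
    base.push_str(&format!("\"@signature-params\": {}", signature_params(p, agent.is_some())));
    base
}

/// Origin-side replay limit: reject future-dated, expired, or long-lived
/// signatures. `max_lifetime` and `skew` are local policy (assumed values).
pub fn is_fresh(p: &SigParams, now: u64, max_lifetime: u64, skew: u64) -> bool {
    p.created <= now.saturating_add(skew)
        && now < p.expires
        && p.expires > p.created
        && p.expires - p.created <= max_lifetime
}

fn main() {
    let p = SigParams { created: 1735689600, expires: 1735689660,
                        keyid: "EXAMPLE-THUMBPRINT", nonce: "EXAMPLE-NONCE" };
    println!("{}", signature_base("Example.COM", Some("\"https://bot.example\""), &p));
    println!("fresh: {}", is_fresh(&p, 1735689630, 300, 5));
}
```

A verifier rebuilds this string from the received request and checks the Ed25519 signature over it with the public key that matches `keyid`.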

chaliy added 2 commits March 26, 2026 04:53
Implement draft-meunier-web-bot-auth-architecture behind the `bot-auth`
Cargo feature. When enabled, outgoing HTTP requests are signed with
Ed25519 per RFC 9421, adding Signature, Signature-Input, and optionally
Signature-Agent headers so origins can cryptographically verify bot
identity.

Key additions:
- bot_auth module with BotAuthConfig, signing logic, JWK thumbprint
- Feature-gated integration into FetchOptions, ToolBuilder, DefaultFetcher
- CLI flags: --bot-auth-key and --bot-auth-agent
- Spec (specs/bot-auth.md), docs, and comprehensive tests

Add TM-AUTH category covering key material handling, signature replay,
scope binding, weak seeds, and graceful failure. Update security
controls matrix and caller responsibilities.
@chaliy chaliy merged commit 3907cd5 into main Mar 26, 2026
10 checks passed
@chaliy chaliy deleted the claude/add-bot-auth-support-Gemmz branch March 26, 2026 12:58