Sign auth HMAC over request bodies #207
Require authenticated gRPC requests to bind the HMAC to both the timestamp and the request body. This prevents a valid header from being replayed with different request contents during the allowed timestamp window. Update the client and docs so callers generate signatures that match the new server contract.
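To make the replay concrete, here is an added example (not the project's code, written in Python rather than the project's Rust so it runs with only the standard library) that implements both sides of the contract described above: the client signs the timestamp together with the body, and the server recomputes the MAC over the bytes it actually received, checks the timestamp window, and compares in constant time. It also keeps the old timestamp-only check behind a flag so the replay-with-a-different-body problem can be shown directly. The message layout (8-byte big-endian timestamp followed by the raw body), the hex-encoded HMAC-SHA256 output, the header names `x-timestamp`/`x-hmac`, the 60-second window and the body size cap are all assumptions, not values from the PR.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumptions (not from the PR): signed message = 8-byte big-endian timestamp
# || raw body bytes; signature = hex HMAC-SHA256; headers x-timestamp / x-hmac;
# the server accepts timestamps within ALLOWED_SKEW_SECS of its own clock.
ALLOWED_SKEW_SECS = 60
MAX_BODY_BYTES = 64 * 1024  # stands in for the size-limited body read in the PR


def compute_auth_hmac(api_key: str, timestamp: int, body: bytes) -> str:
    """New contract: the MAC covers both the timestamp and the body."""
    msg = timestamp.to_bytes(8, "big") + body
    return hmac.new(api_key.encode(), msg, hashlib.sha256).hexdigest()


def compute_timestamp_only_hmac(api_key: str, timestamp: int) -> str:
    """Old contract (what the PR replaces): the MAC covers the timestamp only."""
    msg = timestamp.to_bytes(8, "big")
    return hmac.new(api_key.encode(), msg, hashlib.sha256).hexdigest()


def sign_request(api_key: str, body: bytes, now: Optional[int] = None) -> dict:
    """Client side: produce the auth headers for one request body."""
    ts = int(time.time()) if now is None else now
    return {"x-timestamp": str(ts), "x-hmac": compute_auth_hmac(api_key, ts, body)}


def verify_request(api_key: str, headers: dict, body: bytes, now: int,
                   bind_body: bool = True) -> Tuple[bool, str]:
    """Server side. Returns (accepted, reason).

    bind_body=False reproduces the old timestamp-only check so the replay the
    PR description talks about can be demonstrated.
    """
    # The body has to be read before it can be authenticated, so cap its size
    # (the PR does this with a limited body reader) before doing anything else.
    if len(body) > MAX_BODY_BYTES:
        return False, "body_too_large"
    try:
        ts = int(headers["x-timestamp"])
        presented = headers["x-hmac"]
    except (KeyError, ValueError):
        return False, "missing_or_malformed_header"
    if abs(now - ts) > ALLOWED_SKEW_SECS:
        return False, "stale_timestamp"
    expected = (compute_auth_hmac(api_key, ts, body) if bind_body
                else compute_timestamp_only_hmac(api_key, ts))
    # Constant-time comparison so the check does not leak how many leading
    # characters of the presented MAC were correct.
    if not hmac.compare_digest(expected, presented):
        return False, "bad_signature"
    return True, "ok"


def replay_with_other_body(api_key: str, now: int, bind_body: bool) -> Tuple[bool, str]:
    """Take a valid (timestamp, hmac) pair issued for one body and present it
    with a different body a few seconds later, inside the timestamp window."""
    captured = sign_request(api_key, b'{"action":"list"}', now)
    if not bind_body:
        # Under the old scheme the captured header was timestamp-only.
        captured = {"x-timestamp": captured["x-timestamp"],
                    "x-hmac": compute_timestamp_only_hmac(api_key, now)}
    return verify_request(api_key, captured, b'{"action":"delete"}', now + 5,
                          bind_body=bind_body)


if __name__ == "__main__":
    key = "constructed-api-key"  # constructed sample value
    now = 1_700_000_000
    print("old contract, swapped body:", replay_with_other_body(key, now, False))
    print("new contract, swapped body:", replay_with_other_body(key, now, True))
```

Run it stand-alone and the old contract reports `(True, 'ok')` for the swapped body while the new one reports `(False, 'bad_signature')`, which is exactly the gap the PR closes. Two design points worth keeping when porting this: the length-prefixed (here fixed-width) timestamp avoids ambiguity between timestamp and body bytes, and the body must be bounded before it is read since the MAC cannot be checked until the whole body is in memory.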
```rust
let bytes = match limited_body.collect().await {
    Ok(collected) => collected.to_bytes(),
    Err(_) => {
        return Err(GrpcStatus::new(
```
Maybe worthwhile logging instead of discarding the error?
No, logging an error here pre-auth would introduce a potential DoS vector, as a malicious client could craft messages that fail to decode, hence spamming our logs.
```rust
fn compute_hmac(api_key: &str, timestamp: u64, body: &[u8]) -> String {
    compute_auth_hmac(api_key, timestamp, body).to_string()
}
```
Originally didn't do this to keep things simpler, and we were exploring other auth options. Now that we seem to have settled on this for now, we may as well improve it.