Use secret key for token middleware signatures

[gocanto]

Summary

• sign canonical request using secret key
• update tests to sign requests with secret key

Testing

• go test ./... -count=1

---

https://chatgpt.com/codex/tasks/task_e_68baab767e7083338f0d513251f1e73e

Summary by CodeRabbit

• New Features
  • None
• Bug Fixes
  • Corrected request signature verification to use the proper secret, improving authentication accuracy and security. No client-facing API changes; ensure requests are signed with the account’s secret.
• Tests
  • Updated tests to validate secret-based signing and scenarios including key mismatch, signature tampering, nonce replay, and rate limiting.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

Token middleware verification switches local signature computation to use token.SecretKey. Corresponding tests now sign requests with seed.SecretKey instead of seed.PublicKey. Test helper parameters and calls are updated to reflect secret-based signing. No public APIs changed.

Changes

Cohort / File(s)	Summary of Changes
Middleware signature key update pkg/middleware/token_middleware.go	Compute local signature with token.SecretKey (was token.PublicKey); updated inline comment. Other logic unchanged.
Test helper and primary tests updated to sign with secret pkg/middleware/token_middleware_test.go	Helper makeSignedRequest now accepts secret and uses it to compute X-API-Signature. All call sites updated from seed.PublicKey to seed.SecretKey.
Additional tests aligned to secret-based signing pkg/middleware/token_middleware_additional_test.go	Test cases now sign with seed.SecretKey. Public key remains in params where mismatch is intended. Minor indentation changes only.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant M as TokenMiddleware
  participant S as SignatureVerifier

  C->>M: HTTP request with headers<br/>X-API-Key, X-API-Nonce, X-API-Signature
  M->>M: Canonicalize request
  M->>S: Compute local HMAC using token.SecretKey
  S-->>M: localSignature
  M->>M: Constant-time compare(localSignature, headerSignature)
  alt Signature valid and nonce fresh
    M-->>C: Forward to next handler
  else Signature invalid or nonce replay
    M-->>C: 401/403 error response
  end

  note over M,S: Change: use SecretKey for local signature computation

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• chore: CLI tests + auth schema constants #80: Reverts prior test changes to sign with the account secret key; touches the same test helpers updated here.
• chore: better token middleware + format #77: Modifies token middleware signing/verification logic in the same area as this change.

Poem

A whisk of keys, a secret kept tight,
I hop through headers by moonlit night.
Nonces fresh, signatures true,
Public to secret—now rightly we do.
Thump-thump, approved, the gateway sings—
Onward I bound, with trusted wings. 🐇✨

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between d4f46b2 and dd2bec4.

📒 Files selected for processing (3)

• pkg/middleware/token_middleware.go (1 hunks)
• pkg/middleware/token_middleware_additional_test.go (4 hunks)
• pkg/middleware/token_middleware_test.go (6 hunks)

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch codex/fix-tests-in-pull-request-83

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[gemini-code-assist]

Summary of Changes

Hello @gocanto, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a critical security enhancement by modifying the token authentication middleware to use a secret key for generating and verifying request signatures. Previously, the public key was mistakenly used for this purpose. The change ensures that the integrity of incoming requests is validated against a private credential, significantly strengthening the authentication mechanism. The accompanying test updates validate this new secure behavior.

Highlights

• Security Enhancement: The token middleware now correctly uses the SecretKey instead of the PublicKey to compute the local signature for canonical requests, significantly improving the security of token validation.
• Test Suite Update: All relevant test cases across token_middleware_additional_test.go and token_middleware_test.go have been updated to reflect this change, ensuring that requests are signed with the SecretKey in tests.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request correctly addresses a critical security vulnerability by using the secret key for signing and verifying API requests, instead of the public key. The change is implemented correctly in the middleware, and all associated tests have been updated to reflect this new logic. I've included a few minor comments regarding code formatting to ensure consistency with Go standards.

[gemini-code-assist]

The indentation for these new lines appears to be using spaces instead of tabs. The standard Go format (gofmt) uses tabs for indentation. Please run gofmt on the file to fix the formatting for consistency.

Suggested change

	// Compute local signature over canonical request using the account's secret key
	// and compare in constant time (hash to fixed-length first)
	localSignature := auth.CreateSignatureFrom(canonical, token.SecretKey)
	// Compute local signature over canonical request using the account's secret key
	// and compare in constant time (hash to fixed-length first)
	localSignature := auth.CreateSignatureFrom(canonical, token.SecretKey)

[gemini-code-assist]

This line is indented with spaces instead of tabs. Please run gofmt on this file to ensure consistent formatting with the rest of the codebase. This issue is present on other new lines in this file as well.

Suggested change

	req := makeSignedRequest(t, http.MethodGet, "https://api.test.local/v1/x", "", seed.AccountName, "wrong-"+seed.PublicKey, seed.SecretKey, time.Now(), "nonce-mm", "req-mm")
	req := makeSignedRequest(t, http.MethodGet, "https://api.test.local/v1/x", "", seed.AccountName, "wrong-"+seed.PublicKey, seed.SecretKey, time.Now(), "nonce-mm", "req-mm")

[gemini-code-assist]

These lines are indented with spaces instead of tabs. Please run gofmt on this file to ensure consistent formatting. This issue appears on other new lines in this file as well.

Suggested change

	canonical := portal.BuildCanonical(method, req.URL, account, public, req.Header.Get("X-API-Timestamp"), nonce, bodyHash)
	sig := auth.CreateSignatureFrom(canonical, secret)
	canonical := portal.BuildCanonical(method, req.URL, account, public, req.Header.Get("X-API-Timestamp"), nonce, bodyHash)
	sig := auth.CreateSignatureFrom(canonical, secret)