
fix(CBP-44874): Fix: Signature verification error with CBP/Unify API keys#52

Merged
ankurv02 merged 2 commits into
masterfrom
CBP-44874
May 12, 2026

Conversation

@ankurv02
Contributor

@ankurv02 ankurv02 commented May 12, 2026

CBP-44874: [rox-php] fails with "Failed to validate signature" error when using CBP/Unify API keys with custom RoxOptions

Customers using CloudBees Platform (Unify) UUID-format API keys experienced 'Failed to validate signature' errors when providing custom RoxOptions, because the backend doesn't send the signature_v0 field.

Root Causes:

  • Null pointer when accessing roxOptions without null check
  • CBP key auto-detection only worked without custom options
  • Unsafe array access to signature_v0 field

Solution:

  • Added null-safe check for roxOptions in ConfigurationParser
  • Auto-detect CBP keys at verification time (check API key format)
  • Added null coalescing for safe array access
  • Removed redundant setup-time CBP detection from Rox.php

@ankurv02 ankurv02 requested review from a team, AsafRollout and markawm May 12, 2026 07:10

@markawm markawm left a comment


[I don't know PHP at all, so high level review only!]

This works fine, but IIRC the general pattern in SDKs is to simply set the signature verification in RoxOptions, which avoids needing the SDK key as much. Looks like that was how it was working originally, but only if a RoxOptions was actually provided; don't we need to just always have a RoxOptions and set the signature verification in it (for a Unify SDK key)?

@ankurv02
Contributor Author

This works fine, but IIRC the general pattern in SDKs is to simply set the signature verification in RoxOptions, which avoids needing the SDK key as much. Looks like that was how it was working originally, but only if a RoxOptions was actually provided; don't we need to just always have a RoxOptions and set the signature verification in it (for a Unify SDK key)?

Other SDKs work because their options objects are mutable (you can set properties directly). PHP's RoxOptions is immutable, so if we wanted to do that we would need to use reflection like:

// Force the private flag on an immutable RoxOptions instance via reflection
if (ApiKeyHelpers::isCBPApiKey($apiKey) &&
    !$roxOptions->isSignatureDisabled()) {
    $reflection = new \ReflectionClass($roxOptions);
    $property = $reflection->getProperty('_disableSignatureVerification');
    $property->setAccessible(true);
    $property->setValue($roxOptions, true);  // Force mutate
}

Instead of using reflection (which feels hacky in PHP), I thought it's cleaner to check the API key directly when we actually need to verify the signature. wdyt?
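The verification-time approach described in the PR summary and in this reply, as an added example that is not rox-php's own code: the class name, the UUID regex used to recognise CBP keys, the `data` field, base64 signature encoding and RSA-SHA256 via OpenSSL are all assumptions; only `isSignatureDisabled()` and `signature_v0` come from the thread.

```php
<?php
// Added example, not rox-php's own code. SignatureCheck, the 'data' field,
// base64 signature encoding and RSA-SHA256 are stand-ins (assumptions).

final class SignatureCheck
{
    // CBP/Unify API keys are UUID-format (per the PR); the regex is assumed.
    public static function isCbpApiKey(string $apiKey): bool
    {
        $uuid = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';
        return preg_match($uuid, $apiKey) === 1;
    }

    // $config is the decoded backend JSON; $roxOptions may be null (no custom options).
    public static function verify(array $config, string $apiKey, ?object $roxOptions, string $publicKeyPem): bool
    {
        // Null-safe options access: only an explicit opt-out disables verification.
        $optOut = $roxOptions !== null && $roxOptions->isSignatureDisabled();
        // Detect CBP keys here, at verification time, instead of at setup.
        if ($optOut || self::isCbpApiKey($apiKey)) {
            return true; // the backend sends no signature_v0 for these keys
        }
        // Null coalescing: an absent field yields false, not a PHP warning or crash.
        $sig  = $config['signature_v0'] ?? null;
        $data = $config['data'] ?? null;
        if (!is_string($sig) || !is_string($data)) {
            return false; // legacy keys fail closed when the signature is missing
        }
        $raw = base64_decode($sig, true);
        $key = openssl_pkey_get_public($publicKeyPem);
        return $raw !== false && $key !== false
            && openssl_verify($data, $raw, $key, OPENSSL_ALGO_SHA256) === 1;
    }
}

// Constructed demo: a throwaway key pair and three payloads.
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub  = openssl_pkey_get_details($pair)['key'];
openssl_sign('{"flags":[]}', $sig, $pair, OPENSSL_ALGO_SHA256);
$signed   = ['data' => '{"flags":[]}', 'signature_v0' => base64_encode($sig)];
$unsigned = ['data' => '{"flags":[]}'];               // what CBP keys receive
$legacy   = 'legacykey1234567890';                    // constructed non-UUID key
$cbp      = '123e4567-e89b-12d3-a456-426614174000';   // constructed UUID key
var_dump(SignatureCheck::verify($signed,   $legacy, null, $pub));
var_dump(SignatureCheck::verify($unsigned, $cbp,    null, $pub));
var_dump(SignatureCheck::verify($unsigned, $legacy, null, $pub));
```

Only the last call returns false: skipping the check is tied to the key format the backend actually omits signatures for, so a legacy key whose payload lacks signature_v0 still fails closed.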

@ankurv02 ankurv02 merged commit 217e062 into master May 12, 2026
12 checks passed
