Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[feature] Try HTTP signature validation with and without query params for incoming requests #2591

Merged
merged 3 commits into from
Jan 31, 2024
Merged

[feature] Try HTTP signature validation with and without query params for incoming requests #2591

merged 3 commits into from
Jan 31, 2024

Conversation

tsmethurst
Copy link
Contributor

Description

If this is a code change, please include a summary of what you've coded, and link to the issue(s) it closes/implements.

If this is a documentation change, please briefly describe what you've changed and why.

This pull request addresses the first part of #894 by implementing code to fall back to excluding query params when validating incoming HTTP signatures. The "default" first-attempt behavior (including query params when reassembling signature strings) remains the same.

Checklist

Please put an x inside each checkbox to indicate that you've read and followed it: [ ] -> [x]

If this is a documentation change, only the first checkbox must be filled (you can delete the others if you want).

  • I/we have read the GoToSocial contribution guidelines.
  • I/we have discussed the proposed changes already, either in an issue on the repository, or in the Matrix chat.
  • I/we have performed a self-review of added code.
  • I/we have written code that is legible and maintainable by others.
  • I/we have commented the added code, particularly in hard-to-understand areas.
  • I/we have made any necessary changes to documentation.
  • I/we have added tests that cover new code.
  • I/we have run tests and they pass locally with the changes.
  • I/we have run go fmt ./... and golangci-lint run.

@daenney
Copy link
Member

daenney commented Jan 31, 2024

The one thing maybe worth considering here is caching which of the two verify schemes worked for a domain, so we don't always have to try both for a particular domain if it happens to want the second scheme.

@NyaaaWhatsUpDoc NyaaaWhatsUpDoc merged commit b614d33 into main Jan 31, 2024
2 checks passed
@NyaaaWhatsUpDoc NyaaaWhatsUpDoc deleted the http_sig_try_both_types branch January 31, 2024 14:15
@NyaaaWhatsUpDoc
Copy link
Member

NyaaaWhatsUpDoc commented Jan 31, 2024
edited
Loading

The one thing maybe worth considering here is caching which of the two verify schemes worked for a domain, so we don't always have to try both for a particular domain if it happens to want the second scheme.

have squerged for now as i think compared to the other side of attempting both times of httpsigs this is less of a priority, at least re: tobi being able to get on with the other Move work. though definitely a low-hanging fruit performance gain

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@daenney daenney daenney approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@tsmethurst @daenney @NyaaaWhatsUpDoc