GithubHelp home page GithubHelp logo

ynodir / httpsig Goto Github PK

View Code? Open in Web Editor NEW

This project forked from jbowes/httpsig

0.0 0.0 0.0 53 KB

HTTP Request Signing with ✨ STANDARDS ✨

License: BSD 3-Clause "New" or "Revised" License

Go 100.00%

httpsig's Introduction

httpsig

Standards-based HTTP request signing and verification for Go

Go Reference Alpha Quality Build Status BSD license codecov Go Report Card


Introduction

httpsig provides support for signing and verifying HTTP requests according to the HTTP Message Signatures draft standard. This standard focuses on signing headers and request paths, and you probably want to sign the request body too, so body digest calculation according to Digest Headers is included.

Signed HTTP requests are ideal for scenarios like sending webhooks, allowing recievers to securely verify the request came from your server, mitigate replay attacks, etc.

Contrary to the commonly-used x-hub-signature, The standards implemented by this package provide a signature of the entire request, including HTTP headers and the request path.

Usage

Signing HTTP Requests in Clients

To sign HTTP requests from a client, wrap an http.Client's transport with NewSignTransport:

client := http.Client{
	// Wrap the transport:
	Transport: httpsig.NewSignTransport(http.DefaultTransport,
		httpsig.WithSignEcdsaP256Sha256("key1", privKey)),
}

var buf bytes.Buffer

// construct body, etc
// ...

resp, err := client.Post("https://some-url.com", "application/json", &buf)
if err != nil {
	return
}
defer resp.Body.Close()

// ...

Verifying HTTP Requests in Servers

To verify HTTP requests on the server, wrap the http.Handlers you wish to protect with NewVerifyMiddleware. NewVerifyMiddleware returns the wrapping func, so you can reuse configuration across multiple handlers.

h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	io.WriteString(w, "Your request has an valid signature!")
})

middleware := httpsig.NewVerifyMiddleware(httpsig.WithVerifyEcdsaP256Sha256("key1", pubkey))
http.Handle("/", middleware(h))

For more usage examples and documentation, see the godoc refernce

The Big Feature Matrix

This implementation is based on version 06 of HTTP Message Signatures (draft-ietf-htttpbis-message-signatures-05 from 8 June 2021). Digest computation is based on version 05 of Digest Headers (draft-ietf-httpbis-digest-headers-05 from 13 April 2021).

Feature Notes
sign requests
verify requests
sign responses
verify responses
add expires to signature sorely needed
enforce expires in verify
@method component
@authority component
@scheme component
@target-uri component
@request-target component Semantics changed in draft-06, no longer recommented for use.
@path component
@query component Encoding handling is missing.
@query-params component
@status component
request-response binding
Accept-Signature header
create multiple signatures
verify from multiple signatures
rsa-pss-sha512
rsa-v1_5-sha256
hmac-sha256
ecdsa-p256-sha256
custom signature formats eddsa is not part of the spec, so custom support here would be nice!
JSON Web Signatures JWS doesn't support any additional algs, but it is part of the spec
Signature-Input as trailer Trailers can be dropped. accept for verification only.
Signature as trailer Trailers can be dropped. accept for verification only.
request digests
response digests Tricky to support for signature use according to the spec
multiple digests
digest: sha-256
digest: sha-512
digest: md5 Deprecated in the spec. Unlikely to be supported.
digest: sha Deprecated in the spec. Unlikely to be supported.
digest: unixsum
digest: unixcksum
digest: id-sha-512
digest: id-sha-256 id-* digests are more resilient for content-encoding support
custom digest formats

Contributing

I would love your help!

httpsig is still a work in progress. You can help by:

  • Opening a pull request to resolve an open issue.
  • Adding a feature or enhancement of your own! If it might be big, please open an issue first so we can discuss it.
  • Improving this README or adding other documentation to httpsig.
  • Letting me know if you're using httpsig.

Links

httpsig's People

Contributors

jbowes avatar c-nyuldashev avatar dependabot[bot] avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.