http_signature 0.1.0 → 1.0.1

data/lib/http_signature/faraday.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-require 'http_signature'
-require 'faraday'
+require "http_signature"
+require "faraday"
 
 class HTTPSignature::Faraday < Faraday::Middleware
   class << self
@@ -9,10 +9,10 @@ class HTTPSignature::Faraday < Faraday::Middleware
   end
 
   def call(env)
-    raise 'key and key_id needs to be set' if self.class.key.nil? || self.class.key_id.nil?
+    raise "key and key_id needs to be set" if self.class.key.nil? || self.class.key_id.nil?
 
     body =
-      if env[:body] && env[:body].respond_to?(:read)
+      if env[:body]&.respond_to?(:read)
         string = env[:body].read
         env[:body].rewind
         string
@@ -21,20 +21,22 @@ class HTTPSignature::Faraday < Faraday::Middleware
       end
 
     # Choose which headers to sign
-    filtered_headers = %w[Host Date Digest]
+    filtered_headers = %w[Host Date Content-Digest]
     headers_to_sign = env[:request_headers].select { |k, _v| filtered_headers.include?(k.to_s) }
 
-    signature = HTTPSignature.create(
+    signature_headers = HTTPSignature.create(
       url: env[:url],
       method: env[:method],
       headers: headers_to_sign,
       key: self.class.key,
       key_id: self.class.key_id,
-      algorithm: 'hmac-sha256',
+      algorithm: "hmac-sha256",
       body: body
     )
 
-    env[:request_headers]['Signature'] = signature
+    signature_headers.each do |header, value|
+      env[:request_headers][header] = value
+    end
 
     @app.call(env)
   end

data/lib/http_signature/rack.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-require 'http_signature'
+require "http_signature"
+require "rack"
 
 # Rack middleware using http-signature gem to validate signature on every incoming request
 class HTTPSignature::Rack
@@ -14,46 +15,38 @@ class HTTPSignature::Rack
   end
 
   def call(env)
-    request = Rack::Request.new(env)
+    request = ::Rack::Request.new(env)
 
     return @app.call(env) if path_excluded?(request.path)
 
-    return [401, {}, ['No signature header']] unless request.get_header("HTTP_SIGNATURE")
+    request_headers = parse_request_headers(request)
+    signature_input_header = request_headers["signature-input"]
+    signature_header = request_headers["signature"]
+    return [401, {}, ["No signature header"]] unless signature_input_header && signature_header
 
     begin
-      request_body = request.body.read
-      request_headers = parse_request_headers(request)
-      parsed_signature = parse_signature(request_headers)
-      key = HTTPSignature.key(parsed_signature['keyId'])
-    rescue
-      return [401, {}, ['Invalid signature :(']]
+      request_body =
+        if request.body
+          body_content = request.body.read
+          request.body.rewind if request.body.respond_to?(:rewind)
+          body_content
+        else
+          ""
+        end
+      valid_signature = HTTPSignature.valid?(
+        url: request.url,
+        method: request.request_method,
+        headers: request_headers,
+        body: request_body || "",
+        key_resolver: ->(key_id) { HTTPSignature.key(key_id) }
+      )
+    rescue HTTPSignature::SignatureError
+      return [401, {}, ["Invalid signature"]]
     end
 
-    headers_to_sign = request_headers.select { |k, v| parsed_signature['headers'].include?(k) }
+    return [401, {}, ["Invalid signature"]] unless valid_signature
 
-    params = {
-      url: request.path,
-      method: request.request_method,
-      headers: headers_to_sign,
-      key: key,
-      key_id: parsed_signature['keyId'],
-      algorithm: parsed_signature['algorithm'],
-      body: request_body ? request_body : '',
-      query_string_params: Rack::Utils.parse_nested_query(request.query_string)
-    }
-
-    valid_signature =
-      if parsed_signature['algorithm'].include?('rsa')
-        HTTPSignature.valid?(**params)
-      else
-        HTTPSignature.create(**params) == request_headers['signature']
-      end
-
-    if valid_signature
-      @app.call(env)
-    else
-      [401, {}, ['Invalid signature :(']]
-    end
+    @app.call(env)
   end
 
   private
@@ -62,27 +55,17 @@ class HTTPSignature::Rack
     request_headers = {}
 
     request.each_header do |header|
-      if header[0].include?('HTTP_') && header[0] != 'HTTP_VERSION'
-        request_headers[header[0].gsub('HTTP_', '').gsub("_", "-").downcase] = header[1]
+      if header[0].include?("HTTP_") && header[0] != "HTTP_VERSION"
+        request_headers[header[0].gsub("HTTP_", "").tr("_", "-").downcase] = header[1]
       end
     end
 
     request_headers
   end
 
-  def parse_signature(request_headers)
-    Rack::Utils.parse_nested_query(
-      request_headers['signature'].gsub(',', '&')
-    ).map do |k, v|
-      [k, v.tr('"', '')]
-    end.to_h
-  end
-
   def path_excluded?(path)
-    matches = self.class.exclude_paths.map do |exclude_path|
-      path.match(exclude_path).present?
+    self.class.exclude_paths.any? do |exclude_path|
+      !!path.match(exclude_path)
     end
-
-    matches.select { |v| v == true }.length.positive?
   end
 end

data/lib/http_signature/rails.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require "http_signature"
+require "action_controller"
+
+module HTTPSignature
+  module Rails
+    module Controller
+      extend ActiveSupport::Concern
+
+      private
+
+      # Use as a Rails before_action to enforce HTTP Message Signatures on an action.
+      def verify_http_signature!
+        request_headers = normalized_request_headers
+        signature_input_header = request_headers["signature-input"]
+        signature_header = request_headers["signature"]
+
+        return render status: :unauthorized, plain: "No signature header" unless signature_input_header && signature_header
+
+        request_body = read_request_body
+
+        valid_signature = HTTPSignature.valid?(
+          url: request.url,
+          method: request.request_method,
+          headers: request_headers,
+          body: request_body || "",
+          key_resolver: ->(key_id) { HTTPSignature.key(key_id) }
+        )
+
+        return if valid_signature
+
+        render status: :unauthorized, plain: "Invalid signature"
+      rescue HTTPSignature::SignatureError, ArgumentError
+        render status: :unauthorized, plain: "Invalid signature"
+      end
+
+      def normalized_request_headers
+        headers = {}
+
+        request.each_header do |key, value|
+          next unless key.start_with?("HTTP_")
+          next if key == "HTTP_VERSION"
+
+          canonical_key = key.sub("HTTP_", "").tr("_", "-").downcase
+          headers[canonical_key] = value
+        end
+
+        %w[CONTENT_TYPE CONTENT_LENGTH].each do |env_key|
+          next unless (value = request.get_header(env_key))
+
+          headers[env_key.downcase.tr("_", "-")] = value
+        end
+
+        headers
+      end
+
+      def read_request_body
+        return "" unless request.body
+
+        body_content = request.body.read
+        request.body.rewind if request.body.respond_to?(:rewind)
+        body_content
+      end
+    end
+  end
+end

data/lib/http_signature/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module HTTPSignature
-  VERSION = '0.1.0'
+  VERSION = "1.0.1"
 end