http_signature 1.3.1 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bcc1de3b03efae4926bf2dcbd2b8b6ee628691b6aa1044fbefe59f76dadb3264
-  data.tar.gz: f86411fa7e90f74067e74e38dbdbd75ab377a47a9a9cbef3b87289298bff8baf
+  metadata.gz: 6e13e2dd019cbe8bc7359f1b49cfcd16bd3bb0e11818c7a4709a5892e7a9b362
+  data.tar.gz: 5879cc1525680c68286539b73d7091cdac20218727128af6e42cf2cff36e4c77
 SHA512:
-  metadata.gz: 69ce187ea87533cde9ad1978217f9852eeb12159a78dd37369ccdff76f92cfd2815f99953d623456f98fde87f2013749c7ddbe38ab35e40a5b74a9cf53abd320
-  data.tar.gz: 6f67d20c2ee63cfc2a5f97014d738ec0dcd39533bf7f84d405823dfdf3464edc42ec986c66fc6de92d0f293171882690d55b3fa19bb799c139e641ea13918ac2
+  metadata.gz: 69726bec8a75e3214a9d0c5b3f94f8d65e76c4c64746cc7ade2b11012f8d299d69ac33960f28feb486572702df2460f593cbcc04213f10bf42bd0706404763b8
+  data.tar.gz: e0c993df95150e6698faa87327a806262d7fd7f2141e70cae917dfa89f40ba018acbe721a4b7744b8a5af4ae3e3063fbe4427afbb35a562972de396a05d30acd

data/.github/dependabot.yml

@@ -0,0 +1,9 @@
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "bundler"
+    directory: "/"
+    schedule:
+      interval: "weekly"

data/AGENTS.md

@@ -18,4 +18,4 @@ Always run linters before commit
 - Update version number in lib/http_signature/version.rb
 - Run `bundle install`
 - Commit with message "Version x.x.x" and push
-- Create release on github with correct version tag
+- Create release on github with title "Version x.x.x", correct tag as "vx.x.x", e.g., v1.0.0, and auto generated notes

data/CLAUDE.md

@@ -0,0 +1 @@
+AGENTS.md

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    http_signature (1.3.1)
+    http_signature (1.4.0)
       base64
       starry (~> 0.2)
 
@@ -44,15 +44,26 @@ GEM
     concurrent-ruby (1.3.6)
     connection_pool (3.0.2)
     crass (1.0.6)
+    csv (3.3.5)
     docile (1.4.1)
     drb (2.2.3)
     erubi (1.13.1)
+    ethon (0.15.0)
+      ffi (>= 1.15.0)
+    excon (1.4.0)
+      logger
     faraday (2.14.1)
       faraday-net_http (>= 2.0, < 3.5)
       json
       logger
     faraday-net_http (3.4.2)
       net-http (~> 0.5)
+    ffi (1.17.3-arm64-darwin)
+    ffi (1.17.3-x86_64-linux-gnu)
+    httparty (0.24.2)
+      csv
+      mini_mime (>= 1.0.0)
+      multi_xml (>= 0.5.2)
     i18n (1.14.8)
       concurrent-ruby (~> 1.0)
     json (2.18.1)
@@ -62,8 +73,11 @@ GEM
     loofah (2.25.0)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
+    mini_mime (1.1.5)
     minitest (6.0.0)
       prism (~> 1.5)
+    multi_xml (0.8.1)
+      bigdecimal (>= 3.1, < 5)
     net-http (0.9.1)
       uri (>= 0.11.1)
     nokogiri (1.19.0-arm64-darwin)
@@ -71,10 +85,10 @@ GEM
     nokogiri (1.19.0-x86_64-linux-gnu)
       racc (~> 1.4)
     parallel (1.27.0)
-    parser (3.3.10.0)
+    parser (3.3.10.2)
       ast (~> 2.4.1)
       racc
-    prism (1.7.0)
+    prism (1.9.0)
     racc (1.8.1)
     rack (3.2.5)
     rack-session (2.1.1)
@@ -92,7 +106,7 @@ GEM
     rainbow (3.1.1)
     rake (13.3.1)
     regexp_parser (2.11.3)
-    rubocop (1.81.7)
+    rubocop (1.84.2)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -100,7 +114,7 @@ GEM
       parser (>= 3.3.0.2)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 2.9.3, < 3.0)
-      rubocop-ast (>= 1.47.1, < 2.0)
+      rubocop-ast (>= 1.49.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 4.0)
     rubocop-ast (1.49.0)
@@ -118,10 +132,10 @@ GEM
       simplecov_json_formatter (~> 0.1)
     simplecov-html (0.13.2)
     simplecov_json_formatter (0.1.4)
-    standard (1.52.0)
+    standard (1.54.0)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.0)
-      rubocop (~> 1.81.7)
+      rubocop (~> 1.84.0)
       standard-custom (~> 1.0.0)
       standard-performance (~> 1.8)
     standard-custom (1.0.2)
@@ -132,6 +146,8 @@ GEM
       rubocop-performance (~> 1.26.0)
     starry (0.2.0)
       base64
+    typhoeus (1.5.0)
+      ethon (>= 0.9.0, < 0.16.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
     unicode-display_width (3.2.0)
@@ -147,13 +163,16 @@ PLATFORMS
 DEPENDENCIES
   actionpack (>= 6.1)
   bundler
+  excon
   faraday (>= 2.7)
   http_signature!
+  httparty
   minitest (>= 5.24)
   rack
   rake
   simplecov
   standard
+  typhoeus
 
 BUNDLED WITH
   4.0.2

data/README.md

@@ -1,15 +1,12 @@
 # HTTP Signature
 
-Create and validate HTTP Message Signatures per [RFC 9421](https://www.rfc-editor.org/rfc/rfc9421) using the `Signature-Input` and `Signature` headers.
+A Ruby gem for signing and verifying HTTP requests. You pick which parts of the request to sign (method, URL, headers, body), and the receiver can verify nothing was tampered with — and that it came from someone who holds the key.
 
-TL;DR: You specify what should be signed in `Signature-Input` with [components](https://www.rfc-editor.org/rfc/rfc9421#name-derived-components) and lowercase headers. And then the signature is in the `Signature` header
+Built on [RFC 9421](https://www.rfc-editor.org/rfc/rfc9421) (HTTP Message Signatures). Works with HMAC, RSA, ECDSA, and Ed25519.
 
-Example:
+When using a standard to sign your HTTP requests you don't need to write a custom implementation every time. There's [loads of libraries](https://httpsig.org/) across languages that's implementing it!
 
-```
-Signature-Input: sig1=("@method" "@target-uri" "date");created=1767816111;keyid="Test";alg="hmac-sha256"
-Signature: sig1=:7a1ajkE2rOu+gnW3WLZ4ZEcgCm3TfExmypM/giIgdM0=:
-```
+Use your favorite http clients to sign requests and your favorite frameworks to verify them, see [Outgoing request examples](#outgoing-request-examples) and [Incoming request examples](#incoming-request-examples)
 
 ## Installation
 
@@ -21,22 +18,29 @@ bundle add http_signature
 
 ### Create signature
 
-`HTTPSignature.create` returns both `Signature-Input` and `Signature` headers that you can include in your request.
+`HTTPSignature.create` returns `Signature-Input`, `Signature` and `Content-Digest` headers that you can include in your request.
 
-```ruby
-headers = { "date" => "Tue, 20 Apr 2021 02:07:55 GMT" }
+This example will sign:
+- The whole `url` string: `https://example.com/foo?pet=dog`
+- The HTTP method: `POST`
+- The headers `Content-Type` and `Content-Digest`
+- The body, which is in the `Content-Digest` header and is automatically generated when a body is provided
 
-sig_headers = HTTPSignature.create(
+```ruby
+HTTPSignature.create(
   url: "https://example.com/foo?pet=dog",
-  method: :get,
-  key_id: "Test",
+  method: :post,
+  key_id: "key-1",
   key: "secret",
-  headers: headers,
-  components: %w[@method @target-uri date]
+  headers: {"Content-Type" => "application/json"},
+  body: {payload: {foo: "bar"}}.to_json,
+  components: %w[@method @target-uri content-type content-digest]
 )
-
-request["Signature-Input"] = sig_headers["Signature-Input"]
-request["Signature"] = sig_headers["Signature"]
+# =>
+# {"Signature-Input" =>
+#   "sig1=(\"@method\" \"@target-uri\" \"content-type\" \"content-digest\");created=1772541832;keyid=\"key-1\";alg=\"hmac-sha256\"",
+#  "Signature" => "sig1=:5ij6rnnwS9oOtu78zU4yBFy9uL3ItXM7ug368cJZuTU=:",
+#  "Content-Digest" => "sha-256=:zWToMIpmVcAx10/ZGOrMzi7HQyUBat/TskigQnncEQ8=:"}
 ```
 #### All options
 
@@ -254,37 +258,35 @@ end
 
 ## Outgoing request examples
 
-### NET::HTTP
+### Net::HTTP
 
 ```ruby
 require "net/http"
 require "http_signature"
 
 uri = URI("http://example.com/hello")
+body = {name: "World"}.to_json
+headers = {"Content-Type" => "application/json"}
 
-Net::HTTP.start(uri.host, uri.port) do |http|
-  request = Net::HTTP::Get.new(uri)
-
-  sig_headers = HTTPSignature.create(
-    url: request.uri,
-    method: request.method,
-    headers: request.each_header.map { |k, v| [k, v] }.to_h,
-    key: "MYSECRETKEY",
-    key_id: "KEY_1",
-    algorithm: "hmac-sha256",
-    body: request.body || ""
-  )
+sig_headers = HTTPSignature.create(
+  url: uri.to_s,
+  method: :post,
+  headers:,
+  key: "MYSECRETKEY",
+  key_id: "KEY_1",
+  body:
+)
 
-  request["Signature-Input"] = sig_headers["Signature-Input"]
-  request["Signature"] = sig_headers["Signature"]
+req = Net::HTTP::Post.new(uri)
+headers.merge(sig_headers).each { |k, v| req[k] = v }
+req.body = body
 
-  response = http.request(request) # Net::HTTPResponse
-end
+Net::HTTP.start(uri.host, uri.port) { |http| http.request(req) }
 ```
 
 ### Faraday
 
-As a faraday middleware
+As a Faraday middleware
 
 ```ruby
 require "http_signature/faraday"
@@ -292,17 +294,96 @@ require "http_signature/faraday"
 HTTPSignature::Faraday.key = "secret"
 HTTPSignature::Faraday.key_id = "key-1"
 
-Faraday.new("http://example.com") do |faraday|
-  faraday.use(HTTPSignature::Faraday)
-  faraday.adapter(Faraday.default_adapter)
+conn = Faraday.new("http://example.com") do |f|
+  f.use(HTTPSignature::Faraday)
+end
+
+# Requests will automatically include Signature-Input, Signature, and Content-Digest headers
+conn.post("/hello") do |req|
+  req.headers["Content-Type"] = "application/json"
+  req.body = {name: "World"}.to_json
+end
+```
+
+Example with setting params per request:
+
+```ruby
+conn = Faraday.new("http://example.com") do |f|
+  f.use(
+    HTTPSignature::Faraday,
+    key: "secret",
+    key_id: "key-1",
+    components: ["@method", "@target-uri", "content-type", "content-digest"]
+  )
 end
+```
+
+The middleware also accepts the params: `created:`, `expires:`, `nonce:`, `label:`, `algorithm:`, and `include_alg:`.
 
-# Now this request will contain the `Signature-Input` and `Signature` headers
-response = conn.get("/")
+### HTTParty
+
+```ruby
+require "httparty"
+require "http_signature"
+
+url = "http://example.com/hello"
+body = {name: "World"}.to_json
+headers = {"Content-Type" => "application/json"}
+
+sig_headers = HTTPSignature.create(
+  url:,
+  method: "POST",
+  headers:,
+  key: "MYSECRETKEY",
+  key_id: "KEY_1",
+  body:
+)
+
+HTTParty.post(url, body:, headers: headers.merge(sig_headers))
+```
+
+### Excon
+
+```ruby
+require "excon"
+require "http_signature"
+
+url = "http://example.com/hello"
+body = {name: "World"}.to_json
+headers = {"Content-Type" => "application/json"}
+
+sig_headers = HTTPSignature.create(
+  url:,
+  method: "POST",
+  headers:,
+  key: "MYSECRETKEY",
+  key_id: "KEY_1",
+  body:
+)
+
+Excon.post(url, headers: headers.merge(sig_headers), body:)
+```
+
+### Typhoeus
+
+```ruby
+require "typhoeus"
+require "http_signature"
+
+url = "http://example.com/hello"
+body = {name: "World"}.to_json
+headers = {"Content-Type" => "application/json"}
+
+sig_headers = HTTPSignature.create(
+  url:,
+  method: "POST",
+  headers:,
+  key: "MYSECRETKEY",
+  key_id: "KEY_1",
+  body:
+)
 
-# Request looking like:
-# Signature-Input: sig1=("@method" "@authority" "@target-uri" "date");created=...
-# Signature: sig1=:BASE64_SIGNATURE:
+Typhoeus.post(url, body:, headers: headers.merge(sig_headers))
 ```
 
 ## Incoming request examples

data/http_signature.gemspec

@@ -28,6 +28,9 @@ Gem::Specification.new do |spec|
   spec.add_development_dependency "standard"
   spec.add_development_dependency "simplecov"
   spec.add_development_dependency "actionpack", ">= 6.1"
+  spec.add_development_dependency "httparty"
+  spec.add_development_dependency "excon"
+  spec.add_development_dependency "typhoeus"
 
   spec.add_dependency "base64"
   spec.add_dependency "starry", "~> 0.2"

data/lib/http_signature/faraday.rb

@@ -8,8 +8,16 @@ class HTTPSignature::Faraday < Faraday::Middleware
     attr_accessor :key, :key_id
   end
 
+  def initialize(app, options = nil)
+    super(app)
+    @options = options || {}
+  end
+
   def call(env)
-    raise "key and key_id needs to be set" if self.class.key.nil? || self.class.key_id.nil?
+    options = merged_options(env)
+    key = options.fetch(:key, self.class.key)
+    key_id = options.fetch(:key_id, self.class.key_id)
+    raise "key and key_id needs to be set" if key.nil? || key_id.nil?
 
     body =
       if env[:body]&.respond_to?(:read)
@@ -20,19 +28,7 @@ class HTTPSignature::Faraday < Faraday::Middleware
         env[:body].to_s
       end
 
-    # Choose which headers to sign
-    filtered_headers = %w[Host Date Content-Digest]
-    headers_to_sign = env[:request_headers].select { |k, _v| filtered_headers.include?(k.to_s) }
-
-    signature_headers = HTTPSignature.create(
-      url: env[:url],
-      method: env[:method],
-      headers: headers_to_sign,
-      key: self.class.key,
-      key_id: self.class.key_id,
-      algorithm: "hmac-sha256",
-      body: body
-    )
+    signature_headers = HTTPSignature.create(**signature_options(env:, key:, key_id:, body:, options:))
 
     signature_headers.each do |header, value|
       env[:request_headers][header] = value
@@ -40,4 +36,32 @@ class HTTPSignature::Faraday < Faraday::Middleware
 
     @app.call(env)
   end
+
+  private
+
+  def merged_options(env)
+    request_options = env.request.context&.dig(:http_signature) || {}
+    @options.merge(request_options)
+  end
+
+  def signature_options(env:, key:, key_id:, body:, options:)
+    {
+      url: env[:url],
+      method: env[:method],
+      headers: env[:request_headers],
+      key:,
+      key_id:,
+      body:,
+      **create_options(options)
+    }.tap do |signature_options|
+      if options.key?(:components) && !options[:components].nil?
+        signature_options[:components] = options[:components]
+      end
+    end
+  end
+
+  def create_options(options)
+    options.slice(:created, :expires, :nonce, :label, :include_alg, :algorithm)
+      .reject { |_key, value| value.nil? }
+  end
 end

data/lib/http_signature/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module HTTPSignature
-  VERSION = "1.3.1"
+  VERSION = "1.4.0"
 end

data/lib/http_signature.rb

@@ -108,6 +108,8 @@ module HTTPSignature
 
     validate_components!(components)
 
+    had_content_digest = normalized_headers.key?("content-digest")
+
     normalized_headers =
       if components.include?("content-digest")
         ensure_content_digest(normalized_headers, body)
@@ -140,10 +142,16 @@ module HTTPSignature
     signature_bytes = sign(base_string, key: key, algorithm: algorithm_entry)
     signature_header = build_signature_header(label, signature_bytes)
 
-    {
+    result = {
       "Signature-Input" => signature_input_header,
       "Signature" => signature_header
     }
+
+    if !had_content_digest && normalized_headers["content-digest"]
+      result["Content-Digest"] = normalized_headers["content-digest"]
+    end
+
+    result
   end
 
   # Verify RFC 9421 Signature headers
@@ -154,7 +162,8 @@ module HTTPSignature
   # @param body [String] Request body (default: "")
   # @param key [String, OpenSSL::PKey::PKey, nil] Verification key. If nil, uses key_resolver or configured keys
   # @param key_resolver [Proc, nil] Callable that receives key_id and returns the key (default: nil)
-  # @param label [String] Signature label to verify (default: "sig1")
+  # @param label [String, nil] Signature label to verify. If nil, auto-detects
+  #   the first label from the Signature-Input header (default: nil)
   # @param query_string_params [Hash] Additional query params to merge into URL (default: {})
   # @param max_age [Integer, nil] Maximum signature age in seconds. Takes precedence over
   #   the expires timestamp in the signature (default: nil)
@@ -174,7 +183,7 @@ module HTTPSignature
     body: "",
     key: nil,
     key_resolver: nil,
-    label: DEFAULT_LABEL,
+    label: nil,
     query_string_params: {},
     max_age: nil,
     algorithm: nil,
@@ -191,6 +200,8 @@ module HTTPSignature
     signature_header = normalized_headers["signature"]
     raise SignatureError, "Signature headers are required for verification" unless signature_input_header && signature_header
 
+    label ||= detect_label(signature_input_header)
+
     parsed_input = parse_signature_input(signature_input_header, label)
     validate_components!(parsed_input[:components])
     parsed_signature = parse_signature(signature_header, label)
@@ -624,6 +635,16 @@ module HTTPSignature
     header.to_s.split(/,(?=[^,]+=)/).map(&:strip)
   end
 
+  def self.detect_label(signature_input_header)
+    entry = split_header(signature_input_header).first
+    raise SignatureError, "Signature-Input missing" unless entry
+
+    label = entry.split("=", 2).first
+    raise SignatureError, "Signature-Input missing" if label.nil? || label.empty?
+
+    label
+  end
+
   def self.key_from_store(key_id)
     return unless keys && key_id
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: http_signature
 version: !ruby/object:Gem::Version
-  version: 1.3.1
+  version: 1.4.0
 platform: ruby
 authors:
 - Joel Larsson
@@ -121,6 +121,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '6.1'
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: excon
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: typhoeus
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: base64
   requirement: !ruby/object:Gem::Requirement
@@ -156,12 +198,14 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/dependabot.yml"
 - ".github/workflows/ci.yml"
 - ".github/workflows/push_gem.yml"
 - ".github/workflows/standardrb.yml"
 - ".gitignore"
 - ".ruby-version"
 - AGENTS.md
+- CLAUDE.md
 - Gemfile
 - Gemfile.lock
 - README.md