Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(auth): validate content-digest header #777

Merged
merged 4 commits into from
Nov 29, 2022
Merged

feat(auth): validate content-digest header #777

merged 4 commits into from
Nov 29, 2022

Conversation

njlie
Copy link
Contributor

@njlie njlie commented Nov 22, 2022
edited
Loading

Changes proposed in this pull request

  • Adds Content-Digest generation to open-payments
  • Adds Content-Digest verification to auth

Context

Checklist

  • Related issues linked using fixes #number
  • Tests added/updated
  • Documentation added
  • Make sure that all checks pass

@github-actions github-actions bot added pkg: auth Changes in the GNAP auth package. pkg: open-payments type: source Changes business logic type: tests Testing related labels Nov 22, 2022
mkurapov
mkurapov reviewed Nov 23, 2022
View reviewed changes
Copy link
Contributor

@mkurapov mkurapov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

few comments

packages/open-payments/src/client/requests.ts Outdated
Comment on lines 154 to 155
runWhen: (config) =>
config.method === 'post' || !!config.headers['Authorization']
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could maybe just be a separate interceptor to avoid the OR?

Additionally, maybe config.method.toLower/UpperCase() to be safe?

packages/auth/src/signature/middleware.ts Outdated
(!sigInputComponents.includes('content-digest') ||
!verifyContentDigest(
JSON.stringify(ctx.request.body),
ctx.headers['content-digest'] as string
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

would probably err on the side of caution and check !!ctx.headers['content-digest'], verifyContentDigest might end up throwing an error that could bubble up in a weird way

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be good to pull out

(ctx.request.body &&
      Object.keys(ctx.request.body).length > 0 &&
      (!sigInputComponents.includes('content-digest') ||
        !verifyContentDigest(
          JSON.stringify(ctx.request.body),
          ctx.headers['content-digest'] as string
        )))

into its own fn/var

packages/auth/package.json
@@ -21,6 +21,7 @@
"@koa/router": "^12.0.0",
"ajv": "^8.11.0",
"axios": "^0.27.2",
"httpbis-digest-headers": "github:interledger/httpbis-digest-headers",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

how does this install work?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://pnpm.io/cli/add#install-from-git-repository
I don't think https://github.com/interledger/httpbis-digest-headers has been published to npm yet

@wilsonianb wilsonianb mentioned this pull request Nov 23, 2022
Merged
4 tasks
@njlie njlie force-pushed the nl-content-digest-validation branch from 6c138b0 to 1c9b3ab Compare November 28, 2022 20:49
@njlie njlie force-pushed the nl-content-digest-validation branch from 1c9b3ab to f60a2e2 Compare November 28, 2022 20:50
@njlie njlie requested review from wilsonianb and mkurapov November 28, 2022 21:10
wilsonianb
wilsonianb reviewed Nov 28, 2022
View reviewed changes
packages/open-payments/src/client/requests.ts Outdated
Comment on lines 153 to 160
axiosInstance.interceptors.request.use(interceptor, null, {
runWhen: (config) =>
config.method.toLowerCase() === 'post' ||
!!config.headers['Authorization']
})
axiosInstance.interceptors.request.use(interceptor, null, {
runWhen: (config) => !!config.headers['Authorization']
})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the interceptor would be run twice for POST requests with Authorization
https://github.com/axios/axios#multiple-interceptors

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds like we should just keep using one interceptor then

@njlie njlie requested a review from wilsonianb November 28, 2022 23:34
@njlie njlie merged commit a5c36d7 into main Nov 29, 2022
@njlie njlie deleted the nl-content-digest-validation branch November 29, 2022 19:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wilsonianb wilsonianb wilsonianb approved these changes

@sabineschaller sabineschaller Awaiting requested review from sabineschaller

@dclipp dclipp Awaiting requested review from dclipp

@mkurapov mkurapov Awaiting requested review from mkurapov

Assignees
No one assigned
Labels
pkg: auth Changes in the GNAP auth package. type: source Changes business logic type: tests Testing related
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Generate content-digest header Add content-digest verification to httpsig verification.
3 participants
@njlie @wilsonianb @mkurapov