Add /v0/api/verify #57
Conversation
It allows to get a shorthand to validate a signature, instead of parsing the HTML page that is targetted at browsers. In addition, this commit adds support to read signature-agent
| `${parsed}${HTTP_MESSAGE_SIGNATURES_DIRECTORY}` | ||
| ).then((r) => r.json()); | ||
| } else { | ||
| directory = await getDirectory(); |
There was a problem hiding this comment.
nit: I would rename getDirectory() to getExampleDirectory() or similar and the import jwk from ... on the top to import exampleJwk from
| console.error( | ||
| `Failed to validate Signature-Agent header: ${signatureAgent}` | ||
| ); | ||
| return SignatureValidationStatus.INVALID; |
There was a problem hiding this comment.
I don't know how much you want to get into such error reporting but it would be very helpful for debugging to return the reason of the failure back in the response body. Essentially printing out the message of the exception if something fails.
There was a problem hiding this comment.
i've updated the code so that it returns invalid: <error.message>, when a message is present. validation is very much "does it succeed". it could be refined to provide clearer error message
note that you should be able to run the code locally with npm run dev
|
Thank you @thibmeu for the quick update to help users debug webbotauth, I really appreciate it! |
Rename getDirectory to getExampleDirectory Return the error when signature validation fails Simplify fetching signature agent branch
|
@sandormajor thanks for the fast turnaround on the review. i've updated the code accordingly. |
sandormajor
left a comment
sandormajor
left a comment
There was a problem hiding this comment.
Thanks @thibmeu looks great!
| // make "some" validatation of the Signature-Agent header before making a request | ||
| let parsed: string; | ||
| try { | ||
| parsed = JSON.parse(signatureAgent); |
There was a problem hiding this comment.
This line will try parsing "https://..." from the Signature-Agent header as JSON, and going to fail.
There was a problem hiding this comment.
Signature-Agent is a structured string (Section 3.3.3 of RFC8941), meaning the header will be Signature-Agent: "https://example.com"
So what's being passed to fetchDirectory method is "https://example.com" (literal, with the quotes)
This would result in the following execution
signatureAgent = `"https://example.com"`
parsed = JSON.parse(signatureAgent)
// parsed === "https://example.com"This would have to be updated following thibmeu/http-message-signatures-directory#71, but is OK for now
There was a problem hiding this comment.
Thanks Thibault, I totally missed the quotes around it :)
2 participants
It allows to get a shorthand to validate a signature, instead of parsing the HTML page that is targetted at browsers.
Available at https://http-message-signatures-example.research.cloudflare.com/
In addition, this commit adds support to read signature-agent (only https: scheme)
Note: that commit does not add the endpoint in the documentation yet
fyi @sandormajor