voltone

voltone

PlugSignature - Plug implementation of IETF HTTP signature draft specification

Plug for verifying request signatures according to the IETF HTTP signatures draft specification.

Supports the following algorithms:

  • “hs2019”, using ECDSA, RSASSA-PSS or HMAC
  • “rsa-sha256”, using RSASSA-PKCS1-v1_5
  • “ecdsa-sha256”
  • “hmac-sha256”
  • “rsa-sha1”, using RSASSA-PKCS1-v1_5

Hex: https://hex.pm/packages/plug_signature
Hexdocs: https://hexdocs.pm/plug_signature/
GitHub: https://github.com/voltone/plug_signature

Signing the request body requires use of the HTTP Digest header, which can be added through the following package:

Hex: https://hex.pm/packages/plug_body_digest
Hexdocs: https://hexdocs.pm/plug_body_digest/
GitHub: https://github.com/voltone/plug_body_digest

A very simple sample app using both plugs is available in the PlugSignature GitHub repo. This code also includes two client implementations (one in Elixir using Tesla, and one as a shell script using OpenSSL/cURL) for testing.

Most Liked

voltone

voltone

Leaving aside projects where the use of this standard is prescribed, e.g. due to integration or compliance requirements…

Compared to other authentication mechanisms that work at the HTTP layer, signatures offer a number of benefits:

  • Credentials are not transmitted on the wire, unlike Basic or Bearer auth; this is generally a good thing regardless of whether the channel is encrypted
  • It does not require a challenge/response roundtrip and keeping state on the server, unlike Digest auth
  • It verifies the integrity of selected parts of the HTTP request, preventing modification of those parts by intermediaries
  • Support for non-repudiation (except when using HMAC)
  • Private key never leaves the client, so it is less likely to leak compared to symmetrical credentials that need to be defined in client and server (again, does not apply to HMAC)

Compared to authentication at the TLS layer, e.g. a client certificate:

  • Does not impose requirements on TLS proxies (e.g. cloud load balancers)
  • Works with browser-based clients

Of course you could implement the whole thing in a higher layer, using HTTP only as a dumb pipe. I generally try to avoid pushing functionality up the stack, preferring to leverage the services of lower layers (in this case HTTP) and handling only my business logic in the application layer. This allows me to delegate things like authentication and authorisation (e.g. to Plugs or API gateways) without impacting my APIs.

As for headers being manipulated between client and server, this hasn’t been an issue for me: headers that are likely to be modified often do not require integrity protection. In earlier versions of the spec the Date header was included in the signature, to limit the signature validity, and this could be problematic (also for AJAX clients), but the latest drafts use the created/expires parameters of the signature header instead.

tangui

tangui

Hi Voltone,

Great work! I’m very curious about the use-case it solves, if it’s no secret. I remember having to choose between such a scheme and signed JWT (which transforms the JSON payload to a base64 payload, is heavier, etc.). We finally chose not using this HTTP signature mainly because of a host of proxies that would have inevitably modified some signed headers and lack of implementation.

Also, I see you support RSA with PSS padding. So far I thought it wasn’t supported by Erlang. That’s good news! Thanks for the code and comment that goes with it, I’ll you use it soon :slight_smile:

anthonator

anthonator

From the IETF draft:

When communicating over the Internet using the HTTP protocol, it can
be desirable for a server or client to authenticate the sender of a
particular message. It can also be desirable to ensure that the
message was not tampered with during transit. This document
describes a way for servers and clients to simultaneously add
authentication and message integrity to HTTP messages by using a
digital signature.

It looks like this is similar to how companies like Shopify and GitHub allow you to verify the content of a payload by signing the body of the HTTP request with a private/secret key. I’ve seen this used mostly with webhooks. Apologies if that’s incorrect.

Looks awesome though!

Where Next?

Popular in Announcing Top

tmbb
PhoenixWS - Websockets over Phoenix Channels Source code on Github here: GitHub - tmbb/phoenix_ws: Websockets implemented over Phoenix Ch...
New
mathieuprog
Hello :waving_hand: Allow me to introduce you to Tz, an alternative time zone database support to Tzdata. Why another library? First a...
New
ityonemo
Currently just starting out on a new mini-project - getting zig NIFs to run in elixir. https://github.com/ityonemo/zigler The idea here...
New
ostinelli
Let’s write a database! Well not really, but I think it’s a little sad that there doesn’t seem to be a simple in-memory distributed KV da...
New
restlessronin
The repo is at GitHub - cyberchitta/openai_ex: Community maintained Elixir library for OpenAI API · GitHub. Docs are at OpenaiEx User Gu...
152 10342 134
New
zorbash
I created Kitto a framework for dashboards inspired by Dashing. The distributed characteristics of Elixir and the low memory footprint...
New
nikokozak
Hello all, I’ve been working on Svonix - a library for quickly integrating Svelte components into Phoenix views. It’s a much-needed succ...
New
alisinabh
Hey everyone i’ve developed a library for Jalaali calendar for elixir which supports converting Gregorian dates to Jalaali and vice vers...
New
tmbb
I’ve decided to create this topic to discuss optimization possibilities for something like Phoenix LiveView. I’ve created this topic unde...
144 10462 141
New
wfgilman
I’ve cleaned up and open sourced three financial libraries I was using for my company. They are bindings for the APIs of these three comp...
New

Other popular topics Top

Harrisonl
We have an ECS cluster with 4 services, where each task joins a single cluster, via discovery ECS discovery service. Currently when I de...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
marius95
Hello everyone, I try to use an Javascript Event Handler in my root.html.leex file. Therefore I created a function in the app.js file: ...
New
skosch
To my knowledge, put_in, Map.update etc. all have the one limitation of not automatically creating intermediate keys when needed (for exa...
New
jerry
Good day to you all. I have been struggling to get a query involving like and ilike to work. Can anyone assist me on this, please? pro...
New
Emily
I have VueJS GUIs with the project generated using Webpack. I have Elixir modules that will need to be used by the VueJS GUIs. I forese...
New
AstonJ
We’ve put together this wiki for Phoenix LiveView - please feel free to add any info you feel is worth including. What is Phoenix LiveV...
New
JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1144 54120 245
New
jaysoifer
Is there a way to rollback a specific migration and only that one (“skipping” all the other ones)? Would mix ecto.rollback -v 200809061...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement