0.04
No commit activity in last 3 years
No release in over 3 years
There's a lot of open issues
Sign and verify HTTP messages
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Dependencies

Development

~> 1.5
>= 0
~> 3.0
 Project Readme

HTTP Signatures

Ruby implementation of HTTP Signatures draft specification; cryptographically sign and verify HTTP requests and responses.

See also:

Usage

Add http_signatures to your Gemfile.

Configure a context with your algorithm, keys, headers to sign. In Rails, this is best placed in an initializer.

require "http_signatures"

$context = HttpSignatures::Context.new(
  keys: {"examplekey" => "secret-key-here"},
  algorithm: "hmac-sha256",
  headers: ["(request-target)", "Date", "Content-Length"],
)

If there's only one key in the keys hash, that will be used for signing. Otherwise, specify one via signing_key_id: "examplekey".

Messages

A message is an HTTP request or response. A subset of the interface of Ruby's Net::HTTPRequest and Net::HTTPResponse is expected; the ability to set/read headers via message["name"], and for requests, the presence of message#method and message#path for (request-target) support.

require "net/http"
require "time"

message = Net::HTTP::Get.new(
  "/path?query=123",
  "Date" => Time.now.rfc822,
  "Content-Length" => "0",
)

Signing a message

$context.signer.sign(message)

Now message contains the signature headers:

message["Signature"]
# keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

message["Authorization"]
# Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

Verifying a signed message

$context.verifier.valid?(message)  # => true or false

Contributing

Pull Requests are welcome.