HTTP Signatures
Ruby implementation of the HTTP Signatures draft specification; cryptographically sign and verify HTTP requests and responses.
Usage
Add http_signatures to your Gemfile.
Configure a context with your algorithm, keys, and the headers to sign. In Rails, this is best placed in an initializer.
require "http_signatures"
$context = HttpSignatures::Context.new(
  keys: {"examplekey" => "secret-key-here"},
  algorithm: "hmac-sha256",
  headers: ["(request-target)", "Date", "Content-Length"],
)
If there's only one key in the keys hash, that will be used for signing. Otherwise, specify one via signing_key_id: "examplekey".
Messages
A message is an HTTP request or response. A subset of the interface of Ruby's Net::HTTPRequest and Net::HTTPResponse is expected; the ability to set/read headers via message["name"], and for requests, the presence of message#method and message#path for (request-target) support.
require "net/http"
require "time"
message = Net::HTTP::Get.new(
  "/path?query=123",
  "Date" => Time.now.rfc822,
  "Content-Length" => "0",
)
Signing a message
$context.signer.sign(message)
Now message contains the signature headers:
message["Signature"]
# keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."
message["Authorization"]
# Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."
Verifying a signed message
$context.verifier.valid?(message) # => true or false
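What the signature covers for the context configured above, as an added example (not code from the http_signatures gem): it builds the draft's signing string for the listed headers using only Ruby's standard library and checks an HMAC-SHA256 over it. The helper names, the fixed Date value and the X-Unsigned header are constructed for illustration.

```ruby
require "net/http"
require "openssl"

# Same header list as the context configured above.
SIGNED_HEADERS = ["(request-target)", "Date", "Content-Length"].freeze

# Signing string per the draft: one "name: value" line per listed header,
# names lowercased, in the listed order, joined with "\n".
def signing_string(message, headers = SIGNED_HEADERS)
  lines = headers.map do |name|
    if name == "(request-target)"
      "(request-target): #{message.method.downcase} #{message.path}"
    else
      value = message[name]
      raise ArgumentError, "missing signed header: #{name}" if value.nil?
      "#{name.downcase}: #{value}"
    end
  end
  lines.join("\n")
end

# Base64 (no line breaks) of HMAC-SHA256 over the signing string.
def hmac_signature(key, message)
  [OpenSSL::HMAC.digest("SHA256", key, signing_string(message))].pack("m0")
end

# Compare without returning early on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def signature_valid?(key, message, signature)
  secure_equal?(hmac_signature(key, message), signature)
end

# Constructed request with a fixed Date so the output is reproducible.
def sample_request(path = "/path?query=123")
  Net::HTTP::Get.new(path, "Date" => "Mon, 01 Jan 2024 00:00:00 GMT",
                           "Content-Length" => "0")
end

if __FILE__ == $PROGRAM_NAME
  req = sample_request
  sig = hmac_signature("secret-key-here", req)
  req["X-Unsigned"] = "changed after signing" # not in SIGNED_HEADERS
  puts signing_string(req)
  puts "unsigned header changed: valid=#{signature_valid?('secret-key-here', req, sig)}"
  puts "path changed: valid=#{signature_valid?('secret-key-here', sample_request('/path?query=999'), sig)}"
end
```

Only the listed headers are covered: changing any other header, or the body without changing Content-Length, leaves the signature valid.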
Contributing
Pull Requests are welcome.