Add server signed response #163

fwininger · 2018-01-15T10:56:38Z

@kjg @adamlwgriffiths I try to do a PR for #112, can you take a look ?

If the approch seems to be good I implement the unit tests.

fwininger · 2018-01-26T21:12:03Z

Hi @kjg @mgomes can you take a quick look of this ?

fwininger · 2018-02-11T14:30:51Z

Hi @kjg @mgomes have you some time to take a quick look of this ? I need this feature in production before the end of the month and I prefers to not manage a hard fork of this gem.

kjg

Comments on individual lines, can you please add some tests as well.

Thanks so much for taking this on!

kjg · 2018-02-16T15:16:40Z

lib/api_auth/railtie.rb

+              if api_auth_options
+                response.headers['CONTENT-MD5'] ||= Digest::MD5.base64digest(json)
+                response.headers['Authorization'] ||= ApiAuth.sign!(
+                  request,


We'd want to pass in the response object here right?

I know that is strange, but we need to pass the request object because we need to access to the request.fullpath.
Secondly, we can use the already defined ActionDispatchRequest without any changed.

kjg · 2018-02-16T15:17:08Z

README.md

@@ -226,6 +226,30 @@ Rails app:
    end
 ```

+### Server signing response
+
+The server can perform a validation of the response.


I think you're trying to say the server can sign the content of the response, right?

kjg · 2018-02-16T15:22:27Z

lib/api_auth/railtie.rb

@@ -13,7 +13,40 @@ def api_authenticated?(secret_key)
        end
      end

+      module ClassMethods
+        def validation_with_api_auth(api_auth_options = nil)


Can we call this something like api_auth_sign_response

kjg · 2018-02-16T15:25:21Z

lib/api_auth/railtie.rb

+
+              # API AUTH addition headers
+              if api_auth_options
+                response.headers['CONTENT-MD5'] ||= Digest::MD5.base64digest(json)


Is this needed because the response object won't have a body for ApiAuth to inspect yet?

In fact, the body is the json variable. I keep the same code as the classic JSON renderer. It's just a .to_json of the variable passed in the controller.

The source code is here : https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/renderers.rb#L156

I add a comment in the code for memory.

Signed-off-by: Florian Wininger <fw.centrale@gmail.com>

kjg reviewed Feb 16, 2018

View reviewed changes

fwininger force-pushed the signed_response branch from 8406260 to 047d805 Compare February 13, 2019 17:15

Add server signed response

a963725

Signed-off-by: Florian Wininger <fw.centrale@gmail.com>

fwininger force-pushed the signed_response branch from 047d805 to a963725 Compare August 27, 2019 13:36

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add server signed response #163

Add server signed response #163

fwininger commented Jan 15, 2018

fwininger commented Jan 26, 2018

fwininger commented Feb 11, 2018

kjg left a comment

kjg Feb 16, 2018

fwininger Feb 26, 2018

kjg Feb 16, 2018

fwininger Feb 26, 2018

kjg Feb 16, 2018

fwininger Feb 26, 2018

kjg Feb 16, 2018

fwininger Feb 26, 2018

Add server signed response #163

Are you sure you want to change the base?

Add server signed response #163

Conversation

fwininger commented Jan 15, 2018

fwininger commented Jan 26, 2018

fwininger commented Feb 11, 2018

kjg left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment