activitypub-express

request-compose as a replacement for deprecated request lib

Open gregid opened this issue 5 years ago • 1 comments

This PR implements a request-compose based replacement for the old/deprecated request + request-promise-native libraries, as discussed in #12.

This change also starts work toward replacing the patched version of http-signature with a maintained alternative.

But here it gets complicated, as all of the available libraries have some problems. Here is a list of some pros/cons:

  • http-signature (joyent)
    • (+) has sign/verifySignature implemented, parseRequest with no spec
    • (-) doesn't work with 'Signature' header
    • (-) operates on request object only
    • (-) incorrect path parsing: path -> undefined
    • (-) inactive
  • http-signature (patched)
    • (+) has sign/verifySignature implemented, parseRequest with no spec
    • (-) operates on request object only
    • (-) edge case incorrect path parsing: path -> undefined
    • (-) is patched
  • http-signature-header (digitalbazaar)
    • (+) operates on headers directly
    • (+) more active/recent than joyent
    • (-/+) (-) custom methods need to be implemented; (+) flexibility
    • (-/+) parseRequest requires specification for parsing
    • (-) doesn't work correctly with 'Signature' header (inherits problem from joyent)
    • (?) possibly the same path parsing problem may apply here.

I think the best way forward (long term) is to fix http-signature-header and implement the missing methods. In the interim, use http-signature-header for signing and http-signature (patched, fixed) for parsing and verifying.

In both the interim and the long term, as of now we can remove the old request + request-promise-native as dependencies.

Tasks:

  • [x] request replacement implemented
  • [ ] (http-signature patched) fix edge case path parsing
  • [ ] (http-signature-header) fix parseRequest for headers: Signature: 'keyId=.....

gregid avatar Apr 19 '21 17:04 gregid

The three failures from Travis:

**************************************************
*                    Failures                    *
**************************************************
1) request parsed by http-signature lib using Authorization Header
  - Expected 400 to be 200.
2) request parsed by http-signature lib using Signature Header
  - Expected 400 to be 200.
3) request parsed by http-signature-header lib using Signature Header
  - Uncaught exception: SyntaxError: bad param format

are to showcase problems with http-signature... libraries. 1 and 2 fail due to incorrect path parsing (path -> undefined). 3 fails when the header is Signature: 'keyId=..... and not Authorization: 'Signature keyId=.....

gregid avatar Apr 19 '21 18:04 gregid
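
Failure 3 above comes down to the two header forms carrying the same parameter list with and without a `Signature ` scheme prefix. The following is an added example, not code from this PR or from either http-signature library: a hypothetical `parseSignatureParams` helper that accepts both forms and rejects malformed, duplicate, or missing parameters. It assumes the draft-cavage-http-signatures parameter grammar, and the sample value is constructed.

```javascript
// Added example: hypothetical helper, not code from activitypub-express or the
// http-signature libraries. Parameter grammar follows draft-cavage-http-signatures.
const PARAM = /\s*([A-Za-z]+)=(?:"([^"]*)"|(\d+))\s*(?:,|$)/y;

function parseSignatureParams(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  // Accept both forms: `Signature: keyId=...` and `Authorization: Signature keyId=...`.
  let raw, source;
  if (typeof h.signature === 'string') {
    raw = h.signature;
    source = 'signature';
  } else if (typeof h.authorization === 'string') {
    const m = /^Signature\s+(.+)$/i.exec(h.authorization);
    if (!m) throw new SyntaxError('Authorization scheme is not Signature');
    raw = m[1];
    source = 'authorization';
  } else {
    throw new SyntaxError('no Signature or Authorization header');
  }

  // Walk the parameter list with a sticky regex; anything unmatched is rejected.
  const params = Object.create(null); // no inherited keys to collide with
  let pos = 0;
  while (pos < raw.length) {
    PARAM.lastIndex = pos;
    const m = PARAM.exec(raw);
    if (!m) throw new SyntaxError(`bad param format at offset ${pos}`);
    if (m[1] in params) throw new SyntaxError(`duplicate param: ${m[1]}`);
    params[m[1]] = m[2] !== undefined ? m[2] : m[3];
    pos = PARAM.lastIndex;
  }
  for (const required of ['keyId', 'signature']) {
    if (!params[required]) throw new SyntaxError(`missing param: ${required}`);
  }
  // The draft defaults the signed header list to `date` when `headers` is absent.
  const signed = (params.headers || 'date').toLowerCase().split(/\s+/).filter(Boolean);
  return { source, keyId: params.keyId, algorithm: params.algorithm,
           headers: signed, signature: params.signature };
}

// Constructed sample value, not a real key id or signature.
const SAMPLE = 'keyId="https://example.test/u/alice#main-key",algorithm="rsa-sha256",' +
  'headers="(request-target) host date",signature="Y29uc3RydWN0ZWQ="';
```

Rejecting duplicate parameters matters for verification: two parsers that disagree on which `keyId` or `headers` value wins can end up checking different things for the same request.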