
feat(backend): validate httpsig on rs requests using auth implementation

Open dclipp opened this issue 3 years ago • 3 comments

  • Export verifySig from auth package
  • Use auth's verifySig implementation to validate the signature received after an introspection request

Changes proposed in this pull request

  • fixes #585

Context

Checklist

  • [X] Related issues linked using fixes #number
  • [X] Tests added/updated
  • [ ] Documentation added
  • [ ] Make sure that all checks pass

dclipp avatar Oct 13 '22 23:10 dclipp

I'm understanding this would effectively turn on httpsig verification for every Open Payments API call. This will cause the example postman collection requests to break. I think we will need to update the seed scripts to create clients & keys and update the postman collection to properly sign the requests. In the interim, we could allow for an env flag to toggle httpsig verification, so we can handle the proper seeding & local environment set up later.

mkurapov avatar Oct 19 '22 17:10 mkurapov

@mkurapov Since we are still using the magic tokens in postman, it should still work because whenever they are passed, there is no introspection and no signature validation. However, we do have issues for all of your points:

  • https://github.com/interledger/rafiki/issues/664
  • https://github.com/interledger/rafiki/issues/665
  • https://github.com/interledger/rafiki/issues/606

sabineschaller avatar Oct 19 '22 20:10 sabineschaller

Thanks for the explanation @sabineschaller. I was using the access tokens from the auth seeds; using `authorization: GNAP dev-access-token` for the Postman requests like in the config ended up working for me. I've been taking a look at the linked issues and they make sense; I will add some comments if I see anything come up.

mkurapov avatar Oct 20 '22 15:10 mkurapov