
Clarification and potential issue with `:verify_checksum` response step

Open rhcarvalho opened this issue 1 year ago • 1 comment

Hi @wojtekmach!

Firstly, I wanted to express my gratitude for Req, which has been immensely useful.

I'm reaching out to better understand the intended use cases for the :checksum step introduced in #254. It seems that the :verify_checksum step is executed prior to :decompress_body. This arrangement caught my attention because the checksum verification appears dependent on the compression implementation of the remote server. If the compression level changes or if compression is disabled, it seems that the :verify_checksum step might fail, even though many different compressed payloads can yield the same decompressed output.

This observation led me to think about a similar feature in web browsers known as Subresource Integrity (SRI). If I'm not mistaken, in the case of SRI, the integrity check of a resource is performed after decompression but before the file is used (like in JavaScript or CSS).

Based on this, I'm wondering if the current implementation of :verify_checksum in Req might benefit from a similar approach. Would performing the checksum verification after decompression align better with the typical expectations for integrity checks? This might also enhance compatibility with varying server-side compression implementations.

I might be misunderstanding some aspects of the implementation, so any clarification or insights would be greatly appreciated. If this observation holds merit, I'd be more than willing to contribute to a discussion or solution.

Thanks for your time and all the work you put into Req!

Cheers!

rhcarvalho Dec 15 '23 17:12
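The concern raised in the issue above, worked through as an added example (this is not code from Req, from the issue author, or from the linked pull request, and it is written in Python rather than Elixir so it can run stand-alone). It builds several valid encodings of one constructed JSON body (gzip at the default strategy, gzip with Huffman-only deflate, gzip with a different header mtime, and no compression at all), then compares what a checksum step sees when it hashes the wire bytes versus the decoded body. The `verify_sri` helper is a hypothetical SRI-style check of the form `sha256-<base64 digest>` applied after decoding; the function and variable names are assumptions for this example only.

```python
import base64
import gzip
import hashlib
import hmac
import zlib

# Constructed sample body (not taken from the Req issue): a small JSON document,
# repeated so that LZ77-style compression has something to work with.
BODY = b'{"name":"req","version":"0.4.0","deps":["finch","jason"]}\n' * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gzip_huffman_only(body: bytes) -> bytes:
    # wbits=31 asks zlib for a gzip container; Z_HUFFMAN_ONLY forbids LZ77
    # back-references, so the deflate stream differs from the default one
    # even though it decodes to exactly the same bytes.
    c = zlib.compressobj(9, zlib.DEFLATED, 31, 9, zlib.Z_HUFFMAN_ONLY)
    return c.compress(body) + c.flush()


def wire_variants(body: bytes) -> dict[str, bytes]:
    """Several equally valid ways a server could put the same body on the wire."""
    return {
        "gzip_default": gzip.compress(body, compresslevel=9, mtime=0),
        "gzip_huffman": gzip_huffman_only(body),
        "gzip_newer_mtime": gzip.compress(body, compresslevel=9, mtime=1_700_000_000),
        "identity": body,  # server has compression disabled entirely
    }


def decode(raw: bytes) -> bytes:
    """Undo gzip if the payload carries the gzip magic bytes; else treat as identity."""
    if raw[:2] == b"\x1f\x8b":
        return gzip.decompress(raw)
    return raw


def checksums_before_decompress(wire: dict[str, bytes]) -> set[str]:
    """What a checksum step that runs *before* decompression sees: one hash per encoding."""
    return {sha256_hex(raw) for raw in wire.values()}


def checksums_after_decompress(wire: dict[str, bytes]) -> set[str]:
    """What a checksum step that runs *after* decompression sees: one hash for the body."""
    return {sha256_hex(decode(raw)) for raw in wire.values()}


def sri_value(body: bytes, algo: str = "sha256") -> str:
    """Build an SRI-style 'sha256-<base64 digest>' string for a decoded body (hypothetical helper)."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(raw: bytes, expected: str) -> bool:
    """SRI-style verification: decode first, hash the result, compare in constant time."""
    algo, _, b64 = expected.partition("-")
    if algo not in {"sha256", "sha384", "sha512"}:
        return False
    got = base64.b64encode(hashlib.new(algo, decode(raw)).digest()).decode()
    return hmac.compare_digest(got, b64)


if __name__ == "__main__":
    wire = wire_variants(BODY)
    print("distinct hashes over wire bytes:  ", len(checksums_before_decompress(wire)))
    print("distinct hashes over decoded body:", len(checksums_after_decompress(wire)))
    expected = sri_value(BODY)
    for name, raw in wire.items():
        print(f"{name:18s} verify_sri -> {verify_sri(raw, expected)}")
```

Hashing the wire bytes yields a different digest for every encoding, so a pinned checksum only matches the one encoding the server happened to use when the checksum was recorded. Hashing after decoding yields a single digest for all four, which is the property an integrity check on the resource itself needs; the check still rejects a body whose content has changed.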