-
Notifications
You must be signed in to change notification settings - Fork 26
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
test(libs): use shared signatures #23
base: main
Are you sure you want to change the base?
Conversation
[ | ||
{ | ||
"id": "msg_p5jXN8AQM9LWM0D4loKWxJek", | ||
"timestamp": 1696200454, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The problem with this is that the verification function also verifies the timestamp is right.
I think we should either (or both?):
- Expose functions that allow verification while ignoring the timestamp (e.g. we have it in Go) just for the tests.
- Make it possible to create a test
Webhook
instance with a fake current time (or some other way to mock the current time).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently the test only verifies the signature is properly done and asserts its format. We're not doing the verification of this signature. Indeed we can do it, however mocking time.Now
can be tedious in some languages which my knowledge is a bit too shallow.
Every lib test the verification of the signature with their test suites.
Not sure which path we want to go for.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh right, if we just compare the signatures it should be deterministic. In my head I was also thinking about the asymmetric-signature variants because those don't have deterministic signatures, so this won't work there.
Yeah, I think mocking time.Now
is probably too big of a pain, I more meant: Webhook::new_with_mocked_time(key, fake_timestamp
. Though maybe it's better to just expose a verification that doesn't depend on the timestamp. I think this can probably be useful when building some utilities. E.g. we used it in https://github.com/svix/svix-cli I think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also that highlights the fact that libs should implement the same interface which is not the case currently. Eg:
standard-webhooks/libraries/go/webhook.go
Line 71 in 1e928f4
func (wh *Webhook) VerifyIgnoringTimestamp(payload []byte, headers http.Header) error { |
pub fn verify(&self, payload: &[u8], headers: &HeaderMap) -> Result<(), WebhookError> { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Go also has a verify without ignoring (normal verify), but yeah Rust (and all the rest) are missing the verify with ignoring.
I updated #21 accordingly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Restarting the conversation on this. Shouldn't this shared signature verify only the Sign
function accross every lib? with inputs and expected outputs? We might also introduce algorithm
in the future as we might want to support ecdsa
for example.
wdyt?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that's fair. We can cross the asymmetric bridge once we get to it, but given that it's deterministic at the moment, this is probably a good idea. So yeah, let's just verify sign.
We just need to also make sure we have tests that fail verification when the timestamp is outside of the allowed tolerance, but this need not be static.
follow-up for #21
Using shared signatures