test(libs): use shared signatures

[zekth]

follow-up for #21

Using shared signatures

[tasn]

The problem with this is that the verification function also verifies the timestamp is right.

I think we should either (or both?):

1. Expose functions that allow verification while ignoring the timestamp (e.g. we have it in Go) just for the tests.
2. Make it possible to create a test Webhook instance with a fake current time (or some other way to mock the current time).

[zekth]

Currently the test only verifies the signature is properly done and asserts its format. We're not doing the verification of this signature. Indeed we can do it, however mocking time.Now can be tedious in some languages which my knowledge is a bit too shallow.

Every lib test the verification of the signature with their test suites.

Not sure which path we want to go for.

[tasn]

Oh right, if we just compare the signatures it should be deterministic. In my head I was also thinking about the asymmetric-signature variants because those don't have deterministic signatures, so this won't work there.

Yeah, I think mocking time.Now is probably too big of a pain, I more meant: Webhook::new_with_mocked_time(key, fake_timestamp. Though maybe it's better to just expose a verification that doesn't depend on the timestamp. I think this can probably be useful when building some utilities. E.g. we used it in https://github.com/svix/svix-cli I think.

[zekth]

Also that highlights the fact that libs should implement the same interface which is not the case currently. Eg:

standard-webhooks/libraries/go/webhook.go

Line 71 in 1e928f4

func (wh *Webhook) VerifyIgnoringTimestamp(payload []byte, headers http.Header) error {

standard-webhooks/libraries/rust/src/lib.rs

Line 62 in 1e928f4

pub fn verify(&self, payload: &[u8], headers: &HeaderMap) -> Result<(), WebhookError> {

[tasn]

Go also has a verify without ignoring (normal verify), but yeah Rust (and all the rest) are missing the verify with ignoring.

I updated #21 accordingly.

[zekth]

Restarting the conversation on this. Shouldn't this shared signature verify only the Sign function accross every lib? with inputs and expected outputs? We might also introduce algorithm in the future as we might want to support ecdsa for example.

wdyt?

[tasn]

I think that's fair. We can cross the asymmetric bridge once we get to it, but given that it's deterministic at the moment, this is probably a good idea. So yeah, let's just verify sign.

We just need to also make sure we have tests that fail verification when the timestamp is outside of the allowed tolerance, but this need not be static.