
Updated to check against SHA-256 signature of request body (fixes #47) #57

Merged (2 commits), Jan 13, 2024

Conversation

tejashah88 (Member):

This should address #47. I'm thinking this should warrant a major version as it behaves differently enough. @mreinstein any thoughts on this and this PR?

Here's a full list of the changes:

Features:

  • Bumped the alexa-verifier dependency to 4.0.0
  • Updated the request headers being read to check the hashed signature

Testing:

  • Fixed the "fail invalid signature" test, as it was checking for an invalid certificate parameter instead
  • Ditched hardcoded signatures in favor of dynamically generated signatures (similar to what alexa-verifier does)
  • Cleaned up, made the tests a bit more uniform (consistent checks and naming) and added some comments

@tejashah88 tejashah88 requested a review from mreinstein January 10, 2024 12:34
@tejashah88 tejashah88 self-assigned this Jan 10, 2024
@tejashah88 tejashah88 linked an issue Jan 10, 2024 that may be closed by this pull request
@tejashah88 tejashah88 force-pushed the 47-update-request-header-to-signature-256 branch 3 times, most recently from 6cd5253 to 7cc4398 Compare January 10, 2024 16:21
mreinstein (Collaborator) left a comment:

Great work!

.gitignore (outdated, resolved)
CHANGELOG.md Outdated
@@ -1,3 +1,7 @@
## 3.0.0
* BREAKING: Updated to check against SHA-256 signature of request body (#47)
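Review bot: The `## 3.0.0` heading and the `BREAKING:` label in this entry assert a breaking change, but the line does not say what actually changes for a consumer of the middleware; spell out the behavioural change (which signature header is now verified and whether the legacy SHA-1 header is still accepted) so users can judge whether they are affected, or, if nothing in the exported behaviour breaks, drop the label and pick a minor version. Also, the hunk header `@@ -1,3 +1,7 @@` announces four added lines while only two are shown, so the rest of the changelog addition appears to be missing from this view.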
mreinstein (Collaborator):

My understanding is that both the sha-256 and the sha1 headers are still present in the Amazon response headers, and updating to this module doesn't involve any breaking changes, but maybe I'm missing something?

tejashah88 (Member, Author):

You are correct, they still do have both headers. I figured if Amazon wants to use SHA-256 over SHA-1, they'll drop the latter at some point, and that would be a big behaviour change by itself (hence the major version bump).

However I'm not strongly rooted in this idea and open to other ideas too.

mreinstein (Collaborator):

I think semver is only referring to the impact of the module on a person's local codebase. In the case of someone importing alexa-verifier-middleware, I don't see any changes that would be breaking on the code side.

mreinstein (Collaborator), Jan 10, 2024:

The reason why I'm bringing this up is that the downside to bumping the major version is that it results in fewer people updating. Bumping the minor number instead will result in more people adopting it quickly, which is nice for an API change that might someday break if/when Amazon removes the non-256 version of the signature header.

tejashah88 (Member, Author):

You bring up a good point about version adoption. I'll make the changes later today.

package.json (outdated, resolved)
@tejashah88 tejashah88 force-pushed the 47-update-request-header-to-signature-256 branch from 7cc4398 to d843d13 Compare January 10, 2024 17:46
@tejashah88 tejashah88 force-pushed the 47-update-request-header-to-signature-256 branch from d843d13 to bd7e556 Compare January 13, 2024 01:47
mreinstein (Collaborator) left a comment:

nice work!

@mreinstein mreinstein merged commit 978dee2 into master Jan 13, 2024
5 checks passed
tejashah88 (Member, Author):

Thanks! I'll do the release on NPM

Linked issue (may be closed by this pull request): Update Request Header to Signature-256