Go client verification fails if svix-signature header is an array of strings #880

arabello opened this issue Mar 30, 2023 · 5 comments
Closed

Bug Report

Version

v0.82.1

Platform

Darwin MacBook-Pro-di-buildo.local 20.6.0 Darwin Kernel Version 20.6.0: Mon Aug 30 06:12:21 PDT 2021; root:xnu-7195.141.6~3/RELEASE_X86_64 x86_64

Description

While verifying webhooks inside an AWS lambda, the standard approach to get an http.Request from the lambda's event creates the svix-signature http.Request.Header by splitting the original signature.

http.Request.Header["svix-signature"] results in an array of two strings

{"v1" "doqUF7tykdkLqUxzXTUyeoc4JIxGtOjt6kDsomething"}

instead of an array of a single string

{"v1,doqUF7tykdkLqUxzXTUyeoc4JIxGtOjt6kDsomething"}

This causes the Verify method to fail, as it calls http.Request.Header.Get, which returns only the first value (in this case v1) instead of the two-string array.

I expected this library to support this case, as using AWS lambdas is pretty popular.

I temporarily work around it by overriding the request header:

req.Header.Set("Svix-Signature", strings.Join(req.Header["Svix-Signature"], ","))

but I expected the library to internally handle it. For example, inside the verify method there could be a check like:

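msgSignature := headers.Get("svix-signature")
// http.Header stores every field as a []string, so test for multiple values instead of reflecting on the type.
if values := headers.Values("svix-signature"); len(values) > 1 {
    // Rejoin the parts that were split on commas upstream.
    msgSignature = strings.Join(values, ",")
}
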
Member

tasn commented Mar 31, 2023

This feels like a bug with the AWS lambda library, as these headers are not defined as comma-separated headers, so they shouldn't be split as such.

What's the behavior in non-lambda Go web frameworks? Any idea?

Author

arabello commented Apr 2, 2023

> This feels like a bug with the AWS lambda library, as these headers are not defined as comma-separated headers

Yeah, I dug into it: the API Gateway V2 client is splitting every header, considering them as comma-separated. Different behavior compared to V1, though.

> What's the behavior in non-lambda Go web frameworks? Any idea?

I don't have a clue about other frameworks.

I objectively agree that this is more of an issue on the AWS client side, as they are treating a custom header as a comma-separated one. Actually, they are treating all headers as comma-separated.

Thanks anyway, closing this

arabello closed this as completed Apr 2, 2023
Member

tasn commented Apr 3, 2023

It's still a concern to be honest, it makes the lives of verifiers more difficult if they have to work around bad implementations. :|

Author

arabello commented Apr 3, 2023

Yeah, here's the reference where I'm asking about it: awslabs/aws-lambda-go-api-proxy#171

Member

tasn commented Apr 3, 2023

Let's see what they say. Thanks for the link!
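
Added example, not part of the original thread or of the Svix library: a Go reproduction of the failure discussed above (a comma-split signature header makes `Header.Get` return only `v1`) and of the rejoin workaround. `signatureHeader`, `splitLikeProxy`, the simplified `sign`/`verify` scheme, the secret and the payload are all assumptions constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// signatureHeader returns the full value of a signature header even when an
// upstream adapter split it on commas into several header values.
// Hypothetical helper, not part of the Svix library.
func signatureHeader(h http.Header, name string) string {
	return strings.Join(h.Values(name), ",")
}

// sign builds a "v1,<base64 HMAC-SHA256>" value. Simplified stand-in scheme
// for this example only; base64 output never contains a comma.
func sign(secret, payload []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(payload)
	return "v1," + base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// verify compares the received header value with the expected one in constant time.
func verify(received string, secret, payload []byte) bool {
	return hmac.Equal([]byte(received), []byte(sign(secret, payload)))
}

// splitLikeProxy mimics the adapter behaviour described in the issue: the
// header value is split on "," and each part is added as its own value.
func splitLikeProxy(name, value string) http.Header {
	h := http.Header{}
	for _, part := range strings.Split(value, ",") {
		h.Add(name, part)
	}
	return h
}

func main() {
	secret, payload := []byte("constructed-secret"), []byte(`{"event":"constructed"}`)
	h := splitLikeProxy("svix-signature", sign(secret, payload))
	fmt.Println(verify(h.Get("svix-signature"), secret, payload))              // Get sees only "v1"
	fmt.Println(verify(signatureHeader(h, "svix-signature"), secret, payload)) // rejoined value
}
```

The rejoin is lossless here only because the signature part contains no comma of its own; a header that arrives unsplit passes through `signatureHeader` unchanged.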
