feat: Encode method and URL in HTTP message signatures

Author: joachimvh

packages/css/src/util/fetch/SignedFetcher.ts

@@ -57,7 +57,11 @@ export class SignedFetcher implements Fetcher {
     new Headers(init?.headers).forEach((value, key) => request.headers[key] = value);
     request.headers['Authorization'] = `HttpSig cred="${this.baseUrl}"`;
 
-    const signed = await httpbis.signMessage({ key, paramValues: { keyid: 'TODO' } }, request);
+    const signed = await httpbis.signMessage({
+      key,
+      fields: [ '@target-uri', '@method' ],
+      paramValues: { keyid: 'TODO' }
+    }, request);
 
     return await this.fetcher.fetch(url, signed);
   }

packages/css/test/unit/util/fetch/SignedFetcher.test.ts

@@ -29,7 +29,7 @@ describe('SignedFetcher', (): void => {
       alg: 'ES256',
       getPrivateKey: vi.fn().mockResolvedValue(jwk),
       getPublicKey: vi.fn(),
-    }
+    };
 
     source = {
       fetch: vi.fn().mockResolvedValue('result'),
@@ -42,7 +42,11 @@ describe('SignedFetcher', (): void => {
     await expect(fetcher.fetch('http://example.com', { method: 'DELETE', headers: { accept: 'text/turtle' } })).resolves.toBe('result');
     expect(signMessage).toHaveBeenCalledTimes(1);
     expect(signMessage).toHaveBeenLastCalledWith(
-      { key: expect.objectContaining({ alg: 'ES256', id: 'kid' }), paramValues: { keyid: 'TODO' }},
+      {
+        key: expect.objectContaining({ alg: 'ES256', id: 'kid' }),
+        fields: [ '@target-uri', '@method' ],
+        paramValues: { keyid: 'TODO' }
+      },
       {
         url: 'http://example.com',
         method: 'DELETE',

packages/uma/src/util/HttpMessageSignatures.ts

@@ -1,5 +1,5 @@
-import { UnauthorizedHttpError, type AlgJwk, BadRequestHttpError, InternalServerError } from '@solid/community-server';
-import { httpbis, type SigningKey, type Request as SignRequest } from 'http-message-signatures';
+import { UnauthorizedHttpError, type AlgJwk, BadRequestHttpError } from '@solid/community-server';
+import { httpbis, type SigningKey, type Request as SignRequest, defaultParams } from 'http-message-signatures';
 import { verifyMessage } from 'http-message-signatures/lib/httpbis';
 import { type SignatureParameters, type VerifierFinder, type VerifyingKey } from 'http-message-signatures/lib/types';
 import { HttpHandlerRequest } from './http/models/HttpHandler';
@@ -17,12 +17,13 @@ export async function signRequest(
     id: jwk.kid,
     alg: jwk.alg,
     async sign(data: BufferSource) {
-      const key = await crypto.subtle.importKey('jwk', jwk, jwk.alg, false, ['sign', 'verify']);
-      return Buffer.from(await crypto.subtle.sign(jwk.alg, key, data));
+      const params = algMap[jwk.alg];
+      const key = await crypto.subtle.importKey('jwk', jwk, params, false, ['sign']);
+      return Buffer.from(await crypto.subtle.sign(params, key, data));
     },
   };
 
-  return await httpbis.signMessage<RequestInit & SignRequest>({ key }, { ...request, url });
+  return await httpbis.signMessage({ key, fields: [ '@target-uri', '@method' ] }, { ...request, url });
 }
 
 export async function extractRequestSigner(request: HttpHandlerRequest): Promise<string> {
@@ -40,11 +41,7 @@ export async function extractRequestSigner(request: HttpHandlerRequest): Promise
     throw new UnauthorizedHttpError();
   }
 
-  const signer = params.cred;
-
-  if (!signer) throw new UnauthorizedHttpError('No valid HTTPSig authorization header found.');
-
-  return signer;
+  return params.cred;
 }
 
 export async function verifyRequest(
@@ -66,11 +63,9 @@ export async function verifyRequest(
         domain: signer!,
         alg: alg ?? '',
         kid: keyid ?? '',
-      })
+      });
 
       if (!alg) throw new BadRequestHttpError('Invalid HTTP message Signature parameters.');
-      // if (alg === 'EdDSA') throw new InternalServerError('EdDSA signing is not supported');
-      // if (alg === 'ES256K') throw new InternalServerError('ES256K signing is not supported');
 
       const verifier: VerifyingKey = {
         id: keyid,