No release in over 3 years
Low commit activity in last 3 years
There are a lot of open issues
Sign and verify HTTP messages
 Project Readme

HTTP Signatures

Ruby implementation of the HTTP Signatures draft specification: cryptographically sign and verify HTTP requests and responses.

See also:

Usage

Add http_signatures to your Gemfile.

Configure a context with your algorithm, your keys, and the headers to sign. In Rails, this is best placed in an initializer.

require "http_signatures"

$context = HttpSignatures::Context.new(
  keys: {"examplekey" => "secret-key-here"},
  algorithm: "hmac-sha256",
  headers: ["(request-target)", "Date", "Content-Length"],
)

If there's only one key in the keys hash, that will be used for signing. Otherwise, specify one via signing_key_id: "examplekey".

Messages

A message is an HTTP request or response. A subset of the interface of Ruby's Net::HTTPRequest and Net::HTTPResponse is expected: the ability to set and read headers via message["name"] and, for requests, the presence of message#method and message#path for (request-target) support.

require "net/http"
require "time"

message = Net::HTTP::Get.new(
  "/path?query=123",
  "Date" => Time.now.rfc822,
  "Content-Length" => "0",
)

Signing a message

$context.signer.sign(message)

Now message contains the signature headers:

message["Signature"]
# keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

message["Authorization"]
# Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

Verifying a signed message

$context.verifier.valid?(message)  # => true or false
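
What an hmac-sha256 signature over "(request-target)", "Date" and "Content-Length" covers, as an added example using only Ruby's standard library. It is not the gem's own code: the helper names are hypothetical, and the signing-string layout is assumed to follow the HTTP Signatures draft (one lowercase "name: value" line per covered header).

```ruby
require "openssl"
require "net/http"

# Added illustration, not the gem's source; all helper names are hypothetical.
COVERED = ["(request-target)", "date", "content-length"].freeze

# Draft signing string: one lowercase "name: value" line per covered header.
def signing_string(message)
  COVERED.map do |name|
    value = if name == "(request-target)"
      "#{message.method.downcase} #{message.path}"
    else
      message[name] || raise(ArgumentError, "missing header: #{name}")
    end
    "#{name}: #{value}"
  end.join("\n")
end

# Base64 (no line breaks) of HMAC-SHA256 over the signing string.
def hmac_signature(key, message)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), key,
                             signing_string(message))
  [mac].pack("m0")
end

def sign!(key_id, key, message)
  message["Signature"] = format(
    'keyId="%s",algorithm="hmac-sha256",headers="%s",signature="%s"',
    key_id, COVERED.join(" "), hmac_signature(key, message)
  )
  message
end

# Recompute over the verifier's own COVERED list (not a list claimed by the
# sender) and compare in constant time.
def signature_valid?(key, message)
  claimed = message["Signature"].to_s[/signature="([^"]*)"/, 1]
  !claimed.nil? && OpenSSL.secure_compare(claimed, hmac_signature(key, message))
end

# Constructed sample request with a fixed Date so the result is repeatable.
def sample_request(path = "/path?query=123")
  Net::HTTP::Get.new(path, "Date" => "Sat, 07 Jun 2014 20:51:35 GMT",
                           "Content-Length" => "0")
end
```

Only the listed headers and the request target are bound by the signature; any header outside that list, and the body unless a digest header is signed, can change without invalidating it.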

Contributing

Pull Requests are welcome.