Allow for generating requests without created field

Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "http-signature-normalization"
 description = "An HTTP Signatures library that leaves the signing to you"
-version = "0.3.0"
+version = "0.4.0"
 authors = ["asonix <asonix@asonix.dog>"]
 license-file = "LICENSE"
 readme = "README.md"

http-signature-normalization-actix/Cargo.toml

@@ -29,8 +29,9 @@ actix-web = "3.0.0-alpha.1"
 actix-http = "2.0.0-alpha.2"
 base64 = { version = "0.11", optional = true }
 bytes = "0.5.4"
+chrono = "0.4.6"
 futures = "0.3"
-http-signature-normalization = { version = "0.3.0", path = ".." }
+http-signature-normalization = { version = "0.4.0", path = ".." }
 log = { version = "0.4", optional = true }
 sha2 = { version = "0.8", optional = true }
 sha3 = { version = "0.8", optional = true }

http-signature-normalization-actix/examples/client.rs

@@ -1,19 +1,17 @@
 use actix_web::client::Client;
 use http_signature_normalization_actix::prelude::*;
 use sha2::{Digest, Sha256};
+use std::time::SystemTime;
 
-#[actix_rt::main]
+async fn request(config: Config) -> Result<(), Box<dyn std::error::Error>> {
-async fn main() -> Result<(), Box<dyn std::error::Error>> {
-    std::env::set_var("RUST_LOG", "info");
-    pretty_env_logger::init();
-
-    let config = Config::default();
     let mut digest = Sha256::new();
 
     let mut response = Client::default()
         .post("http://127.0.0.1:8010/")
         .header("User-Agent", "Actix Web")
+        .set(actix_web::http::header::Date(SystemTime::now().into()))
         .signature_with_digest(&config, "my-key-id", &mut digest, "Hewwo-owo", |s| {
+            println!("Signing String\n{}", s);
             Ok(base64::encode(s)) as Result<_, MyError>
         })?
         .send()
@@ -32,6 +30,18 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
     Ok(())
 }
 
+#[actix_rt::main]
+async fn main() -> Result<(), Box<dyn std::error::Error>> {
+    std::env::set_var("RUST_LOG", "info");
+    pretty_env_logger::init();
+
+    let config = Config::default();
+
+    request(config.clone()).await?;
+    request(config.dont_use_created_field()).await?;
+    Ok(())
+}
+
 #[derive(Debug, thiserror::Error)]
 pub enum MyError {
     #[error("Failed to read header, {0}")]

http-signature-normalization-actix/examples/server.rs

@@ -32,6 +32,8 @@ impl SignatureVerify for MyVerify {
             Err(_) => return err(MyError::Decode),
         };
 
+        println!("Signing String\n{}", signing_string);
+
         ok(decoded == signing_string.as_bytes())
     }
 }

http-signature-normalization-actix/src/lib.rs

@@ -151,7 +151,7 @@ use actix_web::http::{
     uri::PathAndQuery,
     Method,
 };
-
+use chrono::Duration;
 use std::{collections::BTreeMap, fmt::Display, future::Future};
 
 mod sign;
@@ -166,7 +166,7 @@ pub mod middleware;
 pub mod prelude {
     pub use crate::{
         middleware::{SignatureVerified, VerifySignature},
-        verify::{Algorithm, Unverified},
+        verify::{Algorithm, DeprecatedAlgorithm, Unverified},
         Config, PrepareVerifyError, Sign, SignatureVerify,
     };
 
@@ -232,10 +232,13 @@ pub trait Sign {
 }
 
 #[derive(Clone, Debug, Default)]
-/// A thin wrapper around the underlying library's config type
+/// Configuration for signing and verifying signatures
+///
+/// By default, the config is set up to create and verify signatures that expire after 10
+/// seconds, and use the `(created)` and `(expires)` fields that were introduced in draft 11
 pub struct Config {
     /// The inner config type
-    pub config: http_signature_normalization::Config,
+    config: http_signature_normalization::Config,
 }
 
 #[derive(Debug, thiserror::Error)]
@@ -251,6 +254,27 @@ pub enum PrepareVerifyError {
 }
 
 impl Config {
+    /// Create a new Config with a default expiration of 10 seconds
+    pub fn new() -> Self {
+        Config::default()
+    }
+
+    /// Opt out of using the (created) and (expires) fields introduced in draft 11
+    ///
+    /// Use this for compatibility with mastodon
+    pub fn dont_use_created_field(self) -> Self {
+        Config {
+            config: self.config.dont_use_created_field(),
+        }
+    }
+
+    /// Set the expiration to a custom duration
+    pub fn set_expiration(self, expires_after: Duration) -> Self {
+        Config {
+            config: self.config.set_expiration(expires_after),
+        }
+    }
+
     /// Begin the process of singing a request
     pub fn begin_sign(
         &self,

http-signature-normalization-http/Cargo.toml

@@ -13,4 +13,4 @@ edition = "2018"
 
 [dependencies]
 http = "0.2"
-http-signature-normalization = { version = "0.3.0", path = ".." }
+http-signature-normalization = { version = "0.4.0", path = ".." }

http-signature-normalization-reqwest/Cargo.toml

@@ -16,7 +16,7 @@ bytes = "0.5.3"
 futures = "0.3.1"
 chrono = "0.4.10"
 http = "0.2.0"
-http-signature-normalization = { version = "0.3.0", path = ".." }
+http-signature-normalization = { version = "0.4.0", path = ".." }
 reqwest = "0.10.1"
 serde = { version = "1.0.104", features = ["derive"], optional = true }
 serde_json = { version = "1.0.44", optional = true }

src/create.rs

@@ -13,8 +13,8 @@ use crate::{
 pub struct Signed {
     signature: String,
     sig_headers: Vec<String>,
-    created: DateTime<Utc>,
+    created: Option<DateTime<Utc>>,
-    expires: DateTime<Utc>,
+    expires: Option<DateTime<Utc>>,
     key_id: String,
 }
 
@@ -26,8 +26,8 @@ pub struct Signed {
 pub struct Unsigned {
     pub(crate) signing_string: String,
     pub(crate) sig_headers: Vec<String>,
-    pub(crate) created: DateTime<Utc>,
+    pub(crate) created: Option<DateTime<Utc>>,
-    pub(crate) expires: DateTime<Utc>,
+    pub(crate) expires: Option<DateTime<Utc>>,
 }
 
 impl Signed {
@@ -46,14 +46,24 @@ impl Signed {
     }
 
     fn into_header(self) -> String {
-        let header_parts = [
+        let mapped = self.created.and_then(|c| self.expires.map(|e| (c, e)));
-            (KEY_ID_FIELD, self.key_id),
+        let header_parts = if let Some((created, expires)) = mapped {
-            (ALGORITHM_FIELD, ALGORITHM_VALUE.to_owned()),
+            vec![
-            (CREATED_FIELD, self.created.timestamp().to_string()),
+                (KEY_ID_FIELD, self.key_id),
-            (EXPIRES_FIELD, self.expires.timestamp().to_string()),
+                (ALGORITHM_FIELD, ALGORITHM_VALUE.to_owned()),
-            (HEADERS_FIELD, self.sig_headers.join(" ")),
+                (CREATED_FIELD, created.timestamp().to_string()),
-            (SIGNATURE_FIELD, self.signature),
+                (EXPIRES_FIELD, expires.timestamp().to_string()),
-        ];
+                (HEADERS_FIELD, self.sig_headers.join(" ")),
+                (SIGNATURE_FIELD, self.signature),
+            ]
+        } else {
+            vec![
+                (KEY_ID_FIELD, self.key_id),
+                (ALGORITHM_FIELD, ALGORITHM_VALUE.to_owned()),
+                (HEADERS_FIELD, self.sig_headers.join(" ")),
+                (SIGNATURE_FIELD, self.signature),
+            ]
+        };
 
         header_parts
             .iter()

src/lib.rs

@@ -5,7 +5,7 @@
 //!
 //! - [crates.io](https://crates.io/crates/http-signature-normalization)
 //! - [docs.rs](https://docs.rs/http-signature-normalization)
-//! - [Join the discussion on Matrix](https://matrix.to/#/!IRQaBCMWKbpBWKjQgx:asonix.dog?via=asonix.dog)
+//! - [Hit me up on Mastodon](https://asonix.dog/@asonix)
 //!
 //! Http Signature Normalization is a minimal-dependency crate for producing HTTP Signatures with user-provided signing and verification. The API is simple; there's a series of steps for creation and verification with types that ensure reasonable usage.
 //!
@@ -15,9 +15,7 @@
 //! use std::collections::BTreeMap;
 //!
 //! fn main() -> Result<(), Box<dyn std::error::Error>> {
-//!     let config = Config {
+//!     let config = Config::default().set_expiration(Duration::seconds(5));
-//!         expires_after: Duration::seconds(5),
-//!     };
 //!
 //!     let headers = BTreeMap::new();
 //!
@@ -70,11 +68,11 @@ const SIGNATURE_FIELD: &'static str = "signature";
 #[derive(Clone, Debug)]
 /// Configuration for signing and verifying signatures
 ///
-/// Currently, the only configuration provided is how long a signature should be considered valid
+/// By default, the config is set up to create and verify signatures that expire after 10
-/// before it expires.
+/// seconds, and use the `(created)` and `(expires)` fields that were introduced in draft 11
 pub struct Config {
-    /// How long a singature is valid
+    expires_after: Duration,
-    pub expires_after: Duration,
+    use_created_field: bool,
 }
 
 #[derive(Debug, thiserror::Error)]
@@ -92,6 +90,25 @@ pub enum PrepareVerifyError {
 }
 
 impl Config {
+    /// Create a new Config with a default expiration of 10 seconds
+    pub fn new() -> Self {
+        Config::default()
+    }
+
+    /// Opt out of using the (created) and (expires) fields introduced in draft 11
+    ///
+    /// Use this for compatibility with mastodon
+    pub fn dont_use_created_field(mut self) -> Self {
+        self.use_created_field = false;
+        self
+    }
+
+    /// Set the expiration to a custom duration
+    pub fn set_expiration(mut self, expires_after: Duration) -> Self {
+        self.expires_after = expires_after;
+        self
+    }
+
     /// Perform the neccessary operations to produce an [`Unsigned`] type, which can be used to
     /// sign the header
     pub fn begin_sign(
@@ -104,16 +121,23 @@ impl Config {
             .into_iter()
             .map(|(k, v)| (k.to_lowercase(), v))
             .collect();
-        let sig_headers = build_headers_list(&headers);
 
-        let created = Utc::now();
+        let sig_headers = self.build_headers_list(&headers);
-        let expires = created + self.expires_after;
+
+        let (created, expires) = if self.use_created_field {
+            let created = Utc::now();
+            let expires = created + self.expires_after;
+
+            (Some(created), Some(expires))
+        } else {
+            (None, None)
+        };
 
         let signing_string = build_signing_string(
             method,
             path_and_query,
-            Some(created),
+            created,
-            Some(expires),
+            expires,
             &sig_headers,
             &mut headers,
         );
@@ -149,20 +173,24 @@ impl Config {
 
         Ok(unvalidated.validate(self.expires_after)?)
     }
-}
 
-fn build_headers_list(btm: &BTreeMap<String, String>) -> Vec<String> {
+    fn build_headers_list(&self, btm: &BTreeMap<String, String>) -> Vec<String> {
-    let http_header_keys: Vec<String> = btm.keys().cloned().collect();
+        let http_header_keys: Vec<String> = btm.keys().cloned().collect();
 
-    let mut sig_headers = vec![
+        let mut sig_headers = if self.use_created_field {
-        REQUEST_TARGET.to_owned(),
+            vec![
-        CREATED.to_owned(),
+                REQUEST_TARGET.to_owned(),
-        EXPIRES.to_owned(),
+                CREATED.to_owned(),
-    ];
+                EXPIRES.to_owned(),
+            ]
+        } else {
+            vec![REQUEST_TARGET.to_owned()]
+        };
 
-    sig_headers.extend(http_header_keys);
+        sig_headers.extend(http_header_keys);
 
-    sig_headers
+        sig_headers
+    }
 }
 
 fn build_signing_string(
@@ -196,6 +224,7 @@ impl Default for Config {
     fn default() -> Self {
         Config {
             expires_after: Duration::seconds(10),
+            use_created_field: true,
         }
     }
 }

src/verify.rs

@@ -36,6 +36,7 @@ pub struct Unvalidated {
     pub(crate) created: Option<DateTime<Utc>>,
     pub(crate) expires: Option<DateTime<Utc>>,
     pub(crate) parsed_at: DateTime<Utc>,
+    pub(crate) date: Option<String>,
     pub(crate) signing_string: String,
 }
 
@@ -181,6 +182,15 @@ impl Unvalidated {
             }
         }
 
+        if let Some(date) = self.date {
+            if let Ok(datetime) = DateTime::parse_from_rfc2822(&date) {
+                let datetime: DateTime<Utc> = datetime.into();
+                if datetime + expires_after < self.parsed_at {
+                    return Err(ValidateError::Expired);
+                }
+            }
+        }
+
         Ok(Unverified {
             key_id: self.key_id,
             algorithm: self.algorithm,
@@ -198,6 +208,8 @@ impl ParsedHeader {
         path_and_query: &str,
         headers: &mut BTreeMap<String, String>,
     ) -> Unvalidated {
+        let date = headers.get("date").cloned();
+
         let signing_string = build_signing_string(
             method,
             path_and_query,
@@ -214,6 +226,7 @@ impl ParsedHeader {
             algorithm: self.algorithm,
             created: self.created,
             expires: self.expires,
+            date,
             signing_string,
         }
     }