Take port into account for the signature #55
Merged
Description
This PR instructs the servant-hmac-auth client code to take the remote HTTP port into account in the generated HMAC signatures for the following cases:
Technical details
The HMAC signature takes into account both the Host HTTP header and the requested URL (from host to query string and everything in between, including any non-standard port).

Before that PR, the client code actually only took the host into account, both for the always-overwritten Host header and for the URL used for the signature. This would work if the client application targets a remote endpoint on a standard port (80 for http, 443 for https) as the port is optional in that case. However, this fails on a non-standard port as it would then be required to be explicit for both the HTTP header and the URL. By ignoring the port, the library would generate a signature that wouldn't be recognized as valid by the remote server if the latter takes the port into account.

This PR forces the library to take the port into account when the targeted port is not standard. However, should the client application use an explicit Host header, this one will be used instead.

The server code is not impacted as it always uses the Host HTTP header.

Consequences
Servers are not impacted by the PR.
Clients only sending requests to servers on a standard port (80 for http and 443 for https) are not affected.
Clients that were sending requests to servers which were modified not to take the port into account need to be updated to do so.
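The port mismatch described above, as an added illustration that is not servant-hmac-auth's own code: it assumes a constructed signing string (Host value, newline, then the URL from authority to query string) and a server that recomputes the HMAC from the Host header as received, which for a non-standard port carries host:port. `include_port=False` models the pre-fix client.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

STANDARD_PORTS = {"http": 80, "https": 443}


def host_value(url, include_port=True, explicit_host=None):
    """Value the client puts in the Host header. An explicit header set by the
    application wins; otherwise the host name, plus ':port' only when the port
    is non-standard for the scheme (include_port=False models the old client)."""
    if explicit_host is not None:
        return explicit_host
    parts = urlsplit(url)
    if not include_port or parts.port is None or parts.port == STANDARD_PORTS.get(parts.scheme):
        return parts.hostname
    return f"{parts.hostname}:{parts.port}"


def canonical(host, url):
    """Constructed signing string (assumption, not the library's real layout):
    Host value, newline, then the URL with its authority taken from the Host value."""
    parts = urlsplit(url)
    query = f"?{parts.query}" if parts.query else ""
    return f"{host}\n{host}{parts.path or '/'}{query}"


def client_sign(secret, url, include_port=True, explicit_host=None):
    """Return (Host header value sent, hex HMAC-SHA256 over the canonical string)."""
    host = host_value(url, include_port, explicit_host)
    sig = hmac.new(secret, canonical(host, url).encode(), hashlib.sha256).hexdigest()
    return host, sig


def server_accepts(secret, received_host, url, signature):
    """Server side: recompute from the Host header as received, compare in constant time."""
    expected = hmac.new(secret, canonical(received_host, url).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    key = b"constructed-demo-secret"
    url = "https://api.example.test:8443/v1/items?limit=5"   # non-standard port
    old_host, old_sig = client_sign(key, url, include_port=False)
    new_host, new_sig = client_sign(key, url)
    print(old_host, server_accepts(key, "api.example.test:8443", url, old_sig))  # api.example.test False
    print(new_host, server_accepts(key, "api.example.test:8443", url, new_sig))  # api.example.test:8443 True
```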