Components check now done on params.components rather than on filled variable, Refactored signatureHeaders and signatureHeadersSync common code into getSigningOptions, ran 'npm run lint'

defi-scripter470po · defi-scripter470po · commit 5ed8ed137d8c · 2025-09-25T09:23:51.000+02:00
diff --git a/.github/workflows/pullrequest.yml b/.github/workflows/pullrequest.yml
@@ -61,11 +61,11 @@ jobs:
     name: Deploy Rust Crates
     timeout-minutes: 5
     env:
-        # This token can be regenerated by visiting https://crates.io/me,
-        # generating a new API token with `publish-update` permissions,
-        # scoping it to just `web-bot-auth` and `http-signature-directory`
-        # crates, and uploading to Github.
-        CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_API_TOKEN }}
+      # This token can be regenerated by visiting https://crates.io/me,
+      # generating a new API token with `publish-update` permissions,
+      # scoping it to just `web-bot-auth` and `http-signature-directory`
+      # crates, and uploading to Github.
+      CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_API_TOKEN }}
     strategy:
       matrix:
         os: [ubuntu-24.04]
@@ -87,7 +87,7 @@ jobs:
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
       - name: Set rust toolchain
         run: rustup override set 1.87
-      - run: cargo publish -p web-bot-auth  # will fail if we don't bump the version
+      - run: cargo publish -p web-bot-auth # will fail if we don't bump the version
         continue-on-error: true
       - run: cargo publish -p http-signature-directory # will fail if we don't bump the version
-        continue-on-error: true
+        continue-on-error: true
diff --git a/README.md b/README.md
@@ -43,13 +43,13 @@ This deployment allows to test your implementation.
 
 This repository uses [npm](https://docs.npmjs.com/cli/v11/using-npm/workspaces) and [cargo](https://doc.rust-lang.org/book/ch14-03-cargo-workspaces.html) workspaces. There are several packages which it provides:
 
-| Package                                                    | Language   | Description                                                                            |
-| :--------------------------------------------------------- | :--------- | :------------------------------------------------------------------------------------- |
-| [http-message-sig](./packages/http-message-sig/)           | TypeScript | HTTP Message Signatures as defined in RFC 9421                                         |
-| [jsonwebkey-thumbprint](./packages/jsonwebkey-thumbprint/) | TypeScript | JWK Thumbprint as defined in RFC 7638                                                  |
-| [web-bot-auth](./packages/web-bot-auth/)                   | TypeScript | HTTP Message Signatures for Bots as defined in draft-meunier-web-bot-auth-architecture |
-| [web-bot-auth](./crates/web-bot-auth/)                     | Rust       | HTTP Message Signatures for Bots as defined in draft-meunier-web-bot-auth-architecture |
-| [http-signature-directory](./crates/http-signature-directory/)| Rust    | Validates whether an HTTP message signature directory is correctly signed and valid |
+| Package                                                        | Language   | Description                                                                            |
+| :------------------------------------------------------------- | :--------- | :------------------------------------------------------------------------------------- |
+| [http-message-sig](./packages/http-message-sig/)               | TypeScript | HTTP Message Signatures as defined in RFC 9421                                         |
+| [jsonwebkey-thumbprint](./packages/jsonwebkey-thumbprint/)     | TypeScript | JWK Thumbprint as defined in RFC 7638                                                  |
+| [web-bot-auth](./packages/web-bot-auth/)                       | TypeScript | HTTP Message Signatures for Bots as defined in draft-meunier-web-bot-auth-architecture |
+| [web-bot-auth](./crates/web-bot-auth/)                         | Rust       | HTTP Message Signatures for Bots as defined in draft-meunier-web-bot-auth-architecture |
+| [http-signature-directory](./crates/http-signature-directory/) | Rust       | Validates whether an HTTP message signature directory is correctly signed and valid    |
 
 ## Security Considerations
 
diff --git a/crates/http-signature-directory/README.md b/crates/http-signature-directory/README.md
@@ -18,7 +18,6 @@ This is an opinionated validator:
 - [Security Considerations](#security-considerations)
 - [License](#license)
 
-
 ## Usage
 
 ```
diff --git a/packages/web-bot-auth/src/index.ts b/packages/web-bot-auth/src/index.ts
@@ -6,6 +6,7 @@ export {
   type SignatureHeaders,
   type Signer,
   type SignerSync,
+  type SignOptions,
   Tag,
   directoryResponseHeaders,
 } from "http-message-sig";
@@ -55,13 +56,13 @@ export function validateNonce(nonce: string): boolean {
   }
 }
 
-export function signatureHeaders<
+function getSigningOptions<
   T extends httpsig.RequestLike | httpsig.ResponseLike,
 >(
   message: T,
   signer: httpsig.Signer,
   params: SignatureParams
-): Promise<httpsig.SignatureHeaders> {
+): httpsig.SignOptions {
   if (params.created.getTime() > params.expires.getTime()) {
     throw new Error("created should happen before expires");
   }
@@ -75,21 +76,24 @@ export function signatureHeaders<
     }
   }
   const signatureAgent = httpsig.extractHeader(message, SIGNATURE_AGENT_HEADER);
-  let components: string[] | undefined = params.components;
-  if(!components) {
-    // not the ideal check, but extractHeader returns "" instead of throwing or null when the header does not exist
+  let components: string[];
+  if (!params.components) {
+    // `extractHeader` returns "" instead of throwing or null when the header does not exist
     if (!signatureAgent) {
       components = REQUEST_COMPONENTS_WITHOUT_SIGNATURE_AGENT;
     } else {
-      components = REQUEST_COMPONENTS
+      components = REQUEST_COMPONENTS;
     }
   } else {
-    if(signatureAgent && components.indexOf("SIGNATURE_AGENT_HEADER") === -1)
-    {
-      throw new Error(`${SIGNATURE_AGENT_HEADER} is required in params.component when included as a header param`);
+    if (signatureAgent && components.indexOf("SIGNATURE_AGENT_HEADER") === -1) {
+      throw new Error(
+        `${SIGNATURE_AGENT_HEADER} is required in params.component when included as a header param`
+      );
     }
+    components = params.components;
   }
-  return httpsig.signatureHeaders(message, {
+
+  return {
     signer,
     components,
     created: params.created,
@@ -98,7 +102,20 @@ export function signatureHeaders<
     keyid: signer.keyid,
     key: params.key,
     tag: HTTP_MESSAGE_SIGNAGURE_TAG,
-  });
+  };
+}
+
+export function signatureHeaders<
+  T extends httpsig.RequestLike | httpsig.ResponseLike,
+>(
+  message: T,
+  signer: httpsig.Signer,
+  params: SignatureParams
+): Promise<httpsig.SignatureHeaders> {
+  return httpsig.signatureHeaders(
+    message,
+    getSigningOptions(message, signer, params)
+  );
 }
 
 export function signatureHeadersSync<
@@ -108,41 +125,10 @@ export function signatureHeadersSync<
   signer: httpsig.SignerSync,
   params: SignatureParams
 ): httpsig.SignatureHeaders {
-  if (params.created.getTime() > params.expires.getTime()) {
-    throw new Error("created should happen before expires");
-  }
-  let nonce = params.nonce;
-  if (!nonce) {
-    nonce = generateNonce();
-  } else {
-    if (!validateNonce(nonce)) {
-      throw new Error("nonce is not a valid uint32");
-    }
-  }
-  const signatureAgent = httpsig.extractHeader(message, SIGNATURE_AGENT_HEADER);
-  let components: string[] | undefined = params.components;
-  if(!components) {
-    // not the ideal check, but extractHeader returns "" instead of throwing or null when the header does not exist
-    if (!signatureAgent) {
-      components = REQUEST_COMPONENTS_WITHOUT_SIGNATURE_AGENT;
-    } else {
-      components = REQUEST_COMPONENTS
-    }
-  } else {
-    if(signatureAgent && components.indexOf("SIGNATURE_AGENT_HEADER") === -1)
-    {
-      throw new Error(`${SIGNATURE_AGENT_HEADER} is required in params.component when included as a header param`);
-    }
-  }
-  return httpsig.signatureHeadersSync(message, {
-    signer,
-    components,
-    created: params.created,
-    expires: params.expires,
-    nonce,
-    keyid: signer.keyid,
-    tag: HTTP_MESSAGE_SIGNAGURE_TAG,
-  });
+  return httpsig.signatureHeadersSync(
+    message,
+    getSigningOptions(message, signer, params)
+  );
 }
 
 export type Verify<T> = (
diff --git a/packages/web-bot-auth/test/test_data/web_bot_auth_architecture_v1.json b/packages/web-bot-auth/test/test_data/web_bot_auth_architecture_v1.json
@@ -77,4 +77,4 @@
     "signature_input": "sig2=(\"@authority\" \"signature-agent\");created=1735689600;keyid=\"poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U\";alg=\"ed25519\";expires=1735693200;nonce=\"e8N7S2MFd/qrd6T2R3tdfAuuANngKI7LFtKYI/vowzk4lAZYadIX6wW25MwG7DCT9RUKAJ0qVkU0mEeLElW1qg==\";tag=\"web-bot-auth\"",
     "signature_agent": "\"https://signature-agent.test\""
   }
-]
+]

Original file line number	Diff line number	Diff line change
`@@ -77,4 +77,4 @@`
`77`	`77`	`"signature_input": "sig2=(\"@authority\" \"signature-agent\");created=1735689600;keyid=\"poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0U\";alg=\"ed25519\";expires=1735693200;nonce=\"e8N7S2MFd/qrd6T2R3tdfAuuANngKI7LFtKYI/vowzk4lAZYadIX6wW25MwG7DCT9RUKAJ0qVkU0mEeLElW1qg==\";tag=\"web-bot-auth\"",`
`78`	`78`	`"signature_agent": "\"https://signature-agent.test\""`
`79`	`79`	`}`
`80`		`-]`
	`80`	`+]`