Harden request/response Pub/Sub envelopes with HMAC verification by twisti-dev · Pull Request #54 · SLNE-Development/surf-redis

twisti-dev · 2026-05-07T08:40:45Z

The RequestResponseBus previously used global Redis Pub/Sub channels and first-response-wins by UUID without authenticating senders, allowing any Redis Pub/Sub participant with access to forge responses and win races.
The intent of this change is to add lightweight message authentication so only nodes that share a secret can produce valid request/response envelopes, preventing unauthenticated forgery while preserving the existing request/response semantics.

Add HMAC-SHA256 utilities and require the SURF_REDIS_REQUEST_HMAC_KEY environment variable as the shared secret for envelope signing.
Extend RequestEnvelope and ResponseEnvelope with a signature field and compute signatures when publishing requests and responses.
Verify envelope signatures in handleIncomingRequest and handleIncomingResponse and reject messages with invalid signatures before processing.
Preserve existing UUID correlation, request/response flow, timeout handling, and handler dispatch logic.

Ran ./gradlew :surf-redis-core:compileKotlin -x test, which failed in this environment because the build requires a newer JVM (dependency resolution requires Java 25 while the container has Java 21).
No automated unit or integration tests completed due to the environment's build/tooling constraints, so runtime verification should be performed in CI or a local environment with the required JDK and SURF_REDIS_REQUEST_HMAC_KEY set.

Harden request/response bus with HMAC envelope validation

334dccc

twisti-dev added codex aardvark labels May 7, 2026 — with ChatGPT Codex Connector

twisti-dev added the codex label May 7, 2026

Provide feedback