feat: validate directories from verification page#83
Conversation
| return response.json(); | ||
| } | ||
|
|
||
| function validateDirectory(directory: unknown): string[] { |
There was a problem hiding this comment.
validateDirectory and validDirectoryURL are validating something different than what #37 is expecting, alas.
To be a valid directory, it should implement all the checks the http-signature-directory crate is doing today. There are some critical missing ones today:
Content-Typeheader matches what's expected- It should parse
Signature-InputandSignatureheaders appropriately, then check if performing a WBA verification againstSignaturepasses for every key listed in the key set returned by the directory. This can be accomplished using the existing Typescript packages. - It should ensure
Signature-Inputcontains the right components, specifically@authorityand the righttag. - It should verify that the Signature isn't expired.
The reference crate only supports Ed25519, but the Typescript packages in this repository support multiple. You should utilise it to implement what you need.
| } | ||
| } | ||
|
|
||
| if (typeof value.purpose !== "string" || value.purpose.length === 0) { |
There was a problem hiding this comment.
I don't think purpose is required by the JSON web key set format described in the RFC for signature directories, so you can drop this check.
|
Thanks @AkshatM. Two follow-ups:
Let me know if you'd prefer this scoped here or split into a follow-up PR — happy to do either. |
Scoped here is sufficient. |
thibmeu
left a comment
thibmeu
left a comment
There was a problem hiding this comment.
thanks for the PR @MukundaKatta
i worry about the introduced DoS vector this introduces, by allowing a proxy to fetch arbitrary URLs. Specifically, the tricky part is fetching arbitrary URLs, mentioned #37 (comment), which this is essentially proposing
having a simpler design requesting a captcha pass (like turnstile) and light validation on the proxying side, while the browsre performes the actual check
maybe so we can tune the design: is your use case local validation in a browser, an API that you can hit, something else?
| ); | ||
| } | ||
|
|
||
| const response = await fetch(parsed); |
There was a problem hiding this comment.
this is an arbitrary fetch, which creates a DoS vector
…lare#37 Address @AkshatM's review feedback by aligning the worker's directory validator with the http-signature-directory crate's checks: - Content-Type must start with 'application/http-message-signatures-directory+json' (per crates/http-signature-directory/src/main.rs) - drop the 'purpose' check — not required by the JWKS shape in the HTTP Message Signatures directory RFC - cap the response body at 64 KB to remove the DoS amplification vector AkshatM flagged on the arbitrary fetch - cryptographically verify the response signature against *every* key in the JWKS via the existing 'verify()' helper from web-bot-auth. The verify() callback enforces: * tag === 'web-bot-auth' (built-in) * signature freshness via the created/expires window (built-in) * Ed25519 signature against the imported JWK (per-key) Per the reference crate, a single key passing isn't sufficient — every listed key must verify. - request the directory as a ResponseRequestPair so '@authority;req' can resolve from the request side when the signature covers it. Multi-kty support is staged behind 'kty === "OKP"'; non-Ed25519 keys fail with a clear error rather than silently importing as the wrong algorithm. The reference crate is also Ed25519-only today, so this matches behaviour. Adding RSA/EC support is a separate change.
|
Pushed
Also dropped the Multi-kty: gated behind The pre-existing tsc error at |
3 participants
Fixes #37.
Adds a Worker-backed directory validator to the verification website:
Validation: