Document Cloud request signing #776
|
|
||
| External systems can generate valid signatures for a Craft Cloud environment, given the corresponding `$CRAFT_CLOUD_SIGNING_KEY`. | ||
|
|
||
| Signatures expire after 5 minutes when verified by the Craft Cloud gateway. Set `expires` about 5 minutes after `created`. |
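Review bot: The second sentence of this added line ("Set `expires` about 5 minutes after `created`") leaves it unclear whether the five-minute limit comes from the signer's `expires` value or is enforced by the gateway regardless of it, and "about" gives no bound. Suggest stating which timestamp the gateway measures the window from and what happens when `expires` is later than that window, or dropping the sentence if `expires` has no effect on the result.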
Is the recommendation then to just avoid reusing/retrying any signed URLs, in case they were consumed by the gateway and/or have expired?
Is a URL valid for five minutes from signing, or does that timer count down from its first use (as far as the gateway is aware)?
> Is the recommendation then to just avoid reusing/retrying any signed URLs, in case they were consumed by the gateway and/or have expired?

In general, yes. They are expected to be signed and used at request time.

> Is a URL valid for five minutes from signing, or does that timer count down from its first use (as far as the gateway is aware)?

From the created timestamp of the signature. Nothing special we're doing here, just standard http sig: https://www.rfc-editor.org/rfc/rfc9421.html#section-3.2.1-3.2
Should just lose the "Set expires about 5 minutes after created.".
| const result = await response.json(); | ||
| ``` | ||
|
|
||
| Store the signing key in the external system’s secret manager. The `@target-uri` value must match the requested URL exactly, including any query string. |
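Review bot: This added paragraph puts two unrelated requirements on one line, key storage and the `@target-uri` match, so the second is easy to miss. Suggest splitting them and adding that the string signed as `@target-uri` should be the same value that is passed to the request, since "exactly, including any query string" implies that reordered or re-encoded query parameters would no longer match.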
Just so I'm clear… our example satisfies this @target-uri requirement because we're sharing the url variable between the signing routine and the fetch() call?
Documents how trusted automation can sign requests to Craft Cloud and avoid bot-specific rate limits.