You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Demonstrate hosting signature agent card and registry on Cloudflare Workers (cloudflare#65)
* Support Workers with `time` crate instead of `std::time`
Cloudflare Workers does not expose a system clock. This isn't caught by
our Github compilation tests because `std::time` compiles in
`wasm32-unknown-unknown` just fine, but throws a runtime panic in that
environment.
The standard advice is to use `time` crate instead per public Cloudflare
documentation with `wasm-bindgen` feature enabled. The main difference
is that calls to `SystemTime::now()` and `Instant::elapsed()`, both of
which require a running clock, have now been replaced with
`UtcTimeOffset::now()` and raw `time::Duration` calculations. As a nice
side effect, we can also remove an entire category of errors thrown by
`std::time` from those thrown by `web-bot-auth`.
* Create an example of how to host a signature agent card and a registry
on Cloudflare workers
This change adds a single Worker that:
1. Generates a brand new SAC and persists it in Workers KV, accessible
on visiting a message directory.
2. Generates a registry linking to that SAC.
It is set up in such a way that attaching multiple custom routes will
automatically expand the number of registry items - for example, every
new subdomain will trigger a new SAC. This makes it useful for e.g.
end-to-end tests.
* Fix registry and http-signature-directory to work with spec
The registry should point to `/well-known/http-message-signature` path, not
just the domain of the host. This change amends that.
`http-signature-directory` has been assuming responses from the
directory will be signed with just the `@authority` component - however, this
is wrong, both per the spec and logically. The correct component should
be `"@authority";req`, indicating that the response is signing the
derived component from the request. This change adds a log line to the
same.
It also adds a better error message for the case when signature
verification fails. This is based on real challenges experienced by the
community e.g. in https://community.cloudflare.com/t/web-bot-auth-signature-validation-failure/854577
during parsing.
* fixup! Fix registry and http-signature-directory to work with spec
0 commit comments