You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Release v0.6.0 for web-bot-auth crates (cloudflare#68)
* Make `@authority;req` errors more prominent + fix example signature
generation
This change amends the `http-signature-dir` to print an error log
whendirectories mistakenly sign `@authority` without the `req`
parameter.
It fixes a bug with the example signature agent card generation where
only the host component was used to sign `@authority`, rather than the
full host and port pair (i.e. the _actual_ authority component). This
led to verifiers being unable to verify generated signatures.
It fixes some minor comments and superfluous Github Actions changes,
and does some basic refactoring to make the logic a bit more
straightforward in the example. Importantly, it also adds the
`alg` parameter in generated signatures - this is in line with the
opinionated signing we do, whereby other elements normal to web bot auth
are also enforced for arbitrary HTTP signatures.
* Release v0.6.0 of web-bot-auth crates
These include some pretty significant and breaking changes:
1. Dependency on `time` library is now required instead of `std::time`
for all API users. As a bonus, however, we gain support on Cloudflare
Workers as well as removal of a class of errors related to system
clocks and `created` / `expires` parsing.
2. A number of constructs were removed: `WebBotAuthSignedMessage`,
`SignedMessage::fetch_all_signature_headers` and
`SignedMessage::fetch_all_signature_inputs`. The library now exposes
a single method to look up components to verify.
3. `Signature-Agent` can now be parsed as a dictionary, but retains
support for being parsed as a raw string.
4. It enforces use of `req` parameter in `http-message-dir`. This is in
line with the specification, but can break verification of existing
sites.
I also removed the pin to Rust v1.87 in the Github Actions handler. This
ensures we're building against the latest available Rust version.
|[Cloudflare Workers](./examples/signature-agent-card-and-registry)| Host a signature directory on Cloudflare Workers, using the [signature agent card and registry](https://datatracker.ietf.org/doc/draft-meunier-webbotauth-registry/) format |
47
+
42
48
## Development
43
49
44
50
This repository uses [npm](https://docs.npmjs.com/cli/v11/using-npm/workspaces) and [cargo](https://doc.rust-lang.org/book/ch14-03-cargo-workspaces.html) workspaces. There are several packages which it provides:
"You are signing a plain `@authority` without the `req` component parameter. Fix by signing with `req` so that Signature-Input uses `\"@authority\";req` instead",
0 commit comments