Sign auth HMAC over request bodies

benthecarman · benthecarman · commit 819bed81a3dd · 2026-05-12T16:25:14.000-05:00
Require authenticated gRPC requests to bind the HMAC to both the timestamp and the request body. This prevents a valid header from being replayed with different request contents during the allowed timestamp window.

Update the client and docs so callers generate signatures that match the new server contract.
diff --git a/docs/api-guide.md b/docs/api-guide.md
@@ -24,9 +24,12 @@ x-auth: HMAC <unix_timestamp>:<hmac_hex>
 Where:
 
 - `unix_timestamp` is the current time in seconds since the Unix epoch
-- `hmac_hex` is the hex-encoded result of `HMAC-SHA256(api_key_bytes, timestamp_be_bytes)`
+- `hmac_hex` is the hex-encoded result of
+  `HMAC-SHA256(api_key_bytes, timestamp_be_bytes || grpc_request_body_bytes)`
     - `api_key_bytes` is the API key string encoded as UTF-8 bytes
     - `timestamp_be_bytes` is the timestamp as a big-endian 8-byte unsigned integer
+    - `grpc_request_body_bytes` is the raw gRPC request body sent over HTTP/2, including
+      the 5-byte gRPC message frame
 
 The server rejects requests where the timestamp differs from the server's clock by more than
 **60 seconds**.
diff --git a/ldk-server-client/README.md b/ldk-server-client/README.md
@@ -30,7 +30,8 @@ println!("Node ID: {}", info.node_id);
 
 The client handles HMAC-SHA256 authentication automatically. Pass the hex-encoded API key
 (found at `<storage_dir>/<network>/api_key`) and the server's TLS certificate (found at
-`<storage_dir>/tls.crt`).
+`<storage_dir>/tls.crt`). Each request signature covers both the timestamp and the raw gRPC
+request body bytes.
 
 ## Event Streaming
 
diff --git a/ldk-server-client/src/client.rs b/ldk-server-client/src/client.rs
@@ -106,16 +106,16 @@ impl LdkServerClient {
 
 	/// Computes the HMAC-SHA256 authentication header value.
 	/// Format: "HMAC <timestamp>:<hmac_hex>"
-	/// Uses timestamp-only HMAC (no body) since TLS guarantees integrity.
-	fn compute_auth_header(&self) -> String {
+	/// The signature covers the timestamp and raw gRPC request body bytes.
+	fn compute_auth_header(&self, body: &[u8]) -> String {
 		let timestamp = SystemTime::now()
 			.duration_since(UNIX_EPOCH)
 			.expect("System time should be after Unix epoch")
 			.as_secs();
 
-		// HMAC-SHA256(api_key, timestamp_bytes) — no body
 		let mut hmac_engine: HmacEngine<sha256::Hash> = HmacEngine::new(self.api_key.as_bytes());
 		hmac_engine.input(&timestamp.to_be_bytes());
+		hmac_engine.input(body);
 		let hmac_result = Hmac::<sha256::Hash>::from_engine(hmac_engine);
 
 		format!("HMAC {}:{}", timestamp, hmac_result)
@@ -428,7 +428,7 @@ impl LdkServerClient {
 		let grpc_body = encode_grpc_frame(&request.encode_to_vec()).to_vec();
 
 		let url = format!("https://{}{}{}", self.base_url, GRPC_SERVICE_PREFIX, method);
-		let auth_header = self.compute_auth_header();
+		let auth_header = self.compute_auth_header(&grpc_body);
 
 		let response = self
 			.client
@@ -471,7 +471,7 @@ impl LdkServerClient {
 		let grpc_body = encode_grpc_frame(&request.encode_to_vec()).to_vec();
 
 		let url = format!("https://{}{}{}", self.base_url, GRPC_SERVICE_PREFIX, method);
-		let auth_header = self.compute_auth_header();
+		let auth_header = self.compute_auth_header(&grpc_body);
 
 		let response = self
 			.streaming_client
diff --git a/ldk-server/src/service.rs b/ldk-server/src/service.rs
