net.http.signature: reconstruct absolute @target-uri for origin-form requests

davlgd · davlgd · commit f3e774df1b8d · 2026-05-08T14:26:11.000+02:00
diff --git a/vlib/net/http/signature/http_message.v b/vlib/net/http/signature/http_message.v
@@ -27,6 +27,12 @@ pub:
 	// the wire. Most signers leave it off (the verifier looks the alg
 	// up by `keyid`); set to true for explicit signalling.
 	include_alg bool
+	// scheme is used to reconstruct `@target-uri` and `@scheme` when
+	// `req.url` is origin-form (e.g. `/foo`, as produced by
+	// `http.parse_request*`). The default matches the common signing
+	// scenario (TLS-protected APIs). Ignored when `req.url` already
+	// carries a scheme.
+	scheme string = 'https'
 }
 
 // sign_request signs an HTTP request in place by appending the
@@ -39,7 +45,7 @@ pub:
 // RFC 9421 §7.2.1 RECOMMENDS the parameter for replay protection.
 // Pass an explicit `created: 0` only if you know you don't want it.
 pub fn sign_request(mut req http.Request, key Key, opts SignRequestOptions) ! {
-	c := request_components(req)!
+	c := request_components(req, opts.scheme)!
 	mut comps := opts.components.clone()
 	if comps.len == 0 {
 		comps = default_request_components(req)
@@ -69,14 +75,18 @@ pub struct VerifyRequestOptions {
 pub:
 	label    string
 	now_unix i64
+	// scheme — see SignRequestOptions.scheme. Both ends of the
+	// signature must agree on the scheme used to reconstruct the
+	// target URI, otherwise the signature bases differ.
+	scheme string = 'https'
 }
 
 // verify_request verifies a labelled signature on an HTTP request. If
 // `opts.label` is empty and exactly one signature is present, that
 // one is checked. If `opts.now_unix > 0`, the `expires` parameter is
 // also enforced.
 pub fn verify_request(req http.Request, key Key, opts VerifyRequestOptions) ! {
-	c := request_components(req)!
+	c := request_components(req, opts.scheme)!
 	sig_input := merged_dict_field(req.header, 'Signature-Input') or {
 		return MalformedMessage{
 			reason: 'request has no Signature-Input header'
@@ -180,14 +190,13 @@ fn merged_dict_field(h http.Header, name string) ?string {
 }
 
 // request_components extracts the derived-component values from an
-// http.Request. The url field is parsed once; if it is not a valid
-// URL we surface a typed error rather than silently dropping
-// components that depend on it (@scheme, @authority, @path, @query).
-fn request_components(req http.Request) !Components {
-	mut c := Components{
-		method:     req.method.str()
-		target_uri: req.url
-	}
+// http.Request. `default_scheme` is used when `req.url` is in
+// origin-form (e.g. `/foo?bar=1`, as produced by `http.parse_request*`
+// for inbound HTTP/1.1 messages); in that case `@target-uri` is
+// reconstructed as `<scheme>://<authority><url>` per RFC 9110 §7.1.
+// If `req.url` is not a valid URL we surface a typed error rather
+// than silently dropping components that depend on it.
+fn request_components(req http.Request, default_scheme string) !Components {
 	parsed := urllib.parse(req.url) or {
 		return MalformedMessage{
 			reason: 'request url "${req.url}" is not a valid URL: ${err.msg()}'
@@ -198,11 +207,21 @@ fn request_components(req http.Request) !Components {
 	} else {
 		req.host
 	}
+	scheme := if parsed.scheme != '' { parsed.scheme } else { default_scheme }
+	mut c := Components{
+		method: req.method.str()
+	}
+	is_origin_form := req.url.starts_with('/')
+	c.target_uri = if is_origin_form && authority != '' {
+		'${scheme}://${authority}${req.url}'
+	} else {
+		req.url
+	}
 	if authority != '' {
 		c.authority = authority
 	}
-	if parsed.scheme != '' {
-		c.scheme = parsed.scheme
+	if scheme != '' {
+		c.scheme = scheme
 	}
 	if parsed.path != '' {
 		c.path = parsed.path
diff --git a/vlib/net/http/signature/http_message_test.v b/vlib/net/http/signature/http_message_test.v
@@ -140,6 +140,65 @@ fn test_verify_request_rejects_expired_signature() {
 	verify_request(req, key)!
 }
 
+fn test_origin_form_request_target_uri_reconstructed() {
+	// Inbound HTTP/1.1 requests parsed by `http.parse_request*` carry
+	// the request target verbatim (`/foo?bar=1`), not an absolute URI.
+	// `request_components` must rebuild `<scheme>://<authority><url>`
+	// so the verifier sees the same `@target-uri` as a peer that signs
+	// with an absolute URL.
+	mut signing_req := http.Request{
+		method: .post
+		url:    'https://example.com/foo?bar=1'
+	}
+	signing_req.header.add_custom('Host', 'example.com')!
+	key := Key.hmac_sha256(test_secret.bytes())
+	sign_request(mut signing_req, key,
+		components: ['@method', '@target-uri']
+		created:    1
+	)!
+
+	// Receiver side: same request as it would land after parsing.
+	mut received := http.Request{
+		method: .post
+		url:    '/foo?bar=1'
+		host:   'example.com'
+	}
+	for k in signing_req.header.keys() {
+		for v in signing_req.header.custom_values(k) {
+			received.header.add_custom(k, v)!
+		}
+	}
+	verify_request(received, key)!
+}
+
+fn test_origin_form_uses_explicit_scheme() {
+	// HTTP-only deployment: caller must pass `scheme: 'http'` so both
+	// sides agree on the reconstructed target URI.
+	mut signing_req := http.Request{
+		method: .get
+		url:    'http://api.example.com/v1/items'
+	}
+	signing_req.header.add_custom('Host', 'api.example.com')!
+	key := Key.hmac_sha256(test_secret.bytes())
+	sign_request(mut signing_req, key,
+		components: ['@method', '@target-uri']
+		created:    1
+		scheme:     'http'
+	)!
+
+	mut received := http.Request{
+		method: .get
+		url:    '/v1/items'
+		host:   'api.example.com'
+	}
+	for k in signing_req.header.keys() {
+		for v in signing_req.header.custom_values(k) {
+			received.header.add_custom(k, v)!
+		}
+	}
+	verify_request(received, key, scheme: 'http')!
+}
+
 fn test_sign_two_signatures_coexist() {
 	mut req := build_request('https://example.com/foo')
 	k1 := Key.hmac_sha256('one'.bytes())
