net.http.signature: strip default ports from @authority per RFC 9421 §2.2.3

Author: davlgd

vlib/net/http/signature/components.v

@@ -66,7 +66,7 @@ fn (c Components) derived_value(name string) !string {
 		}
 		'@authority' {
 			if a := c.authority {
-				a.to_lower()
+				normalize_authority(a, c.scheme)
 			} else {
 				return missing(name)
 			}
@@ -134,6 +134,39 @@ fn missing(name string) IError {
 	}
 }
 
+// normalize_authority lowercases the authority and strips the port when
+// it equals the URI scheme's default (RFC 9421 §2.2.3 + RFC 9110 §4.2.3).
+// Without this, peers that emit `example.com` and peers that emit
+// `example.com:443` produce different signature bases for the same
+// resource and fail to interoperate.
+fn normalize_authority(authority string, scheme ?string) string {
+	lower := authority.to_lower()
+	port_colon := find_port_colon(lower) or { return lower }
+	port := lower[port_colon + 1..]
+	scheme_lower := if s := scheme { s.to_lower() } else { '' }
+	if (scheme_lower == 'https' && port == '443')
+		|| (scheme_lower == 'http' && port == '80') {
+		return lower[..port_colon]
+	}
+	return lower
+}
+
+// find_port_colon returns the index of the ':' that separates the port
+// in an authority, or `none` if no port is present. IPv6 literals embed
+// colons inside `[...]`; the port colon (if any) is the one immediately
+// following the closing bracket.
+fn find_port_colon(authority string) ?int {
+	if authority.starts_with('[') {
+		bracket := authority.index(']') or { return none }
+		if bracket + 1 < authority.len && authority[bracket + 1] == `:` {
+			return bracket + 1
+		}
+		return none
+	}
+	colon := authority.last_index(':') or { return none }
+	return colon
+}
+
 // trim_ows removes leading/trailing OWS (RFC 7230 §3.2.3 - SP and
 // HTAB). RFC 9421 §2.1 step 3 mandates this trim before signing.
 fn trim_ows(s string) string {

vlib/net/http/signature/components_test.v

@@ -0,0 +1,76 @@
+// Tests for derived component canonicalization rules from RFC 9421 §2.2.
+module signature
+
+fn test_authority_strips_default_https_port() {
+	c := Components{
+		authority: 'Example.com:443'
+		scheme:    'https'
+	}
+	assert c.derived_value('@authority')! == 'example.com'
+}
+
+fn test_authority_strips_default_http_port() {
+	c := Components{
+		authority: 'example.com:80'
+		scheme:    'http'
+	}
+	assert c.derived_value('@authority')! == 'example.com'
+}
+
+fn test_authority_keeps_non_default_port() {
+	c := Components{
+		authority: 'example.com:8443'
+		scheme:    'https'
+	}
+	assert c.derived_value('@authority')! == 'example.com:8443'
+}
+
+fn test_authority_does_not_strip_when_scheme_mismatched() {
+	// :80 with https scheme is *not* the default, so it must stay.
+	c := Components{
+		authority: 'example.com:80'
+		scheme:    'https'
+	}
+	assert c.derived_value('@authority')! == 'example.com:80'
+}
+
+fn test_authority_no_port_unchanged() {
+	c := Components{
+		authority: 'Example.COM'
+		scheme:    'https'
+	}
+	assert c.derived_value('@authority')! == 'example.com'
+}
+
+fn test_authority_ipv6_strips_default_port() {
+	c := Components{
+		authority: '[2001:db8::1]:443'
+		scheme:    'https'
+	}
+	assert c.derived_value('@authority')! == '[2001:db8::1]'
+}
+
+fn test_authority_ipv6_keeps_non_default_port() {
+	c := Components{
+		authority: '[2001:db8::1]:8443'
+		scheme:    'https'
+	}
+	assert c.derived_value('@authority')! == '[2001:db8::1]:8443'
+}
+
+fn test_authority_ipv6_no_port_unchanged() {
+	c := Components{
+		authority: '[2001:db8::1]'
+		scheme:    'https'
+	}
+	assert c.derived_value('@authority')! == '[2001:db8::1]'
+}
+
+fn test_authority_no_scheme_keeps_port() {
+	// Without a scheme we cannot know which port is the default, so
+	// the port is preserved.
+	c := Components{
+		authority: 'example.com:443'
+	}
+	assert c.derived_value('@authority')! == 'example.com:443'
+}