Clarification wrt URL-encoding - http-client stores URI elements already-encoded, so we don't need to encode them converting from Request but would need to for other user-supplied elements.
A few more types we'll need to generate the signature, timestamp of request and expiry. A request is valid (can be verified successfully) only from the signed timestamp, until the signed expiry (number of seconds after the timestamp). This was chosen with @markhibberd as a balance between likelihood of replay attacks and complexity (#6).
And a few associated bits:
`http-client` stores URI elements already-encoded, so we don't need to encode them converting from `Request` but would need to for other user-supplied elements.

@erikd-ambiata @thumphries @charleso
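
The validity window and the encoding rule described above, as an added example in Python (not code from this pull request or the project). It assumes an HMAC-SHA256 signature over a newline-joined canonical string and inclusive window bounds; the function names, canonical layout, key and sample values are all constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import quote

def canonical(method, encoded_path, extra, timestamp, expiry):
    # encoded_path arrives already percent-encoded (as http-client stores it)
    # and is used as-is; extra is raw user-supplied text, encoded exactly once.
    parts = [method, encoded_path, quote(extra, safe=""), str(timestamp), str(expiry)]
    return "\n".join(parts).encode("utf-8")

def sign(key, method, encoded_path, extra, timestamp, expiry):
    msg = canonical(method, encoded_path, extra, timestamp, expiry)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def verify(key, method, encoded_path, extra, timestamp, expiry, signature, now):
    # Authenticate first: timestamp and expiry are untrusted until the MAC
    # covering them has been checked.
    expected = sign(key, method, encoded_path, extra, timestamp, expiry)
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"
    if now < timestamp:
        return "not-yet-valid"
    if now > timestamp + expiry:  # assumption: the expiry second itself is valid
        return "expired"
    return "ok"

# Constructed sample values.
KEY = b"constructed-demo-key"
TS, EXPIRY = 1_700_000_000, 300
PATH, EXTRA = "/files/a%20b", "x y"
SIG = sign(KEY, "GET", PATH, EXTRA, TS, EXPIRY)

def demo():
    return {
        "inside window": verify(KEY, "GET", PATH, EXTRA, TS, EXPIRY, SIG, TS + 10),
        "before timestamp": verify(KEY, "GET", PATH, EXTRA, TS, EXPIRY, SIG, TS - 1),
        "replayed late": verify(KEY, "GET", PATH, EXTRA, TS, EXPIRY, SIG, TS + 301),
        "expiry stretched": verify(KEY, "GET", PATH, EXTRA, TS, 3600, SIG, TS + 301),
        "path re-encoded": verify(KEY, "GET", quote(PATH), EXTRA, TS, EXPIRY, SIG, TS + 10),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Because the timestamp and expiry are inside the signed string, a replayed request cannot have its window widened without invalidating the signature, and re-encoding an already-encoded path changes the signed bytes so verification fails.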