mgomes / api_auth

HMAC authentication for Rails and HTTP Clients
MIT License

Content MD5 not calculated if not present as a header #135

Closed c0ze closed 7 years ago

c0ze commented 7 years ago

I've recently added api-auth to my grape application, and trying to tweak it to my use case.

One thing I've noticed is that when authenticating requests, api-auth doesn't really make any attempt to calculate md5. It seems to read it from a header.

https://github.com/mgomes/api_auth/blob/master/lib/api_auth/request_drivers/action_controller.rb#L50

This makes the content md5 in the canon string rather redundant. You can get away with not including it and skip the content md5 header. IMHO, api-auth should calculate md5 itself and use it in the canonical string to verify HMAC signature.

Is this intended behaviour?

kjg commented 7 years ago

When using ApiAuth on the client side to sign a request, ApiAuth will calculate the md5 of the body and add it to the Content-MD5 header.

On the server side, when using ApiAuth to verify a request, ApiAuth will read the value out of the header (as you mentioned), and compare that to the value it calculates for the body received.

However, yes, it is true that if a client signing a request does not include a value in the md5 header (and also doesn't use it as part of the canonical string when calculating a signature), then the server side will not consider this an md5 mismatch, and will not construct the server side canonical string with the server side calculated md5 of the body.

I feel that this provides the most flexibility by allowing clients to skip the md5 calculation if they wish and not penalizing them for it by calling the request invalid, but does in fact calculate it and use it by default if they are using ApiAuth to do the signing.

Does this make sense and better align with your expectations than originally thought?
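To make the behaviour described above concrete, here is an added, stand-alone Ruby model of the two verification policies. It is not api_auth's own code: the `Request` struct, the header names, the `sign_request`/`verify_lenient`/`verify_strict` functions and the sample requests are all constructed for this example, and the canonical string format and HMAC-SHA256 signature are simplifications assumed for illustration. `verify_lenient` follows the current behaviour (skip the body check when no Content-MD5 header is sent); `verify_strict` always computes the MD5 of the received body and requires the header to match it, so a body that the signature never covered is rejected instead of accepted.

```ruby
require 'openssl'
require 'base64'
require 'digest/md5'

# Minimal request model (constructed for this example, not api_auth's classes).
Request = Struct.new(:method, :path, :content_type, :body, :headers)

# Base64 of the raw MD5 digest, the usual Content-MD5 encoding.
def body_md5(body)
  Base64.strict_encode64(Digest::MD5.digest(body.to_s))
end

# Assumed canonical string: content type, content md5, path, date.
def canonical_string(req, md5)
  [req.content_type, md5, req.path, req.headers['DATE']].join(',')
end

def hmac_signature(secret, canonical)
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', secret, canonical))
end

# Constant-time comparison so signature checks do not leak via timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: optionally add Content-MD5 and sign the canonical string.
def sign_request(req, access_id, secret, include_md5: true)
  md5 = include_md5 ? body_md5(req.body) : ''
  req.headers['CONTENT-MD5'] = md5 if include_md5
  sig = hmac_signature(secret, canonical_string(req, md5))
  req.headers['AUTHORIZATION'] = "APIAuth-HMAC-SHA256 #{access_id}:#{sig}"
  req
end

def provided_signature(req)
  req.headers.fetch('AUTHORIZATION', '').split(':', 2).last.to_s
end

# Lenient policy (the thread's described behaviour): if the client sent no
# Content-MD5 header, the body is not checked and the canonical string uses ''.
def verify_lenient(req, secret)
  header_md5 = req.headers['CONTENT-MD5']
  if header_md5
    return false unless constant_time_equal?(header_md5, body_md5(req.body))
    md5 = header_md5
  else
    md5 = ''
  end
  constant_time_equal?(hmac_signature(secret, canonical_string(req, md5)),
                       provided_signature(req))
end

# Strict policy: the server always derives the MD5 from the body it received
# and requires the header to match, so body integrity is always covered.
def verify_strict(req, secret)
  md5 = body_md5(req.body)
  header_md5 = req.headers['CONTENT-MD5']
  return false if header_md5.nil? || !constant_time_equal?(header_md5, md5)
  constant_time_equal?(hmac_signature(secret, canonical_string(req, md5)),
                       provided_signature(req))
end

# Runs the three cases the thread discusses and returns the outcomes.
def demo(secret = 'example-secret')
  date = 'Mon, 01 Jan 2018 00:00:00 GMT'
  fresh = -> { Request.new('POST', '/widgets', 'application/json', '{"qty":1}', { 'DATE' => date }) }

  with_md5    = sign_request(fresh.call, 'client1', secret, include_md5: true)
  without_md5 = sign_request(fresh.call, 'client1', secret, include_md5: false)

  # Same signed request, but the body changed after signing (e.g. by a faulty proxy).
  altered = without_md5.dup
  altered.body = '{"qty":1000}'

  {
    with_md5:          [verify_lenient(with_md5, secret),    verify_strict(with_md5, secret)],
    without_md5:       [verify_lenient(without_md5, secret), verify_strict(without_md5, secret)],
    altered_no_header: [verify_lenient(altered, secret),     verify_strict(altered, secret)]
  }
end
```

Running `demo` shows the trade-off kjg describes: the request signed with an MD5 passes both policies, the request signed without one passes only the lenient policy, and the altered-body request still passes the lenient policy because nothing in its signature depended on the body, while the strict policy rejects it.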

c0ze commented 7 years ago

Yes, so content md5 is kind of optional. Thank you.