Open kravchenkoa opened 2 years ago
Binance uses HMAC SHA256 passed in query string or request body. They also require timestamp and recvWindow, but those can be handled by map.
Another provider requiring requests signing, as mentioned by @freaz, is AWS.
@jnv AWS request signing is different. This is quite a simple payload signature, which could be done in map (if stdlib with crypto would be available), compared to https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
Unfortunately neither of them is really standardized.
I see. Personally I would prefer if requests signing were, in general, handled as a security scheme, but I am not sure whether it is possible to generalize this across many providers. But exposing relevant crypto functions in map would cover both Binance and AWS needs - or not?
Another case is with 2Checkout API. In this case, though, the authentication could be handled inside the map, since it doesn't work with the payload:
X-Avangate-Authentication: code="{VENDOR_CODE}" date="{REQUEST_DATE_TIME}" hash="{HASH}"
VENDOR_CODE: Your unique 2Checkout supplied merchant code.
REQUEST_DATE_TIME: The UTC date time of the request. Format: YYYY-MM-DD HH:MM:SS. You must provide the time of the request in the GMT timezone.
HASH: The hashmac digest with an md5 hashing algorithm of the following: LEN(VENDOR_CODE) + VENDOR_CODE + LEN(REQUEST_DATE_TIME) + REQUEST_DATE_TIME. Use the secret key associated with your account for the hashing.
So what we are missing in map for this is MD5 HMAC digest. Moreover, getting the current datetime in this format will be a PITA, but it can be done with some ugly string manipulation.
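The two schemes discussed in this thread, Binance's HMAC SHA256 over the request parameters and the 2Checkout MD5 HMAC header, written as an added Node.js example that is not part of the original thread or of the project's code. It assumes LEN means the UTF-8 byte length and that Binance expects the digest in a `signature` parameter; the function names are hypothetical and any keys or values passed in are the caller's.

```javascript
// Added example; function names are hypothetical, not a map stdlib API.
const { createHmac } = require('node:crypto');

// The one primitive both providers need: a keyed digest, hex encoded.
function hmacHex(algorithm, key, message) {
  return createHmac(algorithm, key).update(message, 'utf8').digest('hex');
}

// 2Checkout REQUEST_DATE_TIME: "YYYY-MM-DD HH:MM:SS", always in UTC.
function formatUtc(date) {
  return date.toISOString().slice(0, 19).replace('T', ' ');
}

// LEN(VENDOR_CODE) + VENDOR_CODE + LEN(REQUEST_DATE_TIME) + REQUEST_DATE_TIME
// Assumption: LEN is the byte length of the UTF-8 encoded string.
function avangateStringToSign(vendorCode, dateTime) {
  const len = (s) => Buffer.byteLength(s, 'utf8');
  return `${len(vendorCode)}${vendorCode}${len(dateTime)}${dateTime}`;
}

// Value of the X-Avangate-Authentication header. It does not depend on
// the request payload, only on the vendor code, the clock and the key.
function avangateHeader(vendorCode, secretKey, date) {
  const dateTime = formatUtc(date);
  const hash = hmacHex('md5', secretKey, avangateStringToSign(vendorCode, dateTime));
  return `code="${vendorCode}" date="${dateTime}" hash="${hash}"`;
}

// Binance: HMAC SHA256 over the serialized parameters, including
// timestamp and recvWindow, appended as `signature` (assumed name).
// The signed string must be byte-identical to what is sent on the wire.
function binanceSignedQuery(params, secretKey, timestampMs, recvWindow = 5000) {
  const query = new URLSearchParams({
    ...params,
    recvWindow,
    timestamp: timestampMs,
  }).toString();
  return `${query}&signature=${hmacHex('sha256', secretKey, query)}`;
}
```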
Some API endpoints have security from request signing, e.g. wallet information on Binance - https://api.binance.com/sapi/v1/capital/config/getall
Information about signed endpoint security: https://binance-docs.github.io/apidocs/spot/en/#signed-trade-user_data-and-margin-endpoint-security
Expected Behavior
Request signing should be supported
Current Behavior
Request signing is not supported
Possible Solution
Implement request signing and other common security mechanisms