Giters

interledger / rafiki

An open-source, comprehensive Interledger service for wallet providers, enabling them to provide Interledger functionality to their users.

Home Page:https://rafiki.dev/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Secure Admin API with HMAC signature

njlie opened this issue · comments

commented

Context

To follow established patterns in other services and use a low-overhead solution, it has been decided to secure the Admin API with an HMAC signature, using a shared secret between it and ASEs/the Admin UI.

Signature generation can be duplicated from:

rafiki/packages/backend/src/webhook/service.ts

Lines 218 to 235 in 5c0ee4b

export function generateWebhookSignature(
event: EventPayload,
secret: string,
version: number
): string {
const timestamp = Math.round(new Date().getTime() / 1000)
const payload = `${timestamp}.${canonicalize({
id: event.id,
type: event.type,
data: event.data
})}`
const hmac = createHmac('sha256', secret)
hmac.update(payload)
const digest = hmac.digest('hex')
return `t=${timestamp}, v${version}=${digest}`
}

Todos

  • Add HMAC signature verification to backend
  • Add shared secrets to backend, mock-ase, and frontend
  • Add signature generation to mock-ase and frontend
  • Add signature generation to integration tests