pyauth / requests-http-signature

A Requests auth module for the IETF HTTP Message Signatures draft standard

Home Page: https://pyauth.github.io/requests-http-signature/

HTTPSignatureAuth.verify does not validate the request body

Diggsey opened this issue

The digest header is validated if the client chooses to include it, but the verify method does not require it, and even when it is present, there's nothing to check that the digest actually matches the body of the request.

This now happens automatically (for the Content-Digest header) and is released in v0.4.0, along with passing required components to HTTPSignatureAuth.verify.
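
The check this issue asks for, sketched as an added example that is not part of the thread or the library's own code: the body is accepted only when `content-digest` is among the signed components and the header value matches a hash of the received bytes. The names `check_body`, `parse_content_digest`, `DigestError` and the `covered_components` argument are hypothetical; the header parsing handles only the simple `alg=:base64:` form.

```python
import base64
import hashlib
import hmac

# Algorithms accepted by this sketch (an assumption, not the library's list).
_HASHES = {"sha-256": hashlib.sha256, "sha-512": hashlib.sha512}


class DigestError(Exception):
    """Raised when the body is not bound to the signature or does not match."""


def parse_content_digest(value):
    """Parse 'sha-256=:...:, sha-512=:...:' into {algorithm: raw digest bytes}."""
    digests = {}
    for item in value.split(","):
        name, sep, enc = item.strip().partition("=")
        if not sep or len(enc) < 2 or enc[0] != ":" or enc[-1] != ":":
            raise DigestError("malformed Content-Digest item: %r" % item)
        try:
            digests[name.lower()] = base64.b64decode(enc[1:-1], validate=True)
        except ValueError as exc:
            raise DigestError("invalid base64 in Content-Digest") from exc
    return digests


def check_body(headers, body, covered_components):
    """Return the sorted list of digest algorithms that matched the body."""
    # 1. The digest must be signed, otherwise it can be replaced with the body.
    if "content-digest" not in {c.lower() for c in covered_components}:
        raise DigestError("content-digest is not covered by the signature")
    # 2. The header must be present.
    value = {k.lower(): v for k, v in headers.items()}.get("content-digest")
    if value is None:
        raise DigestError("Content-Digest header is missing")
    # 3. Every supported digest listed must match the bytes actually received.
    parsed = parse_content_digest(value)
    supported = {a: d for a, d in parsed.items() if a in _HASHES}
    if not supported:
        raise DigestError("no supported digest algorithm")
    for alg, expected in supported.items():
        if not hmac.compare_digest(_HASHES[alg](body).digest(), expected):
            raise DigestError("body does not match %s digest" % alg)
    return sorted(supported)
```
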