Documentation
Overview
Package hmacutil provides shared HMAC-SHA256 signing and verification utilities for Proxy A ↔ Proxy B communication.
Signature format:
HMAC-SHA256(secret, "METHOD\nPATH?QUERY\nTIMESTAMP\nBODY")
where TIMESTAMP is a Unix epoch in seconds (string), and BODY is the raw request body (may be empty). The resulting signature is sent as the X-Hub-Signature-256 header ("sha256=<hex>"), and the timestamp is sent separately as the X-Timestamp header.
Timestamp validation rejects requests whose timestamp deviates by more than MaxTimestampSkew from the server clock, preventing replay attacks.
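The scheme described above, end to end, as an added example that is not this package's own code: the helper names sign and verify, the secret, and the request values are constructed for illustration, and only the message layout, the "sha256=<hex>" header form and the 5-minute window come from this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

const maxSkew = 5 * time.Minute // mirrors MaxTimestampSkew from this page

// sign (hypothetical name) computes the header value "sha256=<hex>" over
// METHOD\nPATH?QUERY\nTIMESTAMP\nBODY.
func sign(secret []byte, method, uri, ts string, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(method + "\n" + uri + "\n" + ts + "\n"))
	mac.Write(body)
	return "sha256=" + hex.EncodeToString(mac.Sum(nil))
}

// verify (hypothetical name) checks the timestamp window, then recomputes the
// MAC and compares it in constant time.
func verify(secret []byte, method, uri, ts string, body []byte, sig string, now time.Time) error {
	sec, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("missing or malformed timestamp")
	}
	if d := now.Sub(time.Unix(sec, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("timestamp outside allowed skew")
	}
	want := sign(secret, method, uri, ts, body)
	if !hmac.Equal([]byte(sig), []byte(want)) {
		return errors.New("signature mismatch")
	}
	return nil
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample values throughout
	now := time.Unix(1700000000, 0)
	ts, uri, body := "1700000000", "/api/v1/sessions?user_id=alice", []byte(`{"ttl":60}`)
	sig := sign(secret, "POST", uri, ts, body)
	fmt.Println("fresh:   ", verify(secret, "POST", uri, ts, body, sig, now))
	fmt.Println("replayed:", verify(secret, "POST", uri, ts, body, sig, now.Add(10*time.Minute)))
	fmt.Println("tampered:", verify(secret, "POST", uri+"&admin=1", ts, body, sig, now))
}
```

Because the timestamp is part of the signed message, changing the X-Timestamp header alone invalidates the signature. A request presented again inside the skew window still verifies in this example, which keeps no record of signatures it has already seen.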
Constants
const (
	// TimestampHeader is the HTTP header name for the Unix timestamp included in signing.
	TimestampHeader = "X-Timestamp"

	// MaxTimestampSkew is the maximum allowed difference between the timestamp in the
	// request and the server's current time. Requests outside this window are rejected.
	MaxTimestampSkew = 5 * time.Minute
)
Variables
This section is empty.
Functions
func BuildMessage
BuildMessage constructs the canonical signing message in the form:
METHOD\nPATH?QUERY\nTIMESTAMP\nBODY
pathWithQuery should be the full request URI including query string (e.g. "/api/v1/sessions?user_id=alice"). body may be nil or empty.
func NowTimestamp
func NowTimestamp() string
NowTimestamp returns the current Unix epoch as a decimal string.
func ValidateTimestamp
ValidateTimestamp parses ts as a Unix epoch (decimal string) and verifies that it falls within ±MaxTimestampSkew of the current time.
If ts is empty, the function returns an error – callers that need backward compatibility should handle the empty-string case themselves before calling ValidateTimestamp.
Types
This section is empty.