sneak/pixa
1
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases Wiki Activity

Implement HMAC-SHA256 signature generation and verification

Browse Source
This commit is contained in:
Jeffrey Paul
2026-01-08 03:02:09 -08:00
parent 2b0ccd6052
commit cc2c40bfbf
2 changed files with 434 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

139
internal/imgcache/signature.go Normal file
View File

@@ -0,0 +1,139 @@
package imgcache
import (
"crypto/hmac"
"crypto/sha256"
"encoding/base64"
"errors"
"fmt"
"strconv"
"time"
)
// Signature errors.
var (
ErrSignatureRequired = errors.New("signature required for non-whitelisted host")
ErrSignatureInvalid = errors.New("invalid signature")
ErrSignatureExpired = errors.New("signature has expired")
ErrMissingExpiration = errors.New("signature expiration is required")
)
// Signer handles HMAC-SHA256 signature generation and verification.
type Signer struct {
secretKey []byte
}
// NewSigner creates a new Signer with the given secret key.
func NewSigner(secretKey string) *Signer {
return &Signer{
secretKey: []byte(secretKey),
}
}
// Sign generates an HMAC-SHA256 signature for the given image request.
// The signature covers: host + path + query + width + height + format + expiration.
func (s *Signer) Sign(req *ImageRequest) string {
data := s.buildSignatureData(req)
mac := hmac.New(sha256.New, s.secretKey)
mac.Write([]byte(data))
sig := mac.Sum(nil)
return base64.URLEncoding.EncodeToString(sig)
}
// Verify checks if the signature on the request is valid and not expired.
func (s *Signer) Verify(req *ImageRequest) error {
// Check expiration first
if req.Expires.IsZero() {
return ErrMissingExpiration
}
if time.Now().After(req.Expires) {
return ErrSignatureExpired
}
// Compute expected signature
expected := s.Sign(req)
// Constant-time comparison to prevent timing attacks
if !hmac.Equal([]byte(req.Signature), []byte(expected)) {
return ErrSignatureInvalid
}
return nil
}
// buildSignatureData creates the string to be signed.
// Format: "host:path:query:width:height:format:expiration"
func (s *Signer) buildSignatureData(req *ImageRequest) string {
return fmt.Sprintf("%s:%s:%s:%d:%d:%s:%d",
req.SourceHost,
req.SourcePath,
req.SourceQuery,
req.Size.Width,
req.Size.Height,
req.Format,
req.Expires.Unix(),
)
}
// GenerateSignedURL creates a complete URL with signature and expiration.
// Returns the path portion that should be appended to the base URL.
func (s *Signer) GenerateSignedURL(req *ImageRequest, ttl time.Duration) (path string, sig string, exp int64) {
// Set expiration
req.Expires = time.Now().Add(ttl)
exp = req.Expires.Unix()
// Generate signature
sig = s.Sign(req)
req.Signature = sig
// Build the size component
var sizeStr string
if req.Size.OriginalSize() {
sizeStr = "orig"
} else {
sizeStr = fmt.Sprintf("%dx%d", req.Size.Width, req.Size.Height)
}
// Build the path
path = fmt.Sprintf("/v1/image/%s%s/%s.%s",
req.SourceHost,
req.SourcePath,
sizeStr,
req.Format,
)
// Append query if present
if req.SourceQuery != "" {
// The query goes before the size segment in our URL scheme
// So we need to rebuild the path
path = fmt.Sprintf("/v1/image/%s%s?%s/%s.%s",
req.SourceHost,
req.SourcePath,
req.SourceQuery,
sizeStr,
req.Format,
)
}
return path, sig, exp
}
// ParseSignatureParams extracts signature and expiration from query parameters.
func ParseSignatureParams(sig, expStr string) (signature string, expires time.Time, err error) {
signature = sig
if expStr == "" {
return signature, time.Time{}, nil
}
expUnix, err := strconv.ParseInt(expStr, 10, 64)
if err != nil {
return "", time.Time{}, fmt.Errorf("invalid expiration: %w", err)
}
expires = time.Unix(expUnix, 0)
return signature, expires, nil
}

295
internal/imgcache/signature_test.go Normal file
View File

@@ -0,0 +1,295 @@
package imgcache
import (
"testing"
"time"
)
func TestSigner_Sign(t *testing.T) {
signer := NewSigner("test-secret-key")
req := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
SourceQuery: "",
Size: Size{Width: 800, Height: 600},
Format: FormatWebP,
Expires: time.Unix(1704067200, 0), // Fixed timestamp for reproducibility
}
sig1 := signer.Sign(req)
sig2 := signer.Sign(req)
// Same input should produce same signature
if sig1 != sig2 {
t.Errorf("Sign() produced different signatures for same input: %q vs %q", sig1, sig2)
}
// Signature should be non-empty
if sig1 == "" {
t.Error("Sign() produced empty signature")
}
// Different input should produce different signature
req2 := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/dog.jpg", // Different path
SourceQuery: "",
Size: Size{Width: 800, Height: 600},
Format: FormatWebP,
Expires: time.Unix(1704067200, 0),
}
sig3 := signer.Sign(req2)
if sig1 == sig3 {
t.Error("Sign() produced same signature for different input")
}
}
func TestSigner_Verify(t *testing.T) {
signer := NewSigner("test-secret-key")
tests := []struct {
name string
setup func() *ImageRequest
wantErr error
}{
{
name: "valid signature",
setup: func() *ImageRequest {
req := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
Size: Size{Width: 800, Height: 600},
Format: FormatWebP,
Expires: time.Now().Add(1 * time.Hour),
}
req.Signature = signer.Sign(req)
return req
},
wantErr: nil,
},
{
name: "expired signature",
setup: func() *ImageRequest {
req := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
Size: Size{Width: 800, Height: 600},
Format: FormatWebP,
Expires: time.Now().Add(-1 * time.Hour), // Expired
}
req.Signature = signer.Sign(req)
return req
},
wantErr: ErrSignatureExpired,
},
{
name: "invalid signature",
setup: func() *ImageRequest {
return &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
Size: Size{Width: 800, Height: 600},
Format: FormatWebP,
Expires: time.Now().Add(1 * time.Hour),
Signature: "invalid-signature",
}
},
wantErr: ErrSignatureInvalid,
},
{
name: "missing expiration",
setup: func() *ImageRequest {
return &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
Size: Size{Width: 800, Height: 600},
Format: FormatWebP,
Signature: "some-signature",
// Expires is zero
}
},
wantErr: ErrMissingExpiration,
},
{
name: "tampered request",
setup: func() *ImageRequest {
req := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
Size: Size{Width: 800, Height: 600},
Format: FormatWebP,
Expires: time.Now().Add(1 * time.Hour),
}
req.Signature = signer.Sign(req)
// Tamper with the request
req.SourcePath = "/photos/secret.jpg"
return req
},
wantErr: ErrSignatureInvalid,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
req := tt.setup()
err := signer.Verify(req)
if tt.wantErr == nil {
if err != nil {
t.Errorf("Verify() unexpected error = %v", err)
}
} else {
if err != tt.wantErr {
t.Errorf("Verify() error = %v, wantErr %v", err, tt.wantErr)
}
}
})
}
}
func TestSigner_DifferentKeys(t *testing.T) {
signer1 := NewSigner("secret-key-1")
signer2 := NewSigner("secret-key-2")
req := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
Size: Size{Width: 800, Height: 600},
Format: FormatWebP,
Expires: time.Now().Add(1 * time.Hour),
}
// Sign with key 1
req.Signature = signer1.Sign(req)
// Verify with key 1 should succeed
if err := signer1.Verify(req); err != nil {
t.Errorf("Verify() with same key failed: %v", err)
}
// Verify with key 2 should fail
if err := signer2.Verify(req); err != ErrSignatureInvalid {
t.Errorf("Verify() with different key should fail, got: %v", err)
}
}
func TestGenerateSignedURL(t *testing.T) {
signer := NewSigner("test-secret-key")
req := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
SourceQuery: "",
Size: Size{Width: 800, Height: 600},
Format: FormatWebP,
}
ttl := 1 * time.Hour
path, sig, exp := signer.GenerateSignedURL(req, ttl)
// Path should be correct format
expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/800x600.webp"
if path != expectedPath {
t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath)
}
// Signature should be non-empty
if sig == "" {
t.Error("GenerateSignedURL() produced empty signature")
}
// Expiration should be approximately now + TTL
expTime := time.Unix(exp, 0)
expectedExp := time.Now().Add(ttl)
if expTime.Sub(expectedExp) > time.Second {
t.Errorf("GenerateSignedURL() exp time off by too much")
}
// Request should have been updated with signature and expiration
if req.Signature != sig {
t.Errorf("GenerateSignedURL() didn't update request signature")
}
}
func TestGenerateSignedURL_OrigSize(t *testing.T) {
signer := NewSigner("test-secret-key")
req := &ImageRequest{
SourceHost: "cdn.example.com",
SourcePath: "/photos/cat.jpg",
Size: Size{Width: 0, Height: 0}, // Original size
Format: FormatPNG,
}
path, _, _ := signer.GenerateSignedURL(req, time.Hour)
expectedPath := "/v1/image/cdn.example.com/photos/cat.jpg/orig.png"
if path != expectedPath {
t.Errorf("GenerateSignedURL() path = %q, want %q", path, expectedPath)
}
}
func TestParseSignatureParams(t *testing.T) {
tests := []struct {
name string
sig string
expStr string
wantSig string
wantErr bool
checkTime bool
}{
{
name: "valid params",
sig: "abc123",
expStr: "1704067200",
wantSig: "abc123",
wantErr: false,
},
{
name: "empty expiration",
sig: "abc123",
expStr: "",
wantSig: "abc123",
wantErr: false,
},
{
name: "invalid expiration",
sig: "abc123",
expStr: "not-a-number",
wantErr: true,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
sig, exp, err := ParseSignatureParams(tt.sig, tt.expStr)
if tt.wantErr {
if err == nil {
t.Error("ParseSignatureParams() expected error, got nil")
}
return
}
if err != nil {
t.Errorf("ParseSignatureParams() unexpected error = %v", err)
return
}
if sig != tt.wantSig {
t.Errorf("sig = %q, want %q", sig, tt.wantSig)
}
if tt.expStr != "" && exp.IsZero() {
t.Error("exp should not be zero when expStr is provided")
}
})
}
}