Implement HMAC-SHA256 signature generation and verification

internal/imgcache/signature.go

@@ -0,0 +1,139 @@
+package imgcache
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"strconv"
+	"time"
+)
+
+// Signature errors.
+var (
+	ErrSignatureRequired = errors.New("signature required for non-whitelisted host")
+	ErrSignatureInvalid  = errors.New("invalid signature")
+	ErrSignatureExpired  = errors.New("signature has expired")
+	ErrMissingExpiration = errors.New("signature expiration is required")
+)
+
+// Signer handles HMAC-SHA256 signature generation and verification.
+type Signer struct {
+	secretKey []byte
+}
+
+// NewSigner creates a new Signer with the given secret key.
+func NewSigner(secretKey string) *Signer {
+	return &Signer{
+		secretKey: []byte(secretKey),
+	}
+}
+
+// Sign generates an HMAC-SHA256 signature for the given image request.
+// The signature covers: host + path + query + width + height + format + expiration.
+func (s *Signer) Sign(req *ImageRequest) string {
+	data := s.buildSignatureData(req)
+	mac := hmac.New(sha256.New, s.secretKey)
+	mac.Write([]byte(data))
+	sig := mac.Sum(nil)
+
+	return base64.URLEncoding.EncodeToString(sig)
+}
+
+// Verify checks if the signature on the request is valid and not expired.
+func (s *Signer) Verify(req *ImageRequest) error {
+	// Check expiration first
+	if req.Expires.IsZero() {
+		return ErrMissingExpiration
+	}
+
+	if time.Now().After(req.Expires) {
+		return ErrSignatureExpired
+	}
+
+	// Compute expected signature
+	expected := s.Sign(req)
+
+	// Constant-time comparison to prevent timing attacks
+	if !hmac.Equal([]byte(req.Signature), []byte(expected)) {
+		return ErrSignatureInvalid
+	}
+
+	return nil
+}
+
+// buildSignatureData creates the string to be signed.
+// Format: "host:path:query:width:height:format:expiration"
+func (s *Signer) buildSignatureData(req *ImageRequest) string {
+	return fmt.Sprintf("%s:%s:%s:%d:%d:%s:%d",
+		req.SourceHost,
+		req.SourcePath,
+		req.SourceQuery,
+		req.Size.Width,
+		req.Size.Height,
+		req.Format,
+		req.Expires.Unix(),
+	)
+}
+
+// GenerateSignedURL creates a complete URL with signature and expiration.
+// Returns the path portion that should be appended to the base URL.
+func (s *Signer) GenerateSignedURL(req *ImageRequest, ttl time.Duration) (path string, sig string, exp int64) {
+	// Set expiration
+	req.Expires = time.Now().Add(ttl)
+	exp = req.Expires.Unix()
+
+	// Generate signature
+	sig = s.Sign(req)
+	req.Signature = sig
+
+	// Build the size component
+	var sizeStr string
+	if req.Size.OriginalSize() {
+		sizeStr = "orig"
+	} else {
+		sizeStr = fmt.Sprintf("%dx%d", req.Size.Width, req.Size.Height)
+	}
+
+	// Build the path
+	path = fmt.Sprintf("/v1/image/%s%s/%s.%s",
+		req.SourceHost,
+		req.SourcePath,
+		sizeStr,
+		req.Format,
+	)
+
+	// Append query if present
+	if req.SourceQuery != "" {
+		// The query goes before the size segment in our URL scheme
+		// So we need to rebuild the path
+		path = fmt.Sprintf("/v1/image/%s%s?%s/%s.%s",
+			req.SourceHost,
+			req.SourcePath,
+			req.SourceQuery,
+			sizeStr,
+			req.Format,
+		)
+	}
+
+	return path, sig, exp
+}
+
+// ParseSignatureParams extracts signature and expiration from query parameters.
+func ParseSignatureParams(sig, expStr string) (signature string, expires time.Time, err error) {
+	signature = sig
+
+	if expStr == "" {
+		return signature, time.Time{}, nil
+	}
+
+	expUnix, err := strconv.ParseInt(expStr, 10, 64)
+	if err != nil {
+		return "", time.Time{}, fmt.Errorf("invalid expiration: %w", err)
+	}
+
+	expires = time.Unix(expUnix, 0)
+
+	return signature, expires, nil
+}