Add explicit tests proving that HMAC-SHA256 signatures verify against
exact URLs only — no suffix matching, wildcard matching, or partial
matching is supported. A signature for cdn.example.com will not verify
for example.com, images.example.com, or any other host.

Changes:
- signature.go: Add documentation comments on Verify() and
  buildSignatureData() specifying exact-match semantics
- signature_test.go: Add TestSigner_Verify_ExactMatchOnly (14 tamper
  cases covering host, path, query, dimensions, format) and
  TestSigner_Sign_ExactHostInData (verifies suffix-related hosts
  produce distinct signatures)
- service_test.go: Add TestService_ValidateRequest_SignatureExactHostMatch
  (integration test verifying ValidateRequest rejects signatures when
  host differs — parent domain, sibling subdomain, deeper subdomain,
  evil suffix, prefixed host)
- README.md: Document exact-match-only behavior in Signature section

Does NOT modify whitelist.go or any whitelist-related code.

TDD: Write tests first before implementation for:
- ETag generation and consistency in service layer
- HEAD request support (headers only, no body)
- Conditional requests with If-None-Match header (304 responses)
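
An added Go sketch of the exact-match signature semantics described in the first part of this message; it is not the project's signature.go. `Signer`, `Params`, the length-prefixed field layout, the key and the hosts beyond those named above are assumptions constructed for illustration.

```go
// Added illustration: Signer, Params and the field layout are assumptions,
// not the project's signature.go. Key and hosts below are constructed.
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

type Params struct {
	Host, Path, Query, Format string
	Width, Height             int
}

type Signer struct{ key []byte }
// mac length-prefixes each field so bytes cannot shift between adjacent fields.
func (s Signer) mac(p Params) []byte {
	m := hmac.New(sha256.New, s.key)
	for _, f := range []string{p.Host, p.Path, p.Query, p.Format, fmt.Sprint(p.Width), fmt.Sprint(p.Height)} {
		fmt.Fprintf(m, "%d:%s", len(f), f)
	}
	return m.Sum(nil)
}

func (s Signer) Sign(p Params) string { return hex.EncodeToString(s.mac(p)) }
// Verify recomputes the MAC over the exact fields and compares in constant time.
func (s Signer) Verify(p Params, sig string) bool {
	got, err := hex.DecodeString(sig)
	return err == nil && hmac.Equal(got, s.mac(p))
}

// RejectedHosts returns the hosts for which a signature issued for p is refused.
func RejectedHosts(s Signer, p Params, sig string, hosts []string) (out []string) {
	for _, h := range hosts {
		q := p
		q.Host = h
		if !s.Verify(q, sig) {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	s, p := Signer{[]byte("constructed-demo-key")}, Params{"cdn.example.com", "/a.jpg", "q=80", "webp", 640, 480}
	fmt.Println(RejectedHosts(s, p, s.Sign(p), []string{"example.com", "images.example.com", "a.cdn.example.com"}))
}
```

Because the host is an input to the MAC rather than a pattern checked afterwards, no host other than the signed one can verify, whatever suffix or prefix it shares with it.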