140 lines
3.3 KiB
Go
140 lines
3.3 KiB
Go
package imgcache
|
|
|
|
import (
|
|
"crypto/hmac"
|
|
"crypto/sha256"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"strconv"
|
|
"time"
|
|
)
|
|
|
|
// Signature errors.
|
|
var (
|
|
ErrSignatureRequired = errors.New("signature required for non-whitelisted host")
|
|
ErrSignatureInvalid = errors.New("invalid signature")
|
|
ErrSignatureExpired = errors.New("signature has expired")
|
|
ErrMissingExpiration = errors.New("signature expiration is required")
|
|
)
|
|
|
|
// Signer handles HMAC-SHA256 signature generation and verification.
|
|
type Signer struct {
|
|
secretKey []byte
|
|
}
|
|
|
|
// NewSigner creates a new Signer with the given secret key.
|
|
func NewSigner(secretKey string) *Signer {
|
|
return &Signer{
|
|
secretKey: []byte(secretKey),
|
|
}
|
|
}
|
|
|
|
// Sign generates an HMAC-SHA256 signature for the given image request.
|
|
// The signature covers: host + path + query + width + height + format + expiration.
|
|
func (s *Signer) Sign(req *ImageRequest) string {
|
|
data := s.buildSignatureData(req)
|
|
mac := hmac.New(sha256.New, s.secretKey)
|
|
mac.Write([]byte(data))
|
|
sig := mac.Sum(nil)
|
|
|
|
return base64.URLEncoding.EncodeToString(sig)
|
|
}
|
|
|
|
// Verify checks if the signature on the request is valid and not expired.
|
|
func (s *Signer) Verify(req *ImageRequest) error {
|
|
// Check expiration first
|
|
if req.Expires.IsZero() {
|
|
return ErrMissingExpiration
|
|
}
|
|
|
|
if time.Now().After(req.Expires) {
|
|
return ErrSignatureExpired
|
|
}
|
|
|
|
// Compute expected signature
|
|
expected := s.Sign(req)
|
|
|
|
// Constant-time comparison to prevent timing attacks
|
|
if !hmac.Equal([]byte(req.Signature), []byte(expected)) {
|
|
return ErrSignatureInvalid
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// buildSignatureData creates the string to be signed.
|
|
// Format: "host:path:query:width:height:format:expiration"
|
|
func (s *Signer) buildSignatureData(req *ImageRequest) string {
|
|
return fmt.Sprintf("%s:%s:%s:%d:%d:%s:%d",
|
|
req.SourceHost,
|
|
req.SourcePath,
|
|
req.SourceQuery,
|
|
req.Size.Width,
|
|
req.Size.Height,
|
|
req.Format,
|
|
req.Expires.Unix(),
|
|
)
|
|
}
|
|
|
|
// GenerateSignedURL creates a complete URL with signature and expiration.
|
|
// Returns the path portion that should be appended to the base URL.
|
|
func (s *Signer) GenerateSignedURL(req *ImageRequest, ttl time.Duration) (path string, sig string, exp int64) {
|
|
// Set expiration
|
|
req.Expires = time.Now().Add(ttl)
|
|
exp = req.Expires.Unix()
|
|
|
|
// Generate signature
|
|
sig = s.Sign(req)
|
|
req.Signature = sig
|
|
|
|
// Build the size component
|
|
var sizeStr string
|
|
if req.Size.OriginalSize() {
|
|
sizeStr = "orig"
|
|
} else {
|
|
sizeStr = fmt.Sprintf("%dx%d", req.Size.Width, req.Size.Height)
|
|
}
|
|
|
|
// Build the path
|
|
path = fmt.Sprintf("/v1/image/%s%s/%s.%s",
|
|
req.SourceHost,
|
|
req.SourcePath,
|
|
sizeStr,
|
|
req.Format,
|
|
)
|
|
|
|
// Append query if present
|
|
if req.SourceQuery != "" {
|
|
// The query goes before the size segment in our URL scheme
|
|
// So we need to rebuild the path
|
|
path = fmt.Sprintf("/v1/image/%s%s?%s/%s.%s",
|
|
req.SourceHost,
|
|
req.SourcePath,
|
|
req.SourceQuery,
|
|
sizeStr,
|
|
req.Format,
|
|
)
|
|
}
|
|
|
|
return path, sig, exp
|
|
}
|
|
|
|
// ParseSignatureParams extracts signature and expiration from query parameters.
|
|
func ParseSignatureParams(sig, expStr string) (signature string, expires time.Time, err error) {
|
|
signature = sig
|
|
|
|
if expStr == "" {
|
|
return signature, time.Time{}, nil
|
|
}
|
|
|
|
expUnix, err := strconv.ParseInt(expStr, 10, 64)
|
|
if err != nil {
|
|
return "", time.Time{}, fmt.Errorf("invalid expiration: %w", err)
|
|
}
|
|
|
|
expires = time.Unix(expUnix, 0)
|
|
|
|
return signature, expires, nil
|
|
}
|