{"id":21955205,"url":"https://github.com/voltone/plug_signature","last_synced_at":"2025-04-23T12:06:20.301Z","repository":{"id":36931328,"uuid":"225949000","full_name":"voltone/plug_signature","owner":"voltone","description":"Plug for verifying request signatures according to the IETF HTTP signatures draft specification","archived":false,"fork":false,"pushed_at":"2024-05-02T06:30:43.000Z","size":72,"stargazers_count":20,"open_issues_count":2,"forks_count":5,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-04-23T12:05:57.450Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Elixir","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/voltone.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-04T20:14:31.000Z","updated_at":"2024-12-12T08:10:42.000Z","dependencies_parsed_at":"2024-11-29T10:18:11.330Z","dependency_job_id":null,"html_url":"https://github.com/voltone/plug_signature","commit_stats":{"total_commits":25,"total_committers":3,"mean_commits":8.333333333333334,"dds":0.07999999999999996,"last_synced_commit":"1c2a050118d97563511c78e29f0d24f771314bee"},"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voltone%2Fplug_signature","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voltone%2Fplug_signature/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/voltone%2Fplug_signature/releases","manifests_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/voltone%2Fplug_signature/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/voltone","download_url":"https://codeload.github.com/voltone/plug_signature/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":250430584,"owners_count":21429324,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-29T07:29:53.596Z","updated_at":"2025-04-23T12:06:20.255Z","avatar_url":"https://github.com/voltone.png","language":"Elixir","funding_links":[],"categories":[],"sub_categories":[],"readme":"# PlugSignature\n\n[![Github.com](https://github.com/voltone/plug_signature/workflows/CI/badge.svg)](https://github.com/voltone/plug_signature/actions)\n[![Hex.pm](https://img.shields.io/hexpm/v/plug_signature.svg)](https://hex.pm/packages/plug_signature)\n[![Hexdocs.pm](https://img.shields.io/badge/hex-docs-lightgreen.svg)](https://hexdocs.pm/plug_signature/)\n[![Hex.pm](https://img.shields.io/hexpm/dt/plug_signature.svg)](https://hex.pm/packages/plug_signature)\n[![Hex.pm](https://img.shields.io/hexpm/l/plug_signature.svg)](https://hex.pm/packages/plug_signature)\n[![Github.com](https://img.shields.io/github/last-commit/voltone/plug_signature.svg)](https://github.com/voltone/plug_signature/commits/master)\n\nPlug for verifying request signatures according to the IETF HTTP signatures\n[draft specification](https://tools.ietf.org/html/draft-cavage-http-signatures-12).\n\nSupports the following algorithms:\n\n  * \"hs2019\", using ECDSA, RSASSA-PSS or HMAC\n 
 * \"rsa-sha256\", using RSASSA-PKCS1-v1_5\n  * \"ecdsa-sha256\"\n  * \"hmac-sha256\"\n  * \"rsa-sha1\", using RSASSA-PKCS1-v1_5\n\nDevelopment and public release of this package were made possible by\n[Bluecode](https://bluecode.com/).\n\nThe HTTP Date header parsing module was vendored from\n[cowlib](https://github.com/ninenines/cowlib), due to build issues that\nprevented use of the package as a dependency. Cowlib is copyright (c)\n2013-2018, Loïc Hoguin.\n\n## Usage\n\nUse `PlugSignature` in a Phoenix (or other Plug-based) application.\n\nRequests with a valid signature are allowed to proceed while all others are\nrejected. Both the success and the failure behaviour can be customized.\n\n`PlugSignature` requires a callback module that implements the\n`PlugSignature.Callback` behaviour. In a Phoenix application this would\ntypically live in a 'context' module, and it might look something like this:\n\n```elixir\ndefmodule MyApp.Auth do\n  import Ecto.Query, only: [from: 2]\n\n  alias MyApp.Repo\n  alias MyApp.Auth.AccessKey\n\n  @behaviour PlugSignature.Callback\n\n  @impl true\n  def client_lookup(key_id, \"hs2019\", _conn) do\n    query = from a in AccessKey,\n      where: a.key_id == ^key_id,\n      preload: :client\n\n    # Repo.one/1 returns the struct itself (or nil), not an {:ok, _} tuple\n    case Repo.one(query) do\n      nil -\u003e\n        {:error, \"Invalid access key ID: #{key_id}\"}\n\n      # Reject revoked keys before any key material is parsed\n      %AccessKey{revoked: true} -\u003e\n        {:error, \"Access key revoked: #{key_id}\"}\n\n      %AccessKey{public_key: pem, client: client} -\u003e\n        # X509.PublicKey comes from the x509 package\n        public_key = X509.PublicKey.from_pem!(pem)\n        {:ok, client, public_key}\n    end\n  end\nend\n```\n\nTo enable verification of the request body, through the HTTP Digest header,\nadd `PlugBodyDigest` from the [plug_body_digest](https://hex.pm/packages/plug_body_digest)\npackage, e.g. 
to the application's Phoenix Endpoint:\n\n```elixir\ndefmodule MyAppWeb.Endpoint do\n  # ...\n\n  plug Plug.Parsers,\n    parsers: [:urlencoded, :multipart, :json],\n    pass: [\"*/*\"],\n    json_decoder: Phoenix.json_library(),\n    body_reader: {PlugBodyDigest, :digest_body_reader, []}\n\n  plug PlugBodyDigest\nend\n```\n\nFinally, add `PlugSignature`, for instance to a Phoenix Router pipeline:\n\n```elixir\ndefmodule MyAppWeb.Router do\n  # ...\n\n  pipeline :api do\n    plug :accepts, [\"json\"]\n    plug PlugSignature,\n      callback_module: MyApp.Auth,\n      headers: \"(request-target) (created) host digest\",\n      on_success: {PlugSignature, :assign_client, [:client]}\n  end\n\n  # ...\nend\n```\n\nAlternatively it may be used inside a controller's pipeline, possibly with\nguards:\n\n```elixir\ndefmodule MyAppWeb.SomeController do\n  use MyAppWeb, :controller\n\n  plug PlugSignature, [\n    callback_module: MyApp.Auth,\n    headers: \"(request-target) (created) host digest\"\n  ] when not action in [:show, :index]\n\n  # ...\nend\n```\n\nThe directory `plug_signature_example` in the package source repository\ncontains a minimal functional sample application, implemented as a simple Plug\nserver that echoes back the request parameters after signature authentication.\n\n## Client implementation\n\nThe sample application includes clients written in Elixir, using Tesla\nmiddleware, and as a shell script, using OpenSSL and cURL.\n\n## Installation\n\nAdd `plug_signature` to your list of dependencies in `mix.exs` (and consider\nadding `plug_body_digest` as well):\n\n```elixir\ndef deps do\n  [\n    {:plug_body_digest, \"~\u003e 0.5.0\"},\n    {:plug_signature, \"~\u003e 0.6.0\"}\n  ]\nend\n```\n\nDocumentation can be found at [https://hexdocs.pm/plug_signature](https://hexdocs.pm/plug_signature).\n\n## License\n\nCopyright (c) 2019, Bram Verburg\nAll rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are 
permitted provided that the following conditions are met:\n\n* Redistributions of source code must retain the above copyright notice, this\n  list of conditions and the following disclaimer.\n\n* Redistributions in binary form must reproduce the above copyright notice,\n  this list of conditions and the following disclaimer in the documentation\n  and/or other materials provided with the distribution.\n\n* Neither the name of the copyright holder nor the names of its contributors\n  may be used to endorse or promote products derived from this software\n  without specific prior written permission.\n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS \"AS IS\"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE\nFOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,\nOR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE\nOF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoltone%2Fplug_signature","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvoltone%2Fplug_signature","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvoltone%2Fplug_signature/lists"}