
https://github.com/dexcompiler/request-signatures

Secure API authentication mechanism using Request Signatures

# API Request Signing
This project demonstrates a secure API authentication mechanism using Request Signatures implemented in C#.
Instead of sending API keys directly in the request, this approach uses cryptographic signatures to verify request authenticity.

## Why is this important?
Request signing provides several security advantages over simple API keys:
1. **Non-repudiation**: The server can prove that a request was made by a specific client.
2. **Request Integrity**: The server can verify that the request has not been tampered with in transit.
3. **No Secret Transmission**: The client does not need to send the secret key in the request.
4. **Replay Protection**: Time-bound requests prevent replay attacks.

### Request Flow
```mermaid
sequenceDiagram
    participant C as Client
    participant S as Server
    Note over C: Constructs request with:<br/>- HTTP Method<br/>- Endpoint<br/>- Timestamp<br/>- Request Body
    Note over C: Signs request using<br/>secret key
    C->>S: Send request with headers:<br/>X-Client-Id<br/>X-Timestamp<br/>X-Signature
    Note over S: Validates timestamp<br/>freshness
    Note over S: Retrieves client's<br/>secret key
    Note over S: Recomputes signature<br/>and compares
    S->>C: 401 Unauthorized
    C->>S: Authorization Header
    S->>C: 200 OK
```
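
The flow above as an added C# example (not code from this repository), covering both the client signing step and the server's three checks. It assumes HMAC-SHA256 over a newline-joined canonical string, a 5-minute freshness window and .NET 6 or later; `RequestSigner`, the client id, the secret and the `/api/orders` path are hypothetical, and the three string arguments to `Verify` stand for the `X-Client-Id`, `X-Timestamp` and `X-Signature` header values.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Constructed sample data: the client id, secret, path and body are made up for this demo.
var secrets = new Dictionary<string, byte[]> { ["demo-client"] = Encoding.UTF8.GetBytes("constructed-demo-secret") };
var now = DateTimeOffset.UtcNow;
string ts = now.ToUnixTimeSeconds().ToString(), body = "{\"amount\":42}";
string tampered = "{\"amount\":9999}";
string sig = RequestSigner.Sign(secrets["demo-client"], "POST", "/api/orders", ts, body); // client side

bool Check(string b, DateTimeOffset at) =>
    RequestSigner.Verify(secrets, "demo-client", ts, sig, "POST", "/api/orders", b, at);   // server side
Console.WriteLine($"untouched request accepted: {Check(body, now)}");
Console.WriteLine($"modified body accepted:     {Check(tampered, now)}");
Console.WriteLine($"replayed 10 min later:      {Check(body, now.AddMinutes(10))}");

static class RequestSigner
{
    const long MaxSkewSeconds = 300; // assumed freshness window; the README gives no value

    // Assumed canonical form: METHOD, path, timestamp and SHA-256 of the body, newline-separated.
    public static string Sign(byte[] key, string method, string path, string timestamp, string body)
    {
        string bodyHash = Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(body)));
        string canonical = $"{method.ToUpperInvariant()}\n{path}\n{timestamp}\n{bodyHash}";
        return Convert.ToBase64String(HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(canonical)));
    }

    public static bool Verify(IReadOnlyDictionary<string, byte[]> secrets, string clientId, string timestamp,
        string signature, string method, string path, string body, DateTimeOffset now)
    {
        // 1. Timestamp freshness: reject unparsable, stale or far-future values.
        long nowS = now.ToUnixTimeSeconds();
        if (!long.TryParse(timestamp, out long t) || t < nowS - MaxSkewSeconds || t > nowS + MaxSkewSeconds)
            return false;
        // 2. Retrieve the client's secret key; unknown ids fail the same way as bad signatures.
        if (!secrets.TryGetValue(clientId, out var key)) return false;
        // 3. Recompute over the fields as received and compare in constant time.
        byte[] expected = Convert.FromBase64String(Sign(key, method, path, timestamp, body));
        byte[] presented = new byte[expected.Length];
        return Convert.TryFromBase64String(signature, presented, out int n) && n == expected.Length
            && CryptographicOperations.FixedTimeEquals(expected, presented);
    }
}
```

A captured request stays replayable inside the freshness window; closing that gap needs a per-request nonce or a server-side cache of recently seen signatures.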

### Project Structure
```text
├── RequestSigning.Server/ # API server implementation
├── RequestSigning.Client/ # Demo client implementation
└── RequestSigning.Common/ # Shared models and utilities
```

### Running the Demo
1. Clone the repository
2. Start the server: `cd RequestSigning.Server && dotnet run`
3. In a new terminal, start the client: `cd RequestSigning.Client && dotnet run`

Good Luck!