![]() ![]() Let me know in the comments if any of this is not clear. That tool does not yet support computing a Digest of a POST body, but I’ll look into extending it to do that too. You can play around with HTTP Signatures using this online tool. If it were me, I would also include a :created: and an :expires: field in the http signature. compute the signature following the example from the site, with headers of “(request-target) host date digest”, and using the appropriate RSA key pair.Set the http headers for the pending outbound request to include at least host, date, and digest. ![]() Set the Digest header to be SHA-256=xxxyyyyy, where xxxyyyy is the base64 encoding of the SHA-256 digest.This should produce a string of about 44 characters. Encode that computed digest (which is a byte array) with base64.Try this online tool to help you verify your work. compute the SHA-256 digest of the POST body, including all whitepsace and leading or trailing newlines.With these gaps and misleading things in the documentation, I think it would be impossible for a neophyte to navigate the documentation and successfully implement a client that passes a validatable signature. Unhelpfully, again according to my reading of the code, Mastodon requires a base64-encoded digest! Helpfully, the example provided in the documentation shows a digest string that appears to be hex-encoded. The documentation does not state which of those encodings is accepted. Some typical options for encoding are: hex encoding (aka base16 encoding), base64 encoding, or base64-url encoding. That brings us to the next question: how to encode that byte array as a string, in order to pass it to Mastodon. Regardless of the digest algorithm you use, the computed digest is a byte array. (There is no RSA key involved in computing a digest). The documentation should state that you must compute the “SHA256 digest”. According to my reading of the code, Mastodon supports only SHA-256 digests. Message Digests include: SHA1, SHA256, MD5 (old and insecure at this point) and others. There is no such thing as “RSA-SHA256 digest”! RSA-SHA256 is not the name of a digest. For a post request, the mastodon documentation states that you must first compute the “RSA-SHA256 digest hash of your request’s body”. Unfortunately, that too, is either out of date or confusing. So what must you do? Go back to the Mastodon documentation. It does not use the (request-target) pseudo header. If your client is written in JavaScript and runs on Nodejs, an example for how to build a signature is given on the npmjs site.īut I believe this example is out of date. Earlier, Postman Interceptor like apps were an additional requirement if we wanted to check browser cookies.I am reading this documentation from Mastodon.Īnd from it, I understand that Mastodon requires an HTTP Signature, signing at least these headers: So once you install the native Postman app from here, you don't have to go looking for additional Chrome extensions like Interceptor. The latest version of the native apps has a built-in console, whichĪllows you to view the network request details for API calls. Restricted by the Chrome standards for the menu bar. Previously, users needed to use the Interceptor extension Requests that return a 300-series response from being automatically REDIRECTS OPTION: This option exists in the native apps to prevent Version of the native apps let you send headers like Origin and The Chrome app, no separate extension (Interceptor) is needed.īUILT-IN PROXY: The native apps come with a built-in proxy that you Now the recommendation is to go for native apps which are not detached from the sandboxed environment of the browser.ĬOOKIES: The native apps let you work with cookies directly. Chrome apps including Postman are being deprecated as mentioned here. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |