Class: Rack::Auth::Signature

Inherits:
Object
Includes:
Helpers
Defined in:
lib/rack/auth/signature.rb,
lib/rack/auth/signature/helpers.rb

Overview

Rack middleware for HTTP Message Signature verification (RFC 9421).

This middleware verifies that incoming requests have valid HTTP signatures. Requests without valid signatures are rejected with a 401 Unauthorized response.

Configuration file format (YAML):

signatures:
  reject_older_than: 900        # Reject signatures older than 15 minutes
  created_required: true        # Require 'created' parameter
  keyid_required: false         # Require 'keyid' parameter
  covered_components:           # Required components in signature
    - "@method"
    - "@request-target"
    - "date"
keys:
  my-key-id:
    alg: ed25519
    material: |                 # Inline PEM
      -----BEGIN PUBLIC KEY-----
      ...
      -----END PUBLIC KEY-----
  other-key:
    alg: rsa-pss-sha512
    path: keys/public.pem       # Or path to key file
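Applying the `signatures:` policy above to a parsed Signature-Input header, as an added Ruby example (not linzer's own code): the parser is a simplified one for the subset of RFC 9421 syntax shown here, and the policy YAML and header values are constructed for the example.

```ruby
require "yaml"

# Constructed sample in the same format as the configuration file above.
POLICY_YAML = <<~YAML
  signatures:
    reject_older_than: 900
    created_required: true
    keyid_required: false
    covered_components:
      - "@method"
      - "@request-target"
      - "date"
YAML

# Parses one RFC 9421 Signature-Input entry, e.g.
#   sig1=("@method" "@request-target" "date");created=1700000000;keyid="k"
# Simplified: component parameters are not handled, and only quoted-string
# and integer signature parameters are recognised (this is not linzer's parser).
def parse_signature_input(header)
  m = header.match(/\A\s*(?<label>[a-z0-9_\-.*]+)=\((?<comps>[^)]*)\)(?<params>.*)\z/)
  raise ArgumentError, "malformed Signature-Input" unless m
  components = m[:comps].scan(/"([^"]*)"/).flatten
  params = {}
  m[:params].scan(/;([a-z]+)(?:=(?:"([^"]*)"|(-?\d+)))?/) do |name, str, num|
    params[name] = str || (num && num.to_i) || true
  end
  { label: m[:label], components: components, params: params }
end

# Returns [] when the header satisfies the policy, otherwise a list of
# violations. These checks run before any cryptographic verification:
# a valid signature over the wrong components or a stale `created` is still rejected.
def policy_violations(policy, sig_input, now: Time.now.to_i)
  pol = policy["signatures"]
  errors = []
  created = sig_input[:params]["created"]
  errors << "created missing" if pol["created_required"] && created.nil?
  if created && now - created > pol["reject_older_than"]
    errors << "signature older than #{pol["reject_older_than"]}s"
  end
  errors << "keyid missing" if pol["keyid_required"] && sig_input[:params]["keyid"].nil?
  missing = pol["covered_components"] - sig_input[:components]
  errors << "uncovered components: #{missing.join(", ")}" unless missing.empty?
  errors
end

if __FILE__ == $PROGRAM_NAME
  policy = YAML.safe_load(POLICY_YAML)
  good = parse_signature_input('sig1=("@method" "@request-target" "date");created=1700000000;keyid="my-key-id"')
  p policy_violations(policy, good, now: 1_700_000_100)  # => []
  stale = parse_signature_input('sig1=("@method" "date");created=1700000000')
  p policy_violations(policy, stale, now: 1_700_001_000) # => too old, "@request-target" uncovered
end
```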

Examples:

Basic usage in config.ru

require "linzer"

use Rack::Auth::Signature,
  except: "/health",
  default_key: {
    material: File.read("public_key.pem"),
    alg: "ed25519"
  }

run MyApp

With configuration file

use Rack::Auth::Signature,
  except: ["/login", "/health"],
  config_path: "config/http-signatures.yml"

In a Rails application (config/application.rb)

config.middleware.use Rack::Auth::Signature,
  except: "/login",
  config_path: "config/http-signatures.yml"

With a block for custom configuration

use Rack::Auth::Signature do
  # Custom configuration via instance_eval
end

Defined Under Namespace

Modules: Helpers

Instance Method Summary

Methods included from Helpers::Configuration

default_covered_components

Constructor Details

#initialize(app, options = {}) { ... } ⇒ Signature

Creates a new signature verification middleware.

Parameters:

  • app (#call)

    The Rack application to protect

  • options (Hash) (defaults to: {})

    Configuration options

Options Hash (options):

  • :except (String, Array<String>)

    Paths to exclude from signature verification (e.g., "/login", "/health")

  • :config_path (String)

    Path to YAML configuration file

  • :default_key (Hash)

    Default key configuration, used when the request carries no keyid or its keyid is not found in the keys hash

  • :keys (Hash)

    Hash of key configurations keyed by keyid

  • :signatures (Hash)

    Signature verification options

Yields:

  • Optional block for additional configuration via instance_eval

# File 'lib/rack/auth/signature.rb', line 81

def initialize(app, options = {}, &block)
  @app = app
  @options = load_options(Hash(options))
  instance_eval(&block) if block
end

Instance Method Details

#call(env) ⇒ Array

Processes an incoming request.

If the request path is excluded or the signature is valid, the request is passed to the wrapped application. Otherwise, returns a 401 response.

On successful verification, the signature is stored in `env` for use by the application.

Parameters:

  • env (Hash)

    The Rack environment

Returns:

  • (Array)

    Rack response tuple [status, headers, body]

# File 'lib/rack/auth/signature.rb', line 97

def call(env)
  @request = Rack::Request.new(env)

  # Pass through when the path is in :except or the signature verifies;
  # otherwise build the configured error response (status, headers, body).
  if excluded? || allowed?
    @app.call(env)
  else
    response = options[:signatures][:error_response].values
    Rack::Response.new(*response).finish
  end
end