playerbrainz/crates/signatures
Jade Ellis 1cac12a130
feat: Signed requests
There's a whole load of stuff here and it was a few days to get it
working.

I discovered that httpsig-rs doesn't handle colons in signature names
correctly, so I had to seperate out the algorithm from the key ID.

A seperate binary exists to demonstrate making a singed request, as the
functionality is not used in the main binary yet.

There is a bunch of stuff to make it ieasier if the key algorithm
changes, although it is left hardcoded in a few places because we don't
need forwards compatibility, we just need to make backwards
compatibility easy

Server-side graphql queries use cynic, which builds queries from rust
types. We have code to resolve the graphql endpoint for a server and
then fetch keys.

A trait is implemented to make it easier to run graphql queries from the
server.

Signature is implemented by the httpsig library on the hyper request.
Luckily for us, reqwest and axum roughly use similar types (thanks to
the http crate). There is some conversion going on, in particular around
buffering the request body to sign the digest.

Speaking of, the covered components are picked to cover all parts of the
request that could affect the response. The assumption is this, in
combination with TLS, is sufficient security to subvert impersonation.
2026-05-26 00:48:49 +01:00
..
src feat: Signed requests 2026-05-26 00:48:49 +01:00
Cargo.toml feat: Signed requests 2026-05-26 00:48:49 +01:00