In HTTP signatures, should I use "request-line" or "target-request"?
I'm looking at Readme.md for the http signature, which is part of the Joyent node-http-signature , and it says to use a "special name" to include the target HTTP request in the signature base:
To include the HTTP query string in the signature calculation, use the custom query string value. While this overloads the definition of headers in HTTP linguistics, the query string is defined in RFC 2616, and as an exception to the headers in a useful signature computation, it is easier to just use the query string than to add a separate parameter for it.
Inclusion request-line
implies the inclusion of the type text in the base POST /url/path/here HTTP/1.1
.
Conversely, draft 03 of the spec says to use a different "special meaning" to include the purpose of the request:
If the name of the header field
(request-target)
, then generate the value of the header field by combining the lowercased: ASCII method and pseudo-headers:
Yes, (request-target) in parens.
In the first case, the signature base for the request may look like this:
POST /foo HTTP/1.1 + "\n"
date: Tue, 07 Jun 2011 20:51:35 GMT + "\n"
content-type: application/json + "\n"
content-md5: h0auK8hnYJKmHTLhKtMTkQ==
... whereas with the latter, the signature base for the same request would look like this:
(request-target): POST /foo + "\n"
date: Tue, 07 Jun 2011 20:51:35 GMT + "\n"
content-type: application/json + "\n"
content-md5: h0auK8hnYJKmHTLhKtMTkQ==
So which is authoritative? I doubt there are two ways to include the method and path in the signature base.
I suspect an "implementation rule", but I would like to know the real intent.
source to share
No one has answered this question yet
Check out similar questions: