Signature validation utility about twilight HOT 8 CLOSED

I agree that extracting the headers is outside the scope of Twilight. There are multiple header implementations, for example, https://docs.rs/worker/latest/worker/struct.Headers.html and https://docs.rs/http/latest/http/header/struct.HeaderMap.html, and publically depending upon any of them mean tying ourselves to their major versions.

BTW, the example check_signature signature needs an additional parameter for the signature.

from twilight.

We had a similar discussion about whether we want to inline validation, I think the best solution is to provide both a separate method and a method that chains validation and actual work. So in this case, both check_signature and extract_interaction, which does the checking itself.

from twilight.

1. Providing a function which would make it easy to check the signature would be something im not opposed to.
2. I would be against providing any further utilities like our own implementations for webservers.
   There are many different crates out there and eventually we will have a bunch of middlewares we need to maintain.
   Further more it shouldn't be that hard to get the headers of a request. To make it a little bit easier, we could additionally export the header names as constants.
3. I don't think we should overcomplicate that.

let is_valid = check_signature(timestamp, body, signature, key);
if !is_valid {
    return Err("Body signature does not match.")
}

let interaction: Interaction = serde_json::from_str(body);

Sth. like this should be straight forward enough.

from twilight.

I agree that extracting the headers is outside the scope of Twilight. There are multiple header implementations, for example, https://docs.rs/worker/latest/worker/struct.Headers.html and https://docs.rs/http/latest/http/header/struct.HeaderMap.html, and publically depending upon any of them mean tying ourselves to their major versions.

Actually, I just realized that we could accept an iterator of (&str, &[u8]), like how http-ratelimiting does it.

from twilight.

Actually, I just realized that we could accept an iterator of (&str, &[u8]), like how http-ratelimiting does it.

I'm unsure of whether this would be a reliable option.
Eg:

• actix-web provides an iterator of all headers but does not use strings but HeaderValue which does not implement ToString.
• rocket provides an iterator but over Header<'_> where we need to call .value() in order to get the data.
• tide handles that different too.

from twilight.

let is_valid = check_signature(timestamp, body, signature, key);
if !is_valid {
    return Err("Body signature does not match.")
}

let interaction: Interaction = serde_json::from_str(body);

I'd personally prefer an API that returns a result, similar to twilight-validate, so that we can simply propagate with check_signature(timestamp, body, signature, key)?;

from twilight.

let is_valid = check_signature(timestamp, body, signature, key);
if !is_valid {
    return Err("Body signature does not match.")
}

let interaction: Interaction = serde_json::from_str(body);

I'd personally prefer an API that returns a result, similar to twilight-validate, so that we can simply propagate with check_signature(timestamp, body, signature, key)?;

Should it return the Interaction in the Ok variant, or just () so the check can be done with ? and users handle doing the deserialization their selves?

let interaction = check_signature(timestamp, body, signature, key)?;

vs

check_signature(timestamp, body, signature, key)?;
let interaction: Interaction = serde_json::from_str(body);

(The former is why I named my initial suggestion extract_discord, but it could be perfectly reasonable for someone to want to do the deserialization on their own, using their own model or their own parser other than serde_json.)

from twilight.

Accordingly with the comment posted here: #2205 (comment),
I am closing this issue as "not wanted".

from twilight.