ipedis/http-signature

There is no license information available for the latest version (3.0.0) of this package.

Library to generate HTTP signatures

Package info

github.com/ipedis/http-signature

pkg:composer/ipedis/http-signature

Statistics

Installs: 7

Dependents: 1

Suggesters: 0

Stars: 0

Open Issues: 0

3.0.0 2026-01-22 06:56 UTC

This package is auto-updated.

Last update: 2026-03-25 13:03:34 UTC


README

This library is required for internal publispeak HTTP requests. Guzzle was chosen as the HTTP client for the following reason:

  • Guzzle allows middleware to be injected into its stack, and that middleware can add headers to the request object

Installation

Update composer.json and add a repository:

"repositories": [
    {
        "type": "vcs",
        "url": "bitbucket:ipedis/http-signature.git"
    }
]

Require the library:

  • for symfony version < 7.2

    "require": { "ipedis/http-signature": "^1.0.0" }

  • for symfony version >= 7.2

    "require": { "ipedis/http-signature": "^2.0.0" }

  • for symfony version >= 8.0

    "require": { "ipedis/http-signature": "^3.0.0" }

Folder structure

  • demo: examples for every behavior currently covered by this library.
  • src: the classes and traits made available.
  • docs: all documentation.

Sending a signed HTTP request

Use the HttpClient trait to send an HTTP request. The signature is added automatically by the trait.

[...]

use HttpClient;

[...]

$response = $this->getClient()->get(<url>);
$response = $this->getClient()->post(<url>);
$response = $this->getClient()->delete(<url>);

[...]

Signing a request

Use the Signer trait to add a signature to a PSR-7 compatible request.

[...]

use Signer;

[...]

$request = $this->sign($request);

[...]

Verify a request

Use the Verify trait to check the validity of a PSR-7 compatible request.

[...]

use Verifier;

[...]

$isValid = $this->verify($request);

[...]

How it works

Adding the signature

Take the HTTP method (GET, POST …).

Take the full URL path (example: http://recovery.publispeak.local/api/event/dispatch).

Create a timestamp, which will be added as a header on each signed request.

Take the request body serialized as a string.

Concatenate all of this information in a predictable order. Example:

  Pattern:
  METHOD.url.timestamp.stringified_body
  Sample:
  GET.http://recovery.publispeak.local/api/event/dispatch.13903209123.{foo:bar}

Then calculate the HMAC-SHA256 of this string.

  Computed HMAC:
  bc1c3a7513079cd8e02a4ef367bf72e161e0fa7207cd1e89c3daf3ee682897ef

Verify the signature

Take the received request and perform the same calculation, then compare the computed HMAC with the received signature header.

$sourceString = METHOD.url.timestamp.stringified_body
if (timestamp older than 1m)
    reject the request: it may be a man-in-the-middle replaying a captured request

$computedHash = hash_hmac('sha256', $sourceString, backup_secret_token)
if (hash_equals($computedHash, $receivedSignHeader))
    we have a legitimate request
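
The signing and verification steps above as a standalone PHP sketch. This is an added example, not code from the library: the function names, the secret, the JSON body and the assumption that the timestamp is in Unix seconds are all hypothetical, and the trait internals may differ.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; secret and request values are constructed samples.
const MAX_AGE_SECONDS = 60; // the "older than 1m" replay window described above

function buildSourceString(string $method, string $url, int $timestamp, string $body): string
{
    // Pattern from the page: METHOD.url.timestamp.stringified_body
    return implode('.', [$method, $url, (string) $timestamp, $body]);
}

function signRequest(string $method, string $url, int $timestamp, string $body, string $secret): string
{
    return hash_hmac('sha256', buildSourceString($method, $url, $timestamp, $body), $secret);
}

function verifyRequest(string $method, string $url, string $timestampHeader, string $body,
                       string $receivedSignature, string $secret, int $now): bool
{
    // The timestamp arrives in an untrusted header: accept digits only.
    if (!ctype_digit($timestampHeader)) {
        return false;
    }
    $timestamp = (int) $timestampHeader;
    // Reject stale requests (replay). Rejecting far-future timestamps is an added assumption.
    if ($now - $timestamp > MAX_AGE_SECONDS || $timestamp > $now + MAX_AGE_SECONDS) {
        return false;
    }
    $expected = signRequest($method, $url, $timestamp, $body, $secret);
    // hash_equals() compares in constant time, so the check does not leak timing information.
    return hash_equals($expected, $receivedSignature);
}

// Constructed sample data.
$secret = 'constructed-demo-secret';
$url    = 'http://recovery.publispeak.local/api/event/dispatch';
$body   = '{"foo":"bar"}';
$now    = 1700000000;
$sig    = signRequest('POST', $url, $now, $body, $secret);

var_dump(verifyRequest('POST', $url, (string) $now, $body, $sig, $secret, $now));            // fresh request
var_dump(verifyRequest('POST', $url, (string) $now, '{"foo":"baz"}', $sig, $secret, $now)); // altered body
var_dump(verifyRequest('POST', $url, (string) $now, $body, $sig, $secret, $now + 61));      // replayed after 61 s
```

Because the timestamp is part of the signed string, changing the timestamp header to get past the age check also invalidates the signature.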

How to test

See the documentation in the docs folder.