Skip to content

feat: Add alternative verification API and expand MessageDetails#14

Merged
yaronf merged 3 commits intoyaronf:mainfrom
jvatic:verify
Jul 29, 2025
Merged

feat: Add alternative verification API and expand MessageDetails#14
yaronf merged 3 commits intoyaronf:mainfrom
jvatic:verify

Conversation

@jvatic
Copy link
Contributor

@jvatic jvatic commented Jul 9, 2025

Thanks for creating & maintaining this library @yaronf!

This PR resolves a need we have at $employer to do some additional verification on the message artifacts (and removes having to build an intermediate http.Request object since we're using this in an rpc context).

  • Add Message struct with a Verify method that can be used in place of VerifyRequest + RequestDetails, and VerifyResponse + ResponseDetails.
  • MessageDetails now contains created, expires, nonce, and tag params.

I'm happy to iterate on this a bit if there's any changes you'd like to see before accepting.

yaronf
yaronf requested changes Jul 10, 2025
View reviewed changes
@yaronf
Copy link
Owner

yaronf commented Jul 10, 2025

Hi @jvatic, thank you for the pull request. This is a reasonably large PR so it might take a bit of iteration. Here are some initial comments:

  • I don't think the Message structure belongs in signatures.go. Please refactor it to its own file. Possibly along with MessageDetails.
  • This is essentially a "quality of life" code change, so please include a worked example that'll go into the package documentation, see https://pkg.go.dev/github.com/yaronf/httpsign#pkg-examples
  • I have not (yet) tested that the new fuzz tests are working, or that test coverage has not dropped.

@jvatic
Copy link
Contributor Author

jvatic commented Jul 10, 2025

Thanks for the review @yaronf!

  • I've moved Message/MessageConfig and MessageDetails into message.go.
  • I've added an example that does the same thing as the existing VerifyRequest example but using the new API.

RE code deletion/test changes: My thinking was that it felt cleaner to for MessageConfig to build decomposed req/resp parts vs composing them, and being able to re-use existing tests could provide more confidence in the new API & simplify testing. Would you prefer if the Message.Verify called VerifyRequest/VerifyResponse vs the other way around? That would reduce the scope of the changes.

While code coverage remains about the same overall, there are a few error paths not covered when calling VerifyRequest/VerifyResponse which reduces coverage on the func level a bit, but these appear to be covered by NewMessage tests (I can include the coverage output if that'd be helpful).

@yaronf yaronf self-assigned this Jul 12, 2025
@jvatic jvatic requested a review from yaronf July 15, 2025 15:43
yaronf
yaronf requested changes Jul 18, 2025
View reviewed changes
Copy link
Owner

@yaronf yaronf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @jvatic, since the old VerifyRequest/Response APIs still remain public APIs of the package, I would rather have them tested explicitly, regardless of the internal implementation. So please duplicate the relevant tests.

Also, I made some very minor changes on the main branch, please make sure to merge them.

Once you're done with the tests, I'll be happy to merge the PR. Thanks!

jvatic added 2 commits July 23, 2025 11:03
@jvatic
chore: add .editorconfig to preserve trailing whitespace in test files
1dd53b0
@jvatic
feat: Add alternative verification API and expand MessageDetails
41581d9 
- Add `Message` struct with a `Verify` method that can be used in place of `VerifyRequest` + `RequestDetails`, and `VerifyResponse` + `ResponseDetails`.
- `MessageDetails` now contains created, expires, nonce, and tag params.
@jvatic
Copy link
Contributor Author

jvatic commented Jul 23, 2025
edited
Loading

Hi @yaronf, thanks for the feedback! I've rebased on main and duplicated all the relevant tests (ones calling VerifyRequest, verifyRequestDebug, VerifyResponse, and verifyResponseDebug).

Please let me know if there's anything else I can clean up before merging. And thanks for being open to this PR :)

(edit: I added the .editorconfig file due to some tests being dependent on whitespace that would otherwise be removed by gofmt.)

@jvatic jvatic requested a review from yaronf July 23, 2025 15:06
@yaronf
Copy link
Owner

yaronf commented Jul 27, 2025

Sorry, one more thing: please add a little (maybe one sentence) to the package overview in doc.go, to clarify where these new APIs are to be used.

yaronf
yaronf requested changes Jul 28, 2025
View reviewed changes
Copy link
Owner

@yaronf yaronf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my last comment.

@jvatic
Copy link
Contributor Author

jvatic commented Jul 29, 2025

@yaronf sounds good! I've added a sentence to doc.go.

@jvatic jvatic requested a review from yaronf July 29, 2025 15:39
yaronf
yaronf reviewed Jul 29, 2025
View reviewed changes
yaronf
yaronf requested changes Jul 29, 2025
View reviewed changes
Copy link
Owner

@yaronf yaronf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought I could fix that typo myself, but I can't. So please commit...

@jvatic
Copy link
Contributor Author

jvatic commented Jul 29, 2025

Oops, fixed!

@jvatic jvatic requested a review from yaronf July 29, 2025 17:34
@yaronf yaronf merged commit d569067 into yaronf:main Jul 29, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yaronf yaronf yaronf approved these changes

Assignees

@yaronf yaronf

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jvatic @yaronf