Labels: part:code (Affects the code in general), type:enhancement (New feature or enhancement visible to users)
Description
What's needed?
Services will soon start requiring requests to be signed, so the client should be able to do this signing.
Proposed solution
Implement request signing somehow in ApiClientBase or in utility functions/classes like GrpcStreamBroadcaster or call_stub_method. Ideally, signing should be as transparent as possible to client implementers.
Signing works as follows:
Signature parts
The following request parts are used to generate the signature:
- The user's API key (metadata key: `key`).
- The user's secret, which must be provided to the client (loaded from a file, environment variables, etc.).
- The timestamp at which the client sent the request (metadata key: `ts`).
- A one-time cryptographic random number ("nonce") generated by the client for each request (metadata key: `nonce`).
- The name of the requested gRPC method.
- The serialized message body.

The signature is stored in the metadata key `sig`.
Algorithm
The algorithm uses HMAC with SHA-256 as the hashing algorithm. The resulting signature is encoded using URL-safe base64 without padding.
The algorithm can be outlined in pseudocode as follows:
```
hmac = Hmac(Sha256)
hmac.update(key)
hmac.update(secret)
hmac.update(ts)
hmac.update(nonce)
hmac.update(rpc_method)
hmac.update(msg_body)
signature = hmac.finalize()
encoded_sig = base64.url_safe_no_pad(signature)
```
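A concrete Python sketch of the proposed scheme, added here as an example and not code from the issue or the project: it builds the `key`/`ts`/`nonce`/`sig` metadata for a call and verifies it the way a service would. The pseudocode does not say what keys the HMAC, so this example uses the user's secret as the HMAC key and feeds the remaining parts as message data; the Unix-seconds timestamp and the 16-byte nonce are likewise assumptions.

```python
import base64
import hashlib
import hmac
import os
import time


def _b64_no_pad(raw: bytes) -> str:
    """URL-safe base64 without trailing '=' padding, as the issue specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_request(api_key: str, secret: bytes, ts: str, nonce: str,
                 rpc_method: str, msg_body: bytes) -> str:
    """Compute the `sig` value for one request.

    Assumption (not stated in the issue): the user's secret is the HMAC key,
    and the other parts are fed to the MAC in the order the issue lists them.
    """
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in (api_key.encode(), ts.encode(), nonce.encode(),
                 rpc_method.encode(), msg_body):
        mac.update(part)
    return _b64_no_pad(mac.digest())


def signed_metadata(api_key: str, secret: bytes, rpc_method: str,
                    msg_body: bytes) -> list[tuple[str, str]]:
    """Build the metadata pairs a client would attach to a gRPC call.

    `ts` as Unix seconds and a 16-byte random nonce are assumptions.
    """
    ts = str(int(time.time()))
    nonce = _b64_no_pad(os.urandom(16))  # fresh per request, never reused
    sig = sign_request(api_key, secret, ts, nonce, rpc_method, msg_body)
    return [("key", api_key), ("ts", ts), ("nonce", nonce), ("sig", sig)]


def verify_signature(metadata: list[tuple[str, str]], secret: bytes,
                     rpc_method: str, msg_body: bytes) -> bool:
    """Service-side check: recompute the signature and compare in constant time."""
    md = dict(metadata)
    expected = sign_request(md["key"], secret, md["ts"], md["nonce"],
                            rpc_method, msg_body)
    return hmac.compare_digest(expected, md["sig"])
```

Because the parts are fed to the MAC back to back with no delimiter or length prefix, two requests whose field boundaries differ can produce the same MAC input; a per-part length prefix would remove that ambiguity.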
Resources