Inconsistency: Rust validator requires `;req` on @authority but TypeScript library doesn't produce it

[ulziibay-kernel]

Body

Summary

There's an inconsistency between the Rust http-signature-directory validator and the TypeScript directoryResponseHeaders function regarding the ;req component parameter on @authority.

The Issue

Rust validator (http-signature-directory) requires "@authority";req:

// crates/http-signature-directory/src/main.rs lines 72-83
CoveredComponent::Derived(DerivedComponent::Authority { req: true }) => {
    vec![self.authority.clone()]  // ✓ Returns value
}
CoveredComponent::Derived(DerivedComponent::Authority { req: false }) => {
    error!("You are signing a plain `@authority` without the `req` component parameter...");
    vec![]  // ✗ Returns empty, causing verification failure
}

TypeScript library (directoryResponseHeaders) produces "@authority" without ;req:

// packages/http-message-sig/src/directory.ts
export const RESPONSE_COMPONENTS: Component[] = ["@authority"];  // No ;req

Cloudflare documentation also shows "@authority" without ;req:
https://developers.cloudflare.com/bots/reference/bot-verification/web-bot-auth/#2-host-a-key-directory

Signature-Input: sig1=("@authority");alg="ed25519";keyid="...";tag="http-message-signatures-directory"...

RFC 9421 Reference

Section 2.4 states:

"When a request message results in a signed response message, the signer can include portions of the request message in the signature base by adding the req parameter to the component identifier."

The RFC uses "can" (optional), not "MUST" (required).

Reproduction

1. Use directoryResponseHeaders to sign a directory response
2. Validate with http-signature-directory CLI
3. Validation fails with: "You are signing a plain @authority without the req component parameter"

Questions

1. Should the TypeScript library be updated to use "@authority";req in RESPONSE_COMPONENTS?
2. Or should the Rust validator be relaxed to accept "@authority" without ;req?
3. Should the Cloudflare documentation be updated?

Environment

• http-signature-directory v0.6.0
• web-bot-auth v0.1.1

[AkshatM]

Way ahead of you :) #67 - just pushing the final changes to the same.

For context, it's not actually possible to have a free-floating @authority returned by the response, since that is a property only available on the request per the RFC. Indeed, the latest version of the RFC stipulates this is required for http-signature-directory .

So the correct behaviour is indeed what the Rust validator checks for.

[AkshatM]

Once #67 is merged, I'll update the Cloudflare documentation accordingly. Thanks for raising this issue - your diligence is very appreciated :)

[ulziibay-kernel]

Thanks for the response. I am glad that I trusted the rust validator more.