Skip to content

[Feature request] HTTP request signing not supported #136

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kravchenkoa opened this issue Sep 24, 2021 · 4 comments
Open

[Feature request] HTTP request signing not supported #136

kravchenkoa opened this issue Sep 24, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

@kravchenkoa
Copy link

kravchenkoa commented Sep 24, 2021
edited by jnv
Loading

Some API endpoints have secuirty from request signing e.g. wallet information on binance - https://api.binance.com/sapi/v1/capital/config/getall

Information about signed endpoint security: https://binance-docs.github.io/apidocs/spot/en/#signed-trade-user_data-and-margin-endpoint-security

Expected Behavior

Request signing should be supported

Current Behavior

Request signing is not supported

Possible Solution

Implement request signing and other common security mechanisms
@jnv jnv added the enhancement New feature or request label Sep 24, 2021
@jnv
Copy link
Contributor

jnv commented Sep 24, 2021

Binance uses HMAC SHA256 passed in query string or request body. They also require timestamp and recvWindow, but those can be handled by map.

Another provider requiring requests signing, as mentioned by @freaz, is AWS.

@freaz
Copy link
Member

freaz commented Sep 24, 2021

@jnv AWS request signing is different, this is quiet simple payload signiture, which could be done in map (if stdlib with crypto would be available). compared to https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html

Unfortunately neither is them is really standardized.

@jnv
Copy link
Contributor

jnv commented Sep 24, 2021

I see. Personally I would prefer if requests signing were, in general, handled as a security scheme, but I am not sure whether it is possible to generalize this across many providers. But exposing relevant crypto functions in map would cover both Binance and AWS needs - or not?

@jnv jnv changed the title HTTP request signing not supported [Feature request] HTTP request signing not supported Oct 4, 2021
@jnv
Copy link
Contributor

jnv commented Jul 20, 2022

Another case is with 2Checkout API. In this case, though, the authentication could be handled inside the map, since it doesn't work with the payload:

X-Avangate-Authentication: code="{VENDOR_CODE}" date="{REQUEST_DATE_TIME}" hash="{HASH}"

  • VENDOR_CODE: Your unique 2Checkout supplied merchant code.
  • REQUEST_DATE_TIME: The UTC date time of the request. Format: YYYY-MM-DD HH:MM:SS. You must provide the time of the request in the GMT timezone.
  • HASH: The hashmac digest with an md5 hashing algorithm of the following: LEN(VENDOR_CODE) + VENDOR_CODE + LEN(REQUEST_DATE_TIME) + REQUEST_DATE_TIME. Use the secret key associated with your account for the hashing.

So what we are missing in map for this is MD5 HMAC digest. Moreover, getting the current datetime in this format will be a PITA, but it can be done with some ugly string manipulation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jnv @freaz @kravchenkoa