Skip to content

Sign requests

Verify a signed request using the HMAC and SHA-256 algorithms or return a 403.

The following Snippet will:

  • For request URLs beginning with /generate/, replace /generate/ with /, sign the resulting path with its timestamp, and return the full, signed URL in the response body.

  • For all other request URLs, verify the signed URL and allow the request through.

export default {
async fetch(request) {
const secretKey = "your_secret_key"; // Replace with your actual secret key
const expiration = 60; // Expiration time in seconds (how long an HMAC token should be valid for)
const encoder = new TextEncoder();
// Import the secret key for HMAC-SHA256 signing
const key = await crypto.subtle.importKey(
"raw",
encoder.encode(secretKey),
{ name: "HMAC", hash: "SHA-256" },
false,
["sign", "verify"],
);
const url = new URL(request.url);
// Check if the request URL starts with /generate/
if (url.pathname.startsWith("/generate/")) {
// Replace /generate/ with /
url.pathname = url.pathname.replace("/generate/", "/");
const currentTimestamp = Math.floor(Date.now() / 1000); // Current timestamp in seconds
// Data to authenticate: combine pathname and timestamp
const dataToAuthenticate = `${url.pathname}${currentTimestamp}`;
// Sign the data with HMAC-SHA256
const signature = await crypto.subtle.sign(
"HMAC",
key,
encoder.encode(dataToAuthenticate),
);
// Encode the timestamp and HMAC in a secure manner
const signatureBase64 = btoa(
String.fromCharCode(...new Uint8Array(signature)),
);
const signedData = `${currentTimestamp}-${signatureBase64}`;
const encodedSignedData = encodeURIComponent(signedData);
// Create the signed URL
const signedURL = `${url}?verify=${encodedSignedData}`;
// Return the signed URL in the response body
return new Response(signedURL, { status: 200 });
}
// For all other request URLs, verify the signed URL
const params = new URLSearchParams(url.search);
const verifyParam = params.get("verify");
if (!verifyParam) {
return new Response("Verification parameter is missing", { status: 403 });
}
// Decode and split the verify parameter into timestamp and HMAC
const decodedVerifyParam = decodeURIComponent(verifyParam);
const [timestampStr, receivedMac] = decodedVerifyParam.split("-");
// Parse timestamp and ensure it's a valid number
const timestamp = parseInt(timestampStr, 10);
if (isNaN(timestamp)) {
return new Response("Invalid timestamp", { status: 403 });
}
// Check if the request has expired
const currentTimestamp = Math.floor(Date.now() / 1000);
if (currentTimestamp > timestamp + expiration) {
return new Response("Signed URL has expired", { status: 403 });
}
// Remove the verify parameter to verify the URL
params.delete("verify");
url.search = params.toString();
// Construct the data to authenticate for verification
const dataToVerify = `${url.pathname}${timestamp}`;
// Verify the signature with HMAC-SHA256
const isValid = await crypto.subtle.verify(
"HMAC",
key,
new Uint8Array([...atob(receivedMac)].map((char) => char.charCodeAt(0))),
encoder.encode(dataToVerify),
);
if (!isValid) {
return new Response("Invalid signature", { status: 403 });
}
// Continue processing the request if the signature is valid
return fetch(request);
},
};