diff --git a/src/Middleware/SignedQueryMiddleware.php b/src/Middleware/SignedQueryMiddleware.php
index 1acf638..4f38f91 100644
--- a/src/Middleware/SignedQueryMiddleware.php
+++ b/src/Middleware/SignedQueryMiddleware.php
@@ -13,7 +13,7 @@ use Psr\Http\Server\RequestHandlerInterface;
 
 
 /**
- * Validate that the GraphQL query contains a valid signature in the `Authorization` HTTP header.
+ * Validate that the GraphQL query contains a valid signature in the `X-Signature` HTTP header.
  *
  * The signature payload is the GraphQL operation (or operations in case of batching). That means that the query itself
  * and the variables are signed. But it specifically does **not** include uploaded files.
@@ -52,23 +52,23 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 
     private function verify(ServerRequestInterface $request): void
     {
-        $autorization = $request->getHeader('authorization')[0] ?? '';
-        if (!$autorization) {
+        $signature = $request->getHeader('X-Signature')[0] ?? '';
+        if (!$signature) {
             if ($this->isAllowedIp($request)) {
                 return;
             }
 
-            throw new Exception('Missing `Authorization` HTTP header in signed query', 403);
+            throw new Exception('Missing `X-Signature` HTTP header in signed query', 403);
         }
 
-        if (preg_match('~^v1\.(?\d{10})\.(?[0-9a-f]{64})$~', $autorization, $m)) {
+        if (preg_match('~^v1\.(?\d{10})\.(?[0-9a-f]{64})$~', $signature, $m)) {
             $timestamp = $m['timestamp'];
             $hash = $m['hash'];
 
             $this->verifyTimestamp($timestamp);
             $this->verifyHash($request, $timestamp, $hash);
         } else {
-            throw new Exception('Invalid `Authorization` HTTP header in signed query', 403);
+            throw new Exception('Invalid `X-Signature` HTTP header in signed query', 403);
         }
     }
 
diff --git a/tests/Middleware/SignedQueryMiddlewareTest.php b/tests/Middleware/SignedQueryMiddlewareTest.php
index a742675..bbd2ca7 100644
--- a/tests/Middleware/SignedQueryMiddlewareTest.php
+++ b/tests/Middleware/SignedQueryMiddlewareTest.php
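Review bot: `if (!$signature)` on the new side of the verify() hunk tests truthiness, so an `X-Signature` value of `'0'` is treated as a missing header and, from an allow-listed IP, skips verification entirely instead of reaching the `Invalid` branch; `if ($signature === '') {` keeps the IP bypass strictly for absent headers. The named groups in the `preg_match` pattern appear here as `(?\d{10})` and `(?[0-9a-f]{64})`, which PCRE would reject while `$m['timestamp']` and `$m['hash']` are read just below — this looks like the rendering dropped the `<timestamp>`/`<hash>` group names, but it is worth confirming against the committed file. Since the middleware no longer reads `Authorization`, a client still sending the signature the old way now lands in the missing-header path, which on an allow-listed IP means its signature is never checked; consider stating that in the class docblock, e.g. `A signature carried in any other header is ignored and the request is treated as unsigned.` The enclosing class and `verifyHash()`, where the hash comparison happens, are outside this hunk.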
@@ -53,7 +53,7 @@ private function process(array $keys, bool $required, string $ip, string $body,
 
         $request = $request->withBody(new CallbackStream(fn () => $body))->withParsedBody($parsedBody);
         if ($signature) {
-            $request = $request->withHeader('Authorization', $signature);
+            $request = $request->withHeader('X-Signature', $signature);
         }
 
         $handler = $this->createMock(RequestHandlerInterface::class);
@@ -162,7 +162,7 @@ public function dataProviderQuery(): iterable
             '{"operationName":"CurrentUser","variables":{},"query":"query CurrentUser { viewer { id }}',
             null,
             '',
-            'Missing `Authorization` HTTP header in signed query',
+            'Missing `X-Signature` HTTP header in signed query',
         ];
 
         yield 'invalid header' => [
@@ -170,7 +170,7 @@ public function dataProviderQuery(): iterable
             '{"operationName":"CurrentUser","variables":{},"query":"query CurrentUser { viewer { id }}',
             null,
             'foo',
-            'Invalid `Authorization` HTTP header in signed query',
+            'Invalid `X-Signature` HTTP header in signed query',
         ];
 
         yield 'no graphql operations' => [