HTTP signature verification middleware for Swarmauri
Project description
Swarmauri Middleware HttpSig
HttpSigMiddleware verifies a base64-encoded HMAC-SHA256 signature on every
incoming request body. The middleware compares the provided signature (default
header X-Signature) with one generated from the request payload using a
shared secret. Missing or incorrect signatures are rejected with 401.
Features
- Validates request payloads with an HMAC-SHA256 digest
- Uses constant-time comparisons to mitigate timing attacks
- Configurable signature header via the
header_nameargument - Logs and rejects requests that do not supply a valid signature
Installation
Choose the tool that matches your workflow:
# pip
pip install swarmauri_middleware_httpsig
# Poetry
poetry add swarmauri_middleware_httpsig
# uv
uv add swarmauri_middleware_httpsig
Example
The snippet below wires the middleware into FastAPI via the @app.middleware
decorator, signs a request body, and demonstrates the 401 response that
occurs when a tampered signature is supplied. The middleware raises
HTTPException, so the example also converts those errors to JSON responses.
import base64
import hashlib
import hmac
import json
from fastapi import FastAPI, HTTPException, Request
from fastapi.testclient import TestClient
from fastapi.responses import JSONResponse
from swarmauri_middleware_httpsig import HttpSigMiddleware
app = FastAPI()
http_sig = HttpSigMiddleware(secret_key="supersecret")
@app.middleware("http")
async def verify_signature(request: Request, call_next):
try:
return await http_sig.dispatch(request, call_next)
except HTTPException as exc:
return JSONResponse(status_code=exc.status_code, content={"detail": exc.detail})
@app.post("/echo")
async def echo(payload: dict) -> dict:
return payload
def create_signature(secret: str, body: bytes) -> str:
digest = hmac.new(secret.encode(), body, hashlib.sha256).digest()
return base64.b64encode(digest).decode()
if __name__ == "__main__":
client = TestClient(app)
body = json.dumps({"message": "hello"}).encode()
signature = create_signature("supersecret", body)
ok = client.post(
"/echo",
data=body,
headers={
"X-Signature": signature,
"Content-Type": "application/json",
},
)
assert ok.status_code == 200
print("Verified response:", ok.json())
bad = client.post(
"/echo",
data=body,
headers={
"X-Signature": "tampered",
"Content-Type": "application/json",
},
)
assert bad.status_code == 401
print("Unauthorized status:", bad.status_code)
Want to help?
If you want to contribute to swarmauri-sdk, read up on our guidelines for contributing that will help you get started.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file swarmauri_middleware_httpsig-0.8.0.dev33.tar.gz.
File metadata
- Download URL: swarmauri_middleware_httpsig-0.8.0.dev33.tar.gz
- Upload date:
- Size: 7.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.3 {"installer":{"name":"uv","version":"0.10.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
944f8f5816d027c595c2bcc014468a2a6ff17efa9c95071c142091ab5942b573
|
|
| MD5 |
d453b5bc5a329a27034a160595a24727
|
|
| BLAKE2b-256 |
1a6afe3dc6c33a761cc1a4752631e9dfa601f6c8b6ffa6654428c6407c245d30
|
File details
Details for the file swarmauri_middleware_httpsig-0.8.0.dev33-py3-none-any.whl.
File metadata
- Download URL: swarmauri_middleware_httpsig-0.8.0.dev33-py3-none-any.whl
- Upload date:
- Size: 8.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.3 {"installer":{"name":"uv","version":"0.10.3","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4012a6951b68c300dc3c278877c63b46df3c956f57bfdf08885cbfc21bff331a
|
|
| MD5 |
c8ba44b42259800b51e228733c9b401d
|
|
| BLAKE2b-256 |
1cad8fc46e89fee734939aa472564397c35c20e81ddc22d09c7dbf9fac6ddd6a
|