esodot commented Oct 8, 2025
- Blockfrost webhook signature validation and verification functionality
- Refactoring and dependency updates
- Export the src/utils/blockfrost_signature_validator.dart
- Add own utils export file to control the exported files from utils folder. - Use utils_exports.dart in main export file
Hi @esodot, thanks for the contribution! (there is an "Edit this page" button at the bottom) There is a bounty of 100 ADA for the task blockfrost/blockfrost.dev#8 and you already did the hard part 🚀
Hi @slowbackspace, thank you. I'm currently preparing the usage examples for the dart SDK and will create a pull request there ASAP. |
@slowbackspace added PR into documentation repo: blockfrost/blockfrost.dev#60 |
slowbackspace left a comment
Good job! Just a few changes required.
In general:
- The API for the verification function should stay consistent across all SDKs (order of fn parameters, same amount of configurability, same defaults, errors on failure)
- Instead of returning false, throw a custom error/exception in every failure case.
And don't forget to send your ADA address to receive the bounty once the PR is merged. Sadly, there is a single bounty for both the SDK implementation and the documentation, so we can either send it to one address or split it between two.
| import 'package:blockfrost_api/src/utils/signature_validator.dart'; | ||
| import 'package:crypto/crypto.dart'; | ||
| const int maxToleranceSeconds = 60; |
please make this configurable by using it as a fn param in BlockfrostSignatureValidator.validate with default of 600s. It should mimic TS/Python interface as closest as possible.
https://github.com/blockfrost/blockfrost-js/blob/master/src/utils/helpers.ts#L211
| /// Adapter class which implements the validator interface to validate the blockfrost webhook signature. | ||
| class BlockfrostSignatureValidator implements SignatureValidator { | ||
| @override | ||
| bool validate({ |
Can you please change the order of the params to match the node.js, python and ruby SDK implementation
https://github.com/blockfrost/blockfrost-python/blob/master/blockfrost/helpers.py#L18
https://github.com/blockfrost/blockfrost-js/blob/master/src/utils/helpers.ts#L211
| providedSignatures.any((sig) => sig == expectedSignature); | ||
| if (!signatureMatch) { | ||
| print('Verification Failed: Signatures do not match.'); |
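Review bot: `providedSignatures.any((sig) => sig == expectedSignature)` compares the HMAC with `==`, and Dart string equality is not guaranteed to run in constant time, so the comparison can leak how many leading characters of the expected signature matched. Compare fixed-length byte/code-unit sequences with a length check followed by an XOR-accumulate over every position (no early return), and only then decide; the `print` on the next line should become a thrown exception as requested in the comment below.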
Leaking the expected HMAC = leaking an auth token for that payload+timestamp.
If anyone with log access sees the expected signature for the payload, they can replay the request within the tolerance window by sending the same body with t and v1 values from the logs.
If possible throw an error similar to the python/node.js implementation with the signature header and payload attached. Don't print the expected signature.
https://github.com/blockfrost/blockfrost-js/blob/master/src/utils/helpers.ts#L285-L291
| print("timeDifference: $timeDifference"); | ||
| if (timeDifference > maxToleranceSeconds) { | ||
| print( |
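Review bot: `if (timeDifference > maxToleranceSeconds)` only catches timestamps that are too old; the hunk does not show how `timeDifference` is computed, and if it is a signed now-minus-t value then a `t` set in the future passes the check. Compare the absolute difference, e.g. `if (timeDifference.abs() > maxToleranceSeconds)`, and drop the `print("timeDifference: $timeDifference")` debug line above.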
same as above, please throw an error instead of using print fn
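The behaviour this review asks the Dart port to mirror (reference parameter order, a 600 s default tolerance, one exception type for every failure that carries the header and body but never the expected HMAC, and a comparison that does not stop at the first differing byte), written out as an added Python example. This is not the blockfrost-python or blockfrost-dart code: the parameter order, the `<t>.<body>` signed payload and the `t=…,v1=…` header layout are assumptions about the Blockfrost webhook scheme, and `make_signature_header` is a fixture helper constructed for the example.

```python
import hashlib
import hmac
import time

class SignatureVerificationError(Exception):
    """Raised on every failure; carries header and body for diagnostics but never the
    expected signature, which would let a log reader replay the request in the window."""
    def __init__(self, message, signature_header, request_body):
        super().__init__(message)
        self.signature_header = signature_header
        self.request_body = request_body

def _sign(body: bytes, webhook_auth_token: str, timestamp: int) -> str:
    # Assumed scheme: signed payload is "<t>.<raw body>", MAC is HMAC-SHA256 keyed with the token.
    msg = f"{timestamp}.".encode() + body
    return hmac.new(webhook_auth_token.encode(), msg, hashlib.sha256).hexdigest()

def make_signature_header(request_body, webhook_auth_token, timestamp):
    """Builds the header as a sender would; used here only to construct fixtures."""
    body = request_body.encode() if isinstance(request_body, str) else request_body
    return f"t={timestamp},v1={_sign(body, webhook_auth_token, timestamp)}"

def verify_webhook_signature(request_body, signature_header, webhook_auth_token,
                             timestamp_tolerance_seconds=600, current_timestamp=None):
    """Parameter order and the 600 s default follow the blockfrost-python helper (assumed)."""
    body = request_body.encode() if isinstance(request_body, str) else request_body
    def fail(msg):  # one exception type for every reason; header and body attached
        return SignatureVerificationError(msg, signature_header, request_body)
    timestamp, provided = None, []
    for item in signature_header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            provided.append(value)
    if timestamp is None or not timestamp.isdigit() or not provided:
        raise fail("Invalid signature header format")
    expected = _sign(body, webhook_auth_token, int(timestamp))
    # compare_digest runs in constant time; == would stop at the first differing byte.
    if not any(hmac.compare_digest(expected, sig) for sig in provided):
        raise fail("No signatures found matching the expected signature for payload")
    now = int(time.time()) if current_timestamp is None else current_timestamp
    # abs(): a timestamp from the future is as suspicious as a stale one.
    if abs(now - int(timestamp)) > timestamp_tolerance_seconds:
        raise fail("Signature's timestamp is outside of the tolerance zone")
    return True
```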
- Refactor print messages. - Add SignatureValidationException. - Use signature_validation_exception.dart in main export file.
@slowbackspace Thank you for your review. I did the needed changes. Please review again. Also updated the PR in the blockfrost.dev repo: blockfrost/blockfrost.dev#60 Regarding the bounty, please use this address:
Hi @slowbackspace, any updates?
slowbackspace left a comment
Sorry for the delay. LGTM! The 100 ADA bounty will be paid shortly.
If it's simpler for you, use the ADA handle: "adam.app"
Any updates here?
@slowbackspace are you going to send it or not?
@andro-devs sorry, it's been super busy and the payment got stuck with the accounting department for a bit. We've sent something extra to make up for the delay. tx fa9ad51ace3096c65cd97bc30533ea927d3f9e55dff0a806e764f3f0c9701746