Verify Requests
For the sake of security, all requests coming from Space must be checked for authenticity. Space SDK lets you implement both methods of verifying Space requests: via a verification token and via a signing key.
Verifying requests using a verification token
The idea behind the method is to compare the verification token in the request body with the token your application obtained during registration in Space. As the verification token is part of the payload, the SDK provides an extension method for the ApplicationPayload class. The method returns true if verificationToken is equal to the token in the payload. This is what a simple implementation of this method can look like:
Verifying requests using a signing key
We recommend using verification with a signing key instead of the verification token method as it is more secure.
The idea of this method is that Space uses a special signing key to calculate a hash for every request it sends to your application. The application should calculate the hash as well and compare it to the hash in the request.
There are no helper functions in Space SDK for this method, so our task is to implement the verification logic described in Verify Requests from Space. To calculate the hash, you can use the Apache Commons Codec library. To reference it from a Gradle project, add the following lines to build.gradle:
To repositories:

    repositories {
        jcenter()
        // ... other repos
    }

To dependencies:

    dependencies {
        compile group: 'commons-codec', name: 'commons-codec', version: '1.15'
        // ... other dependencies
    }

This is what a simple implementation of this method can look like:
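One way to write this check with Commons Codec, as an added example that is not the SDK's or the original page's code. It assumes the hash is a hex-encoded HMAC-SHA256 over "<timestamp>:<body>" and that the timestamp and signature arrive with the request; verifyWithSigningKey and all sample values are hypothetical and constructed here.

```kotlin
import org.apache.commons.codec.digest.HmacAlgorithms
import org.apache.commons.codec.digest.HmacUtils
import java.security.MessageDigest

/**
 * Hypothetical helper, not part of Space SDK.
 * Assumption: Space signs the string "<timestamp>:<body>" with HMAC-SHA256 and
 * sends the result hex-encoded; check this against "Verify Requests from Space".
 *
 * body must be the raw request text exactly as received. Re-serializing parsed
 * JSON changes the bytes, and the hash will no longer match.
 */
fun verifyWithSigningKey(
    signingKey: String,
    timestamp: String?,
    signature: String?,
    body: String
): Boolean {
    // A request missing either value cannot be authenticated: reject it.
    if (timestamp == null || signature == null) return false

    // HmacUtils wraps a javax.crypto.Mac, which is not thread-safe: build one per call.
    val expected = HmacUtils(HmacAlgorithms.HMAC_SHA_256, signingKey)
        .hmacHex("$timestamp:$body")

    // MessageDigest.isEqual compares in constant time, so response timing does not
    // reveal how many leading characters of a guessed signature were correct.
    return MessageDigest.isEqual(
        expected.toByteArray(Charsets.US_ASCII),
        signature.trim().lowercase().toByteArray(Charsets.US_ASCII)
    )
}

fun main() {
    // Constructed sample values, not real Space data.
    val key = "constructed-signing-key"
    val timestamp = "1700000000000"
    val body = """{"className":"ExamplePayload"}"""
    val signature = HmacUtils(HmacAlgorithms.HMAC_SHA_256, key).hmacHex("$timestamp:$body")

    check(verifyWithSigningKey(key, timestamp, signature, body))          // untouched request
    check(!verifyWithSigningKey(key, timestamp, signature, "$body "))     // body altered
    check(!verifyWithSigningKey(key, "1700000000001", signature, body))   // timestamp altered
    check(!verifyWithSigningKey("wrong-key", timestamp, signature, body)) // different key
    check(!verifyWithSigningKey(key, null, signature, body))              // value missing
    println("all checks passed")
}
```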