Verify Requests from Space
For the sake of security, all requests coming from Space must be checked for authenticity. Space provides a number of verification methods.
This topic provides you instructions on how to implement request verification in your application using the Space SDK:
SSL client certificate
SSL request encryption happens on the web server level. To use this method, you must configure the web server that hosts your application.
HTTP authentication
Space SDK doesn't provide any helper methods to perform this type of verification. Most of the modern frameworks provide support for HTTP authentication out of the box. For example, here you can find the instructions for Ktor.
For general instructions on verification methods, refer to this topic.
(Recommended) Verifying requests using a public key
We recommend using verification with a public key instead of other methods as it is more secure.
This verification method is based on asymmetric encryption. For every request sent to your application, Space creates a signature: It calculates a request hash and encrypts it using a private key. The application should verify the signature: calculate the hash as well, decrypt the signature received from Space, and compare two hashes. To decrypt the signature, the application must use a public key obtained from Space. Learn more
Space SDK supports this verification type out of the box. A Space client provides the verifyWithPublicKey()
method that handles the entire signature verification process. To verify the signature, the method requires the request body and the content of the X-Space-Public-Key-Signature
and X-Space-Timestamp
HTTP headers.
For example, this is how you can use this method to verify requests in your application:
Verifying requests using a signing key
The idea of this method is that Space uses a special signing key to calculate hash for every request it sends to your application. The application should calculate the hash as well and compare it to the hash in the request.
There are no helper functions in Space SDK for this method, so, our task is to implement the verification logic described in Verify Requests from Space. To calculate hash, you can use the Apache Commons Codec library. To reference it from a Gradle project, add the following lines to build.gradle
:
To
repositories
:repositories { jcenter() // ... other repos }To
dependencies
:dependencies { compile group: 'commons-codec', name: 'commons-codec', version: '1.15' // ... other dependencies }
This is how a simple implementation of this method can look like:
(Obsolete) Verifying requests using a verification token
The idea behind the method is to compare the verification token in the request body with the request your application obtained during registration in Space. As the verification token is a part of the payload, the SDK provides an extension method for the ApplicationPayload
class:
true
if verificationToken
is equal to the token in the payload.This is how a simple implementation of this method can look like: