Fix X-Matrix signature validation for incoming requests (!104) · Merge requests · Matrix projects / Grapevine

Lambda requested to merge lambda/fix-incoming-x-matrix-uri into main Sep 18, 2024

For HTTP/1 requests, an inbound Request's URI contains only the path and query parameters, since there's no way to synthesize the authority part. This is exactly what we need for the X-Matrix "uri" field.

HTTP/2 requests however can contain the :authority pseudo-header, which is used to populate the Request's URI. Using a URL that includes an authority breaks the signature check.

Largely inspired by conduit MR !631.

Fix X-Matrix signature validation for incoming requests

Merge request reports