Backend token authentication
Difficulty level: Difficult
Objective
The backend configured on this service requires an authentication token in the URL. If it's missing or invalid, the backend will return a 403 (Forbidden) response. We don't expect requests from end users to include the token, so it needs to be added at the edge.

Use https://cspuzzle-synthetic-backend.global.ssl.fastly.net as the backend, and the path /p1/source-1. This endpoint expects to receive the token in a query string parameter named token, in a GET request. For the token to be validated and accepted, the following steps should be performed at the edge:
- Let expiryTime be a unix timestamp of a date in the future.
- Let stringToSign be a string concatenation of the following, without whitespace or delimiters:
  - The request URL path (e.g. "/foo"; a URL path does not include any query params or the hostname)
  - The value of expiryTime (e.g. "1649328979")
  - The User-Agent header (e.g. "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0")
  - The client IP address (e.g. "233.252.73.192")
- Let signature be a base64 representation of an HMAC SHA-256 digest of stringToSign, generated using the secret vuVsBZ6JcHn8xtUP.
- Let tokenValue be a string concatenation of expiryTime and signature, separated by an underscore character.
- Let beReq be a new HTTP request which has the same method, path and body as the client request.
- Set the query parameters of beReq to a single entry, with the key "token" set to the value of tokenValue.
- Set the headers of beReq to:
  - User-Agent: copy from client request
  - X-Client-IP: the IP address of the client
- Send beReq to the origin.
For example, this could be a sample request URL:
https://cspuzzle-synthetic-backend.global.ssl.fastly.net/p1/source-1?token=2550557975_skZrIHPTKF2tVbIauoIoibQ+9nBFE+38/e4eJKD8ZUw=
If the backend is able to recognize and validate the token, it will respond with a 200 (OK) status and a JSON payload.