Backend token authentication
Difficulty level: Difficult
Objective
The backend configured on this service requires an authentication token in the URL. If it's missing or invalid, the backend will return a 403 (Forbidden) response. We don't expect requests from end users to include the token, so it needs to be added at the edge.
Use https://cspuzzle-synthetic-backend.global.ssl.fastly.net as the backend, and the path /p1/source-1. This endpoint expects to receive the token in a query string parameter named token, in a GET request. For the token to be validated and accepted, the following steps should be performed at the edge:
- Let
expiryTimebe a unix timestamp of a date in the future - Let
stringToSignbe a string concatenation of the following, without whitespace or delimiters:- The request URL Path (e.g. "/foo" - a URL path does not include any query params or the hostname)
- The value of
expiryTime(e.g. "1649328979") - The
User-Agentheader (e.g. "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0") - The client IP address (e.g. "233.252.73.192")
- Let
signaturebe an base64 representation of an HMAC SHA 256 digest ofstringToSign, generated using the secretvuVsBZ6JcHn8xtUP. - Let
tokenValuebe a string concatenation ofexpiryTimeandsignature, separated by an underscore character. - Let
beReqbe a new HTTP Request which has the same method, path and body as the client request - Set the query parameters of
beReqto a single entry, with the key "token" set to the value oftokenValue. - Set the headers of
beReqtoUser-Agent: copy from client requestX-Client-IP: The IP address of the client
- Send
beReqto the origin.
For example, this could be a sample request URL:
https://cspuzzle-synthetic-backend.global.ssl.fastly.net/p1/source-1?token=2550557975_skZrIHPTKF2tVbIauoIoibQ+9nBFE+38/e4eJKD8ZUw=If the backend is able to recognize and validate the token, it will respond with a 200 (OK) status and a JSON payload.