Backend token authentication
Difficulty level: Difficult
The backend configured on this service requires an authentication token in the URL. If it's missing or invalid, the backend will return a
403 (Forbidden) response. We don't expect requests from end users to include the token, so it needs to be added at the edge.
Use https://cspuzzle-synthetic-backend.global.ssl.fastly.net as the backend, and the path
/p1/source-1. This endpoint expects to receive the token in a query string parameter named
token, in a GET request. For the token to be validated and accepted, the following steps should be performed at the edge:
- Let expiryTime be a Unix timestamp of a date in the future.
- Let stringToSign be a string concatenation of the following, without whitespace or delimiters:
  - The request URL path (e.g. "/foo"; a URL path does not include any query params or the hostname)
  - The value of the User-Agent header (e.g. "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0")
  - The client IP address (e.g. "22.214.171.124")
- Let signature be the base64 representation of an HMAC-SHA256 digest of stringToSign, generated using the secret.
- Let tokenValue be a string concatenation of expiryTime and signature, separated by an underscore character.
- Let beReq be a new HTTP request which has the same method, path and body as the client request.
  - Set the query parameters of beReq to a single entry, with the key "token" set to the value of tokenValue.
  - Set the headers of beReq to:
    - User-Agent: copy from client request
    - X-Client-IP: the IP address of the client
- Send beReq to the origin.
For example, this could be a sample request URL:
If the backend is able to recognize and validate the token, it will respond with a
200 (OK) status and a JSON payload.
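As an added, runnable illustration (not part of the original puzzle and not Fastly's own code), the Python below models both sides of the scheme: build_backend_request plays the edge and derives beReq exactly as the steps above describe, and validate_token is a stand-in for the origin, returning 403 for a missing or invalid token and 200 otherwise, which is all the page says about the origin's behaviour. The secret value, the dict shapes used for requests, and the sample client request are assumptions made for the example; the real puzzle secret is not reproduced here.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical shared secret; the puzzle's real secret is not shown in the text.
SECRET = b"example-shared-secret"

# Constructed sample client request (not captured traffic). The dict shape is an
# assumption of this example. Note the client query string, which must not reach the origin.
SAMPLE_CLIENT_REQUEST = {
    "method": "GET",
    "url": "/p1/source-1?debug=1",
    "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) "
                              "Gecko/20100101 Firefox/47.0"},
    "body": b"",
    "client_ip": "22.214.171.124",
}


def build_string_to_sign(path: str, user_agent: str, client_ip: str) -> str:
    """stringToSign: path + User-Agent + client IP, with no whitespace or delimiters.
    `path` must already be a bare URL path (no scheme, host or query string)."""
    return f"{path}{user_agent}{client_ip}"


def sign(string_to_sign: str, secret: bytes = SECRET) -> str:
    """signature: standard base64 of HMAC-SHA256(secret, stringToSign)."""
    digest = hmac.new(secret, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def make_token(path: str, user_agent: str, client_ip: str,
               expiry_time: int, secret: bytes = SECRET) -> str:
    """tokenValue: expiryTime and signature joined by an underscore.
    Standard base64 never contains '_', so the separator is unambiguous."""
    return f"{expiry_time}_{sign(build_string_to_sign(path, user_agent, client_ip), secret)}"


def build_backend_request(client_req: dict, secret: bytes = SECRET,
                          now: Optional[float] = None, ttl: int = 300) -> dict:
    """Edge side: derive beReq from the client request, following the steps above."""
    path = urlsplit(client_req["url"]).path          # path only: client query params are dropped
    expiry_time = int(time.time() if now is None else now) + ttl
    user_agent = client_req["headers"].get("User-Agent", "")
    token = make_token(path, user_agent, client_req["client_ip"], expiry_time, secret)
    return {
        "method": client_req["method"],
        "url": f"{path}?{urlencode({'token': token})}",   # exactly one query entry
        "headers": {"User-Agent": user_agent, "X-Client-IP": client_req["client_ip"]},
        "body": client_req["body"],
    }


def validate_token(bereq: dict, secret: bytes = SECRET,
                   now: Optional[float] = None) -> Tuple[int, str]:
    """Origin side: (403, reason) for a missing/invalid token, (200, "ok") otherwise.
    The origin rebuilds stringToSign from the path, User-Agent and X-Client-IP it received,
    so X-Client-IP must only ever be accepted from the edge. As specified above, expiryTime
    is not part of stringToSign, so the signature does not bind the expiry; the expiry check
    therefore rests on the integrity of the edge-to-origin hop."""
    parts = urlsplit(bereq["url"])
    token = parse_qs(parts.query).get("token", [None])[0]
    if token is None:
        return 403, "missing token"
    expiry_s, sep, presented_sig = token.partition("_")
    if not sep or not expiry_s.isdigit():
        return 403, "malformed token"
    if int(expiry_s) <= (time.time() if now is None else now):
        return 403, "expired"
    expected_sig = sign(build_string_to_sign(
        parts.path,
        bereq["headers"].get("User-Agent", ""),
        bereq["headers"].get("X-Client-IP", ""),
    ), secret)
    # Constant-time compare: a plain == would leak how many leading bytes matched.
    if not hmac.compare_digest(expected_sig, presented_sig):
        return 403, "bad signature"
    return 200, "ok"
```

Two details worth carrying into a real deployment: the signature is compared with hmac.compare_digest rather than ==, and the origin must treat X-Client-IP as trustworthy only because the edge sets it, so it should reject requests that did not arrive from the edge.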