Backend token authentication

Difficulty level: Difficult


The backend configured on this service requires an authentication token in the URL. If it's missing or invalid, the backend will return a 403 (Forbidden) response. We don't expect requests from end users to include the token, so it needs to be added at the edge.

Use as the backend, and the path /p1/source-1. This endpoint expects to receive the token in a query string parameter named token, in a GET request. For the token to be validated and accepted, the following steps should be performed at the edge:

  1. Let expiryTime be a unix timestamp of a date in the future
  2. Let stringToSign be a string concatenation of the following, without whitespace or delimiters:
    • The request URL Path (e.g. "/foo" - a URL path does not include any query params or the hostname)
    • The value of expiryTime (e.g. "1649328979")
    • The User-Agent header (e.g. "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0")
    • The client IP address (e.g. "")
  3. Let signature be a base64 representation of an HMAC-SHA256 digest of stringToSign, generated using the secret vuVsBZ6JcHn8xtUP.
  4. Let tokenValue be a string concatenation of expiryTime and signature, separated by an underscore character.
  5. Let beReq be a new HTTP Request which has the same method, path and body as the client request
  6. Set the query parameters of beReq to a single entry, with the key "token" set to the value of tokenValue.
  7. Set the headers of beReq to
    • User-Agent: copy from client request
    • X-Client-IP: The IP address of the client
  8. Send beReq to the origin.

For example, this could be a sample request URL:

If the backend is able to recognize and validate the token, it will respond with a 200 (OK) status and a JSON payload.

Try this challenge now

For a guide to how challenges work see getting started.