HMAC Client and Server Interceptor for golang grpc
go get github.com/travix/protoc-gen-gotf
✏️ Example
Add required interceptors to grpc server options
// getSecrets implements hmac.GetSecret func type that returns secret key for given keyId
interceptor := hmac.NewServerInterceptor(getSecrets)
opts := []grpc.ServerOption{
interceptor.UnaryInterceptor(),
interceptor.StreamInterceptor(),
// ... other options
}
server := grpc.NewServer(opts...)
Add required interceptors to grpc client options
// keyId for which secret_key is returned by hmac.GetSecret func type on server side
interceptor := hmac.NewClientInterceptor(keyId, secret_key)
opts := []grpc.DialOption{
interceptor.WithUnaryInterceptor(),
interceptor.WithStreamInterceptor(),
// ... other options
}
conn, err := grpc.Dial(addr, opts...)
HMAC is generated using
- Request payload encoded using gob encoder, full method name concatenated with
;
as separator - If request payload is empty, then only full method name is used.
- Generated message is encrypted with given secret using SHA512_256
Authentication flow
- Client interceptor adds
x-hmac-key-id
andx-hmac-signature
to outgoing request context. - Server interceptor reads
x-hmac-key-id
andx-hmac-signature
from incoming request context and verifies the signature using secret independently fetched on server using given key id. - If signature is valid, request is processed, otherwise
Unauthenticated
error is returned.