wave hi ya ll i m new to kotlin and spring i have a REST co kotlinlang #spring

:wave: hi, ya'll! i'm new to kotlin and spring; i ...

Adrian Cruz

08/13/2021, 12:56 PM

👋 hi, ya'll! i'm new to kotlin and spring; i have a REST controller that will be receiving webhooks. we want to validate these webhooks with a signature that gets sent over. we currently have a

@RequestBody body: MyDataClass

to get a deserialized object of the payload. but my problem is that i need to pass in the body as a String to validate the signature properly. Is there a proper way to handle this? or do i just update to

@RequestBody body: String

, then do validation, and finally do a manual

ObjectMapper

MyDataClass

Thomas

08/13/2021, 1:01 PM

How about an interceptor validating the signature, for example if the method has a certain annotation?

thanksforallthefish

08/13/2021, 1:22 PM

Copy code

import javax.validation.Valid
import javax.validation.ConstraintValidator
import javax.validation.ConstraintValidatorContext

class Controller {
  @PostMapping //or get, or whatever method your webhook uses
  fun webhook(@Valid @RequestBody body: MyDataClass)
}

class MyDataClass(
  @get:ValidSignature
  val signature: String
)

@Constraint(validatedBy = [ValidSignatureValidator::class])
@Target(AnnotationTarget.CLASS)
@Retention(AnnotationRetention.RUNTIME)
annotation class ValidSignature(
  val message: String = "Some error message",
  val groups: Array<KClass<*>> = [],
  val payload: Array<KClass<*>> = []
)

class ValidSignatureValidator : ConstraintValidator<ValidSignature, String> {

  override fun isValid(value: String, context: ConstraintValidatorContext): Boolean =
    ...

this uses javax validation which I really really like since it gives you all violations at once (should have more) and automatically pinpoints the exact cause of the error. javax validation is a specification, so you need an implementation as well. usually I go with hibernate validator, but there are also kotlin ones which might be more idiomatic (but I never tried them). for instance in gradle

Copy code

implementation "org.hibernate.validator:hibernate-validator"

👓 3

thanksforallthefish

08/13/2021, 1:24 PM

if you are using spring boot all necessary beans are created automatically, I think

thanksforallthefish

08/13/2021, 1:25 PM

this would be a pretty bare bone implementation, you can do a lot more (like message with parameters, error translation, etc) but that requires more configuration ofc

Adrian Cruz

08/13/2021, 1:28 PM

hi, ya'll! thank you for the responses! 🙏

Adrian Cruz

08/13/2021, 1:30 PM

@thanksforallthefish: for your example, would it matter if i'm getting the signature in an HTTP header? currently getting it like so

@RequestHeader(value = "X-XYZCorp-Signature") signature: String,

Adrian Cruz

08/13/2021, 1:31 PM

also, love the slack handle! loved that book! 🐬

thanksforallthefish

08/13/2021, 1:34 PM

@ValidSignature @RequestHeader(value = "X-XYZCorp-Signature") signature: String,

should work in that case

thanksforallthefish

08/13/2021, 1:35 PM

maybe you would also

@Valid

and/or

Copy code

@Validated
class Controller

I am never sure there

Adrian Cruz

08/13/2021, 1:35 PM

i see. brilliant. let me give that a go 👍

kqr

08/13/2021, 1:59 PM

I don't think this will solve your problem, if I understand it correctly

kqr

08/13/2021, 1:59 PM

you have payload and some signature of this payload represented as string

kqr

08/13/2021, 2:00 PM

and you need to hook before spring translates this string into object

kqr

08/13/2021, 2:00 PM

to be able to verify signature

Adrian Cruz

08/13/2021, 2:03 PM

hello, jakub 👋 yes, that's a good summary of what i'd like to do. i'm new to kotlin + spring boot, but the recommendation here won't work?

Adrian Cruz

08/13/2021, 2:04 PM

yes, the signature is HmacSHA256 of payload + secret. that's correct. in case that helps clear up anything

kqr

08/13/2021, 2:06 PM

well first, this is not really related to kotlin but spring, so probably you would get better info in springs gitter chat

kqr

08/13/2021, 2:06 PM

secondly, I can't imagine how would javax.validation help in this context

kqr

08/13/2021, 2:06 PM

so yeah either accept is as a string and do conversion manually after check

kqr

08/13/2021, 2:07 PM

or I would look into filters/interceptors and hook some interceptor before messageconversion

ashmelev

08/13/2021, 2:07 PM

I have solved this by requiring that the JSON fields be in a specific order You can do this by adding these two Jackson annotations to the

@RequestBody

Object: ``

Copy code

@JsonInclude(JsonInclude.Include.ALWAYS)
@JsonPropertyOrder("name", "type", "value")

Then you can simply convert the object to a JSON string, validate and dispose the String. This method also allows to you leave the

@Validated

annotation intact so that Spring can take care of that for you as well

kqr

08/13/2021, 2:08 PM

but this would need to be honored by client too, right?

kqr

08/13/2021, 2:09 PM

and formatting

thanksforallthefish

08/13/2021, 2:18 PM

javax validation also offers cross parameter validation, so it should be possible, but yeah, I did not understand the problem correctly

kqr

08/13/2021, 2:22 PM

but parameters have to be on the same object, no?

Adrian Cruz

08/13/2021, 2:34 PM

got it, thank you all for the feedback! 🙏 i think for now, i will just accept the body as a String and manually convert.

Adrian Cruz

08/13/2021, 2:34 PM

i'm all ears though, if there is a better solution! 👍

thanksforallthefish

08/13/2021, 2:38 PM

@kqr no, there is https://www.baeldung.com/javax-validation-method-constraints#2-using-cross-parameter-constraints personally I find it relatively ugly, the validator receives an array and you access those positionally, but it is a possibility

kqr

08/13/2021, 2:40 PM

thx TIL

5 Views

Open in Slack

Previous Next