Add payload hash to signer JWT claims#356
Merged
jclapis merged 141 commits intosigp-audit-fixesfrom Sep 2, 2025
Merged
Conversation
…he source" This reverts commit 58c6117.
ltitanb
requested changes
Aug 14, 2025
| The token **must include** the following claims: | ||
| - `exp` (integer): Expiration timestamp | ||
| - `module` (string): The ID of the module making the request, which must match a module ID in the Commit-Boost configuration file. | ||
| - `payload_hash` (string): The Keccak-256 hash of the JSON-encoded request body, with optional `0x` prefix. This is required to prevent JWT replay attacks. |
Collaborator
There was a problem hiding this comment.
Json is not an ideal serialization format to hash, let's use ssz with the nonce and object root. As an optimization, we could re use that root directly when providing the signature
Collaborator
Author
There was a problem hiding this comment.
Ok, but note that this isn't exclusive to signing requests - any request made to the server with a body (e.g., any request that uses POST) needs to do this, which means we need to define SSZ types for every request and have the user conform to those.
Co-authored-by: ltitanb <163874448+ltitanb@users.noreply.github.com>
Co-authored-by: ltitanb <163874448+ltitanb@users.noreply.github.com>
ltitanb
approved these changes
Sep 1, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is part 2 of the update on CBST2-01, following #354 and #353. This solves one of the issues found within the audit by making all of the routes with a request body (e.g., the
POSTroutes) encode the Keccak256 hash of the payload body into the JWT claims for the request's auth header. Doing so means JWTs can't be intercepted and reused for unrelated requests, such as for signing different things other than what the original request was for. This affects all routes, including the new/revoke_jwtand/reloadones.