feat: action v2 signing (#8779)

# Which Problems Are Solved

The action v2 messages didn't contain anything providing security
for the sent content.

# How the Problems Are Solved

Each Target now has a SigningKey, which can also be newly generated
through the API and returned at creation and through the Get-Endpoints.
There is now an HTTP header "Zitadel-Signature", which is generated with
the SigningKey and Payload, and also contains a timestamp to check with
a tolerance if the message took too long to send.

# Additional Changes

The functionality to create and check the signature is provided in the
pkg/actions package, and can be reused in the SDK.

# Additional Context

Closes #7924

---------

Co-authored-by: Livio Spring <livio.a@gmail.com>
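The mechanism described in the commit message (an HMAC over the payload keyed with the Target's SigningKey, carrying a timestamp that the receiver checks against a tolerance) as an added, self-contained example. This is not ZITADEL's pkg/actions code: the header layout `t=<unix>,v1=<hex hmac>`, the HMAC-SHA256 choice and the `Sign`/`Validate` names are assumptions made for illustration, and the key and payload are constructed test values.

```go
package main

// Added example, not ZITADEL's pkg/actions implementation: an HMAC signature
// header that binds the payload to a timestamp, plus the receiver-side check
// with a freshness tolerance. The "t=<unix>,v1=<hex>" layout, HMAC-SHA256 and
// the function names are assumptions; the page does not specify them.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// SigningHeader is the header name given in the commit message.
const SigningHeader = "Zitadel-Signature"

// signedContent is what the MAC covers. Including the timestamp means a
// captured header cannot be replayed with a fresh timestamp, and an old
// header is rejected once it falls outside the tolerance window.
func signedContent(ts int64, body []byte) []byte {
	return append([]byte(strconv.FormatInt(ts, 10)+"."), body...)
}

// Sign produces the header value for body at time now (sender side).
func Sign(key, body []byte, now time.Time) string {
	ts := now.Unix()
	mac := hmac.New(sha256.New, key)
	mac.Write(signedContent(ts, body))
	return fmt.Sprintf("t=%d,v1=%s", ts, hex.EncodeToString(mac.Sum(nil)))
}

// Validate parses the header, recomputes the MAC over the raw received body,
// compares it in constant time, and rejects timestamps further than
// tolerance from now in either direction (receiver side).
func Validate(key, body []byte, header string, now time.Time, tolerance time.Duration) error {
	var ts int64
	var sig []byte
	var haveTS, haveSig bool
	for _, part := range strings.Split(header, ",") {
		k, v, ok := strings.Cut(part, "=")
		if !ok {
			return errors.New("malformed signature header")
		}
		switch k {
		case "t":
			n, err := strconv.ParseInt(v, 10, 64)
			if err != nil {
				return errors.New("malformed timestamp")
			}
			ts, haveTS = n, true
		case "v1":
			b, err := hex.DecodeString(v)
			if err != nil {
				return errors.New("malformed signature")
			}
			sig, haveSig = b, true
		}
	}
	if !haveTS || !haveSig {
		return errors.New("signature header incomplete")
	}

	// MAC first: an attacker without the key learns nothing about which
	// timestamps would have been accepted.
	mac := hmac.New(sha256.New, key)
	mac.Write(signedContent(ts, body))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return errors.New("signature mismatch")
	}

	age := now.Sub(time.Unix(ts, 0))
	if age > tolerance || age < -tolerance {
		return fmt.Errorf("timestamp outside tolerance (%s)", age)
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key")      // constructed; a real key comes from the Target
	body := []byte(`{"event":"user.created"}`) // constructed payload
	now := time.Now()
	h := Sign(key, body, now)
	fmt.Println(SigningHeader+":", h)
	fmt.Println("valid:   ", Validate(key, body, h, now, 5*time.Minute))
	fmt.Println("tampered:", Validate(key, []byte(`{"event":"user.deleted"}`), h, now, 5*time.Minute))
	fmt.Println("stale:   ", Validate(key, body, h, now.Add(10*time.Minute), 5*time.Minute))
}
```

The receiver must feed `Validate` the request body bytes exactly as received; re-serializing a decoded JSON object changes whitespace and key order and the MAC will not match. `hmac.Equal` is used rather than `bytes.Equal` so the comparison time does not depend on how many leading bytes match.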
Stefan Benz
2024-11-28 11:06:52 +01:00
committed by GitHub
parent 8537805ea5
commit 7caa43ab23
37 changed files with 745 additions and 122 deletions

View File

@@ -48,6 +48,20 @@ func main() {
What happens here is only a target which prints out the received request, which could also be handled with a different logic.
### Check Signature
To additionally check the signature header you can add the following to the example:
```go
// validate signature
if err := actions.ValidatePayload(sentBody, req.Header.Get(actions.SigningHeader), signingKey); err != nil {
// if the signed content is not equal the sent content return an error
http.Error(w, "error", http.StatusInternalServerError)
return
}
```
Where you can replace 'signingKey' with the key received in the next step 'Create target'.
## Create target
As you see in the example above the target is created with HTTP and port '8090' and if we want to use it as webhook, the target can be created as follows:
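Review bot: the example returns http.StatusInternalServerError when actions.ValidatePayload fails, but a missing or invalid signature is a rejected request rather than a server fault; answering 401 or 403 (keeping the body as generic as "error") gives the caller and any error-rate monitoring the right picture. The snippet also uses `sentBody` and `signingKey` without showing where they come from: a sentence stating that `sentBody` is the raw request body bytes exactly as received (not re-serialized after decoding, or the HMAC will not match) and that `signingKey` is the key returned under 'Create target' would make it drop-in. Minor wording: "if the signed content is not equal the sent content" should read "is not equal to the sent content", and "As you see in the example above" reads better as "As you can see in the example above".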

View File

@@ -64,6 +64,13 @@ There are different types of Targets:
The API documentation to create a target can be found [here](/apis/resources/action_service_v3/zitadel-actions-create-target)
### Content Signing
To ensure the integrity of request content, each call includes a 'ZITADEL-Signature' in the headers. This header contains an HMAC value computed from the request content and a timestamp, which can be used to time out requests. The logic for this process is provided in 'pkg/actions/signing.go'. The goal is to verify that the HMAC value in the header matches the HMAC value computed by the Target, ensuring that the sent and received requests are identical.
Each Target resource now contains also a Signing Key, which gets generated and returned when a Target is [created](/apis/resources/action_service_v3/zitadel-actions-create-target),
and can also be newly generated when a Target is [patched](/apis/resources/action_service_v3/zitadel-actions-patch-target).
## Execution
ZITADEL decides on specific conditions if one or more Targets have to be called.
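Review bot: the header name is spelled 'ZITADEL-Signature' here but "Zitadel-Signature" in the commit message, and the code example refers to it as actions.SigningHeader; header names are case-insensitive on the wire, but the docs should use one spelling and state the actual value of actions.SigningHeader. The paragraph says the timestamp "can be used to time out requests" without giving the tolerance that actions.ValidatePayload applies, and it describes the Signing Key as generated and returned on create and patch without saying that the Target operator must store it as a secret (an HMAC proves integrity and origin only to a party holding the key) or what happens to requests signed with the previous key once it is regenerated via patch. Minor: "contains also a Signing Key" should be "also contains a Signing Key".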

View File

@@ -17,7 +17,7 @@
"generate:grpc": "buf generate ../proto",
"generate:apidocs": "docusaurus gen-api-docs all",
"generate:configdocs": "cp -r ../cmd/defaults.yaml ./docs/self-hosting/manage/configure/ && cp -r ../cmd/setup/steps.yaml ./docs/self-hosting/manage/configure/",
"generate:re-gen": "yarn clean-all && yarn gen-all",
"generate:re-gen": "yarn generate:clean-all && yarn generate",
"generate:clean-all": "docusaurus clean-api-docs all"
},
"dependencies": {
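Review bot: the new `generate:re-gen` script calls `yarn generate`, but no `generate` script is visible in this hunk; please confirm it exists elsewhere in package.json, otherwise the second step of re-gen fails. Also, `generate:clean-all` runs only `docusaurus clean-api-docs all`, which removes the generated API docs but not the outputs of `generate:grpc` or `generate:configdocs`; either narrow the name (e.g. `generate:clean-apidocs`) or have the script clean those outputs as well so the name is not misleading.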