Authenticate Reddit API Data w SSL Signature?

#1

I’d like to pull some data from Reddit via the API, but need to authenticate the source to be sure that it hasn’t been tampered with. Ideally I’d like to replicate the process described here in the Stripe API docs:

From what I can tell… this is not possible directly via the Reddit API. I’ve been using Orca, which is an amazing Rust library, to pull data from the API, but I don’t know how to augment it to also sign the data it pulls. Does anyone know how to either manually write a script that combines the Reddit SSL signature along with API data for every request, or modify Orca (or any other Rust Reddit API libraries) to do this?

Thanks 🙂

0 Likes

#2

For reference, here’s the process described in the Stripe docs:


Step 1: Extract the timestamp and signatures from the header

Split the header, using the , character as the separator, to get a list of elements. Then split each element, using the = character as the separator, to get a prefix and value pair.

The value for the prefix t corresponds to the timestamp, and v1 corresponds to the signature(s). You can discard all other elements.


Step 2: Prepare the signed_payload string

You achieve this by concatenating:

  • The timestamp (as a string)
  • The character .
  • The actual JSON payload (i.e., the request’s body)

Step 3: Determine the expected signature

Compute an HMAC with the SHA256 hash function. Use the endpoint’s signing secret as the key, and use the signed_payload string as the message.


Step 4: Compare signatures

Compare the signature(s) in the header to the expected signature. If a signature matches, compute the difference between the current timestamp and the received timestamp, then decide if the difference is within your tolerance.

To protect against timing attacks, use a constant-time string comparison to compare the expected signature to each of the received signatures.

0 Likes
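The four verification steps quoted above, as an added Python example (not part of the original posts, and not Stripe's or Orca's code). The function names, the 300-second default tolerance, and the sample secret and body are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time


def parse_header(header):
    """Step 1: split on ',' then '=' and keep only the t and v1 elements."""
    timestamp, signatures = None, []
    for element in header.split(","):
        prefix, sep, value = element.strip().partition("=")
        if not sep:
            continue  # malformed element without '='
        if prefix == "t":
            timestamp = value
        elif prefix == "v1":
            signatures.append(value)  # a header may carry several v1 values
    return timestamp, signatures


def expected_signature(secret, timestamp, payload):
    """Steps 2-3: HMAC-SHA256 over '<timestamp>.<raw body>', keyed with the secret."""
    signed_payload = timestamp.encode() + b"." + payload
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def verify(header, payload, secret, tolerance=300, now=None):
    """Step 4: constant-time compare, then enforce the timestamp tolerance."""
    timestamp, signatures = parse_header(header)
    if timestamp is None or not signatures:
        return False
    if not (timestamp.isascii() and timestamp.isdigit()):
        return False
    expected = expected_signature(secret, timestamp, payload)
    # Check every candidate; compare_digest avoids leaking the match position.
    matched = False
    for candidate in signatures:
        matched |= hmac.compare_digest(expected.encode(), candidate.encode())
    if not matched:
        return False
    now = int(time.time()) if now is None else now
    return abs(now - int(timestamp)) <= tolerance


# Constructed sample values, not real credentials or real API output.
SECRET = b"whsec_constructed_example"
BODY = b'{"id": "evt_constructed", "object": "event"}'
GOOD = "t=1700000000,v1=" + expected_signature(SECRET, "1700000000", BODY)
```

Pass the body bytes exactly as received: re-serializing the JSON before verification changes the bytes, and the HMAC will no longer match.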