Verify results
| While the client can trust the authenticity of the received data, a remote service must not assume that the client will forward it unchanged. To ensure trust in data from untrusted sources, your services must always verify its signature. |
All service results are authenticated with an HMAC, include a timestamp, and carry your ticket identifier. To validate the results, your backend needs to verify the HMAC of the result data and ensure the ticket identifier matches the expected value. Usually, a JWT library for your backend can help with this verification process.
Verifying results in your backend:
-
Python
-
Java
-
Node.js
-
Rust
-
PHP
import jwt
result = jwt.decode(token, HMAC_KEY, algorithms=["HS256"])
assert result["data"]["ticketId"] == issued_ticket_id
Jws<Claims> jwsClaims = Jwts.parserBuilder()
.setSigningKey(Keys.hmacShaKeyFor(HMAC_KEY))
.build()
.parseClaimsJws(token);
@SuppressWarnings("unchecked")
Map<String, Object> data = (Map<String, Object>) jwsClaims.getPayload().get("data");
assert data.get("ticketId").equals(issuedTicketId)
let data = jwt.verify(token, HMAC_KEY).data
assert.equal(data.ticketId, issuedTicketId)
let result = jsonwebtoken::decode::<serde_json::Value>(
token,
&jsonwebtoken::DecodingKey::from_secret(HMAC_KEY),
&jsonwebtoken::Validation::new(jsonwebtoken::Algorithm::HS256),
)?;
assert_eq!(
result.claims.get("data")?.get("ticketId")?,
issued_ticket_id
);
$result = Firebase\JWT\JWT::decode(
$token,
new Firebase\JWT\Key($HMAC_KEY, 'HS256')
);
if ($result->data->ticketId != $issuedTicketId)
throw new Exception("Unexpected ticket ID");