makes openrtb request signing opt in

ChristianPavilonis · ChristianPavilonis · commit 78bd6f29bb40 · 2025-11-10T14:03:23.000-06:00
diff --git a/crates/common/src/prebid_proxy.rs b/crates/common/src/prebid_proxy.rs
@@ -175,23 +175,26 @@ fn enhance_openrtb_request(
         });
     }
 
-    // Add trusted server signature
-    if request["id"].is_string() {
-        if !request["ext"].is_object() {
-            request["ext"] = json!({});
-        }
+    // Add trusted server signature (if enabled)
+    if let Some(request_signing_config) = &settings.request_signing {
+        if request_signing_config.enabled && request["id"].is_string() {
+            log::info!("signing openrtb request...");
+            if !request["ext"].is_object() {
+                request["ext"] = json!({});
+            }
 
-        let id = request["id"]
-            .as_str()
-            .expect("as_str guaranteed by is_string check");
+            let id = request["id"]
+                .as_str()
+                .expect("as_str guaranteed by is_string check");
 
-        let signer = RequestSigner::from_config()?;
-        let signature = signer.sign(id.as_bytes())?;
+            let signer = RequestSigner::from_config()?;
+            let signature = signer.sign(id.as_bytes())?;
 
-        request["ext"]["trusted_server"] = json!({
-            "signature": signature,
-            "kid": signer.kid
-        });
+            request["ext"]["trusted_server"] = json!({
+                "signature": signature,
+                "kid": signer.kid
+            });
+        }
     }
 
     Ok(())
diff --git a/crates/common/src/request_signing/jwks.rs b/crates/common/src/request_signing/jwks.rs
@@ -74,8 +74,7 @@ pub fn get_active_jwks() -> Result<String, TrustedServerError> {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use base64::{engine::general_purpose, Engine};
-    use ed25519_dalek::SigningKey;
+    use ed25519_dalek::{SigningKey, Signer, Verifier};
     use jose_jwk::Key;
 
     #[test]
diff --git a/crates/common/src/settings.rs b/crates/common/src/settings.rs
@@ -126,10 +126,16 @@ impl Handler {
 
 #[derive(Debug, Default, Deserialize, Serialize)]
 pub struct RequestSigning {
+    #[serde(default = "default_request_signing_enabled")]
+    pub enabled: bool,
     pub config_store_id: String,
     pub secret_store_id: String,
 }
 
+fn default_request_signing_enabled() -> bool {
+    false
+}
+
 #[derive(Debug, Default, Deserialize, Serialize, Validate)]
 pub struct Settings {
     #[validate(nested)]
diff --git a/trusted-server.toml b/trusted-server.toml
@@ -32,3 +32,10 @@ template = "{{ client_ip }}:{{ user_agent }}:{{ first_party_id }}:{{ auth_user_i
 # Custom headers to be included in every response
 [response_headers]
 X-Custom-Header = "custom header value"
+
+# Request Signing Configuration
+# Enable signing of OpenRTB requests and other API calls
+[request_signing]
+enabled = false  # Set to true to enable request signing
+config_store_id = "<fastly-config-store-id>" # set config/secret store ids for key rotation
+secret_store_id = "<fastly-secret-store-id>"
