feat: Add sqlpage.hmac function for cryptographic signing

Co-authored-by: contact <[email protected]>

Author: cursoragent

Cargo.toml

@@ -61,6 +61,8 @@ actix-web-httpauth = "0.8.0"
 rand = "0.9.0"
 actix-multipart = "0.7.2"
 base64 = "0.22"
+hmac = "0.12"
+sha2 = "0.10"
 rustls-acme = "0.14"
 dotenvy = "0.15.7"
 csv-async = { version = "1.2.6", features = ["tokio"] }

HMAC_FEATURE_SUMMARY.md

@@ -0,0 +1,160 @@
+# SQLPage HMAC Function - Feature Summary
+
+## Overview
+This document summarizes the addition of the `sqlpage.hmac()` function to SQLPage, which provides cryptographic HMAC (Hash-based Message Authentication Code) capabilities.
+
+## Changes Made
+
+### 1. Dependencies Added (Cargo.toml)
+- `hmac = "0.12"` - HMAC implementation from RustCrypto
+- `sha2 = "0.10"` - SHA-2 family of hash functions
+
+### 2. Function Implementation (src/webserver/database/sqlpage_functions/functions.rs)
+
+#### Function Declaration
+```rust
+hmac(data: Option<Cow<str>>, key: Option<Cow<str>>, algorithm: Option<Cow<str>>);
+```
+
+#### Implementation Features
+- **Parameters:**
+  - `data`: The input data to compute HMAC for
+  - `key`: The secret key used for HMAC
+  - `algorithm`: Optional hash algorithm (defaults to "sha256")
+
+- **Supported Algorithms:**
+  - `sha256` (default)
+  - `sha512`
+
+- **Return Value:**
+  - Hexadecimal string representation of the HMAC
+  - Returns NULL if either data or key is NULL
+
+- **Security:**
+  - Uses industry-standard RustCrypto libraries
+  - Constant-time comparison available via HMAC library
+  - Proper error handling for invalid inputs
+
+### 3. Documentation (examples/official-site/sqlpage/migrations/08_functions.sql)
+
+Added comprehensive documentation including:
+- Function description with Wikipedia link
+- Common use cases (API authentication, webhook verification, token generation)
+- Three detailed code examples:
+  1. API request signing
+  2. Webhook signature verification
+  3. Secure download tokens
+- Security notes and best practices
+- Parameter descriptions
+
+### 4. Interactive Example (examples/official-site/examples/hmac.sql)
+
+Created a full interactive example page that allows users to:
+- Try the HMAC function with custom data and keys
+- Select different hash algorithms
+- See the resulting signature
+- Learn about verification techniques
+- Understand real-world use cases
+
+### 5. Test Suite (tests/sql_test_files/)
+
+Added four test files:
+- `it_works_hmac_sha256.sql` - Test SHA-256 algorithm
+- `it_works_hmac_sha512.sql` - Test SHA-512 algorithm
+- `it_works_hmac_default.sql` - Test default algorithm behavior
+- `it_works_hmac_null.sql` - Test NULL handling
+
+## Usage Examples
+
+### Basic Usage
+```sql
+SELECT sqlpage.hmac('Hello, World!', 'secret-key', 'sha256') as signature;
+```
+
+### API Request Signing
+```sql
+SELECT sqlpage.hmac(
+    'user_id=123&action=update',
+    'my-secret-api-key',
+    'sha256'
+) as request_signature;
+```
+
+### Webhook Verification
+```sql
+SELECT 
+    CASE 
+        WHEN sqlpage.hmac(sqlpage.request_body(), 'webhook-secret', 'sha256') = :signature
+        THEN 'Valid webhook'
+        ELSE 'Invalid signature'
+    END as status;
+```
+
+### Secure Token Generation
+```sql
+INSERT INTO download_tokens (file_id, token, expires_at)
+VALUES (
+    :file_id,
+    sqlpage.hmac(
+        :file_id || '|' || datetime('now', '+1 hour'),
+        sqlpage.environment_variable('SECRET_KEY'),
+        'sha256'
+    ),
+    datetime('now', '+1 hour')
+);
+```
+
+## Security Considerations
+
+1. **Key Management:**
+   - Keys should be stored securely using environment variables
+   - Never hardcode keys in SQL files or expose them client-side
+   - Use `sqlpage.environment_variable()` to access keys
+
+2. **Algorithm Selection:**
+   - SHA-256 is the default and suitable for most use cases
+   - SHA-512 provides additional security for highly sensitive applications
+   - Both algorithms are cryptographically secure
+
+3. **Key Length:**
+   - Keys can be of any length
+   - For maximum security, use keys at least as long as the hash output:
+     - SHA-256: 32 bytes (64 hex characters)
+     - SHA-512: 64 bytes (128 hex characters)
+
+## Testing
+
+To run the tests:
+```bash
+cargo test
+```
+
+The test suite includes:
+- Algorithm verification (SHA-256, SHA-512)
+- Default parameter handling
+- NULL value handling
+- Integration with SQLPage's query execution
+
+## Documentation Links
+
+Once deployed, the function will be documented at:
+- Function reference: `/functions.sql?function=hmac`
+- Interactive example: `/examples/hmac.sql`
+
+## Version
+
+Introduced in SQLPage version **0.38.0**
+
+## Files Modified
+
+1. `/workspace/Cargo.toml` - Added dependencies
+2. `/workspace/src/webserver/database/sqlpage_functions/functions.rs` - Implementation
+3. `/workspace/examples/official-site/sqlpage/migrations/08_functions.sql` - Documentation
+4. `/workspace/examples/official-site/examples/hmac.sql` - Interactive example
+5. `/workspace/tests/sql_test_files/it_works_hmac_*.sql` - Test suite
+
+## Related Functions
+
+- `sqlpage.hash_password()` - Password hashing using Argon2
+- `sqlpage.random_string()` - Generate cryptographically secure random strings
+- `sqlpage.environment_variable()` - Access environment variables for secrets

examples/official-site/examples/hmac.sql

@@ -0,0 +1,118 @@
+select 'dynamic' as component, properties FROM example WHERE component = 'shell' LIMIT 1;
+
+select 'text' as component, '
+
+# HMAC (Hash-based Message Authentication Code)
+
+In SQLPage, you can use the [`sqlpage.hmac`](/functions.sql?function=hmac) function to
+compute a cryptographic signature for your data. HMAC is a type of message authentication code
+that uses a cryptographic hash function and a secret key to verify both the data integrity
+and authenticity of a message.
+
+HMAC is commonly used for:
+ - **API authentication**: Generate secure signatures for API requests
+ - **Webhook verification**: Verify that webhook requests are authentic and haven''t been tampered with
+ - **Token generation**: Create secure tokens for downloads, password resets, or temporary access
+ - **Data integrity**: Ensure data hasn''t been modified during transmission or storage
+
+The `sqlpage.hmac` function takes three parameters:
+1. **data**: The message or data to be signed
+2. **key**: A secret key that should be kept confidential
+3. **algorithm**: The hash algorithm to use (optional, defaults to `sha256`)
+
+The function returns a hexadecimal string that represents the HMAC signature.
+
+## Security Notes
+
+ - Keep your secret keys secure and never expose them in client-side code or version control
+ - Use environment variables to store secret keys: `sqlpage.environment_variable(''SECRET_KEY'')`
+ - For maximum security, use a key that is at least as long as the hash output
+ - HMAC is deterministic: the same data and key will always produce the same signature
+
+## Example Use Cases
+
+### 1. API Request Signing
+
+Generate a signature for API requests to verify they haven''t been tampered with:
+
+```sql
+SELECT sqlpage.hmac(
+    ''user_id=123&action=update&timestamp='' || strftime(''%s'', ''now''),
+    sqlpage.environment_variable(''API_SECRET''),
+    ''sha256''
+) as request_signature;
+```
+
+### 2. Webhook Signature Verification
+
+Verify that a webhook request is authentic by comparing signatures:
+
+```sql
+SELECT 
+    CASE 
+        WHEN sqlpage.hmac(sqlpage.request_body(), ''webhook-secret'', ''sha256'') = :signature
+        THEN ''Valid webhook''
+        ELSE ''Invalid signature - request rejected''
+    END as status;
+```
+
+### 3. Secure Download Tokens
+
+Create time-limited download tokens that can be verified without storing them:
+
+```sql
+INSERT INTO download_tokens (file_id, token, expires_at)
+VALUES (
+    :file_id,
+    sqlpage.hmac(
+        :file_id || ''|'' || datetime(''now'', ''+1 hour''),
+        sqlpage.environment_variable(''DOWNLOAD_SECRET''),
+        ''sha256''
+    ),
+    datetime(''now'', ''+1 hour'')
+);
+```
+
+# Try it out
+
+You can try the HMAC function out by entering data, a secret key, and selecting an algorithm below.
+' as contents_md;
+
+select 'form' as component, 'Generate HMAC' as validate;
+select 'data' as name, 'text' as type, 'Data to Sign' as label, 
+       'Enter the data you want to sign' as placeholder,
+       coalesce(:data, 'Hello, World!') as value;
+select 'key' as name, 'text' as type, 'Secret Key' as label,
+       'Enter your secret key' as placeholder,
+       coalesce(:key, 'my-secret-key') as value;
+select 'algorithm' as name, 'select' as type, 'Hash Algorithm' as label;
+select 'sha256' as value, :algorithm = 'sha256' or :algorithm is null as selected;
+select 'sha512' as value, :algorithm = 'sha512' as selected;
+
+select 'text' as component, '
+
+### HMAC Signature
+
+The HMAC signature for your data is:
+
+```
+' || sqlpage.hmac(:data, :key, :algorithm) || '
+```
+
+### Verification
+
+To verify data later, simply recompute the HMAC with the same key and algorithm,
+then compare the result with the original signature. If they match, the data is authentic and unmodified.
+
+### Example Verification Code
+
+```sql
+SELECT 
+    CASE 
+        WHEN sqlpage.hmac(:received_data, :secret_key, :algorithm) = :stored_signature
+        THEN ''Data is authentic''
+        ELSE ''Data has been tampered with''
+    END as verification_result;
+```
+' as contents_md
+where :data is not null and :key is not null;

examples/official-site/sqlpage/migrations/08_functions.sql

@@ -401,4 +401,101 @@ VALUES (
         'string',
         'The string to encode.',
         'TEXT'
+    );
+INSERT INTO sqlpage_functions (
+        "name",
+        "introduced_in_version",
+        "icon",
+        "description_md"
+    )
+VALUES (
+        'hmac',
+        '0.38.0',
+        'shield-lock',
+        'Computes the [HMAC](https://en.wikipedia.org/wiki/HMAC) (Hash-based Message Authentication Code) of the input data using a secret key and a cryptographic hash function.
+
+HMAC is used to verify both the data integrity and authenticity of a message. It is commonly used for:
+ - Generating secure tokens and signatures
+ - API request authentication
+ - Webhook signature verification
+ - Data integrity validation
+
+### Example
+
+#### Generate an HMAC for API authentication
+
+```sql
+-- Generate a secure signature for an API request
+SELECT sqlpage.hmac(
+    ''user_id=123&action=update'',
+    ''my-secret-api-key'',
+    ''sha256''
+) as request_signature;
+```
+
+#### Verify a webhook signature
+
+```sql
+-- Verify that a webhook request is authentic
+SELECT 
+    CASE 
+        WHEN sqlpage.hmac(sqlpage.request_body(), ''webhook-secret'', ''sha256'') = :signature
+        THEN ''Valid webhook''
+        ELSE ''Invalid signature''
+    END as status;
+```
+
+#### Create a secure download token
+
+```sql
+-- Generate a time-limited download token
+INSERT INTO download_tokens (file_id, token, expires_at)
+VALUES (
+    :file_id,
+    sqlpage.hmac(
+        :file_id || ''|'' || datetime(''now'', ''+1 hour''),
+        sqlpage.environment_variable(''SECRET_KEY''),
+        ''sha256''
+    ),
+    datetime(''now'', ''+1 hour'')
+);
+```
+
+### Notes
+
+ - The function returns a hexadecimal string representation of the HMAC.
+ - If either `data` or `key` is NULL, the function returns NULL.
+ - The `algorithm` parameter is optional and defaults to `sha256` if not specified.
+ - Supported algorithms: `sha256`, `sha512`.
+ - The key can be of any length. For maximum security, use a key that is at least as long as the hash output (32 bytes for SHA-256, 64 bytes for SHA-512).
+ - Keep your secret keys secure and never expose them in client-side code or version control.
+'
+    );
+INSERT INTO sqlpage_function_parameters (
+        "function",
+        "index",
+        "name",
+        "description_md",
+        "type"
+    )
+VALUES (
+        'hmac',
+        1,
+        'data',
+        'The input data to compute the HMAC for. Can be any text string.',
+        'TEXT'
+    ),
+    (
+        'hmac',
+        2,
+        'key',
+        'The secret key used to compute the HMAC. Should be kept confidential.',
+        'TEXT'
+    ),
+    (
+        'hmac',
+        3,
+        'algorithm',
+        'The hash algorithm to use. Optional, defaults to `sha256`. Supported values: `sha256`, `sha512`.',
+        'TEXT'
     );