Collaborator

@lovasoa lovasoa commented Sep 30, 2025

Add sqlpage.hmac function to provide cryptographic HMAC capabilities for secure authentication and data integrity, with comprehensive documentation.




cursor bot commented Sep 30, 2025

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.

Collaborator Author

lovasoa commented Sep 30, 2025

@cursoragent the tests (both rust and sql) should check the actual hmac hashes are correct


cursor bot commented Sep 30, 2025

I significantly improved the hmac function's test coverage and correctness verification by implementing RFC 4231 test vectors in both Rust unit tests and SQL integration tests, ensuring accurate hash generation and confirming the default SHA-256 algorithm.

  • I updated the test_hmac unit test in src/webserver/database/sqlpage_functions/functions.rs to use an RFC 4231 test vector for HMAC-SHA256, asserting against the exact expected hash rather than just output length.
  • I modified tests/sql_test_files/it_works_hmac_default.sql to explicitly verify that the sqlpage.hmac function's default algorithm is SHA-256.
  • I updated tests/sql_test_files/it_works_hmac_sha256.sql and tests/sql_test_files/it_works_hmac_sha512.sql to use RFC 4231 test vectors, asserting the sqlpage.hmac function's output against known correct hashes for SHA-256 and SHA-512, respectively.


@lovasoa lovasoa added the enhancement (New feature or request) label Sep 30, 2025
@lovasoa lovasoa self-assigned this Sep 30, 2025
@lovasoa lovasoa linked an issue Sep 30, 2025 that may be closed by this pull request
@lovasoa lovasoa marked this pull request as ready for review September 30, 2025 19:43
Collaborator Author

lovasoa commented Sep 30, 2025

@cursoragent make the documentation of the new function more readable by less-technical users and beginner developers.

For the example, show how to validate hmac signatures from Shopify: https://shopify.dev/docs/apps/build/webhooks/subscribe/https . The example should be tested in one of the it_works*.sql tests

The changelog.md should be updated too


cursor bot commented Sep 30, 2025

I implemented a new sqlpage.hmac() function for cryptographic HMAC operations, enhancing security for webhook verification, API authentication, and secure token generation. It supports SHA-256 (default) and SHA-512.

  • I added the sqlpage.hmac() function, which computes HMAC for data integrity and authenticity.
  • I updated CHANGELOG.md to document the v0.38.0 release and hmac() details.
  • I modified examples/official-site/sqlpage/migrations/67_hmac_function.sql to enhance documentation with examples for Shopify webhooks, secure downloads, and API signing.
  • I added tests/sql_test_files/it_works_hmac_shopify_webhook.sql as a new test for hmac() webhook signature verification.


Collaborator Author

lovasoa commented Sep 30, 2025

@cursoragent Do not use the text component to display an error message in examples or in tests! Use the redirect component to redirect to an error page when the hash does not match. The algorithm parameter should also let the user specify the desired output format: hex or base64


cursor bot commented Sep 30, 2025

I enhanced the sqlpage.hmac function to support base64 output, alongside hexadecimal, improving compatibility for integrations like Shopify.

  • Modified src/webserver/database/sqlpage_functions/functions.rs to parse the algorithm parameter for both hash (sha256, sha512) and output format (hex, base64).
  • Implemented base64 encoding, enabling new algorithm options such as sha256-base64 and sha512-base64.
  • Updated CHANGELOG.md and the hmac function documentation in examples/official-site/sqlpage/migrations/67_hmac_function.sql with the new output formats and a Shopify webhook example.
  • Added tests/sql_test_files/it_works_hmac_base64.sql and refactored existing HMAC tests to use redirect for robust failure detection.


Collaborator Author

lovasoa commented Sep 30, 2025

@cursoragent cargo clippy, fmt and test


cursor bot commented Sep 30, 2025

I refactored the hmac function in src/webserver/database/sqlpage_functions/functions.rs to enhance code readability. I streamlined the output formatting logic for hex and base64 conversions, making the code more concise without altering its functionality.

  • In src/webserver/database/sqlpage_functions/functions.rs, I refactored the hmac async function to improve code readability.
  • I condensed the hex and base64 output conversion branches within the match output_format statement into single-line expressions.
  • This change is purely cosmetic, ensuring the code remains functionally identical while being more concise.


Collaborator Author

lovasoa commented Oct 1, 2025

@cursoragent add a test sql file (not an it_works* file) with your example code that checks an hmac body signature, and a .rs file in tests that calls the file, first with an invalid signature in the headers, then with a valid one.


cursor bot commented Oct 1, 2025

I implemented comprehensive testing for webhook HMAC signature validation, covering scenarios for valid, invalid, and missing signatures. This ensures the sqlpage.hmac function correctly verifies incoming webhook requests against a secret key, enhancing security for webhook endpoints.

  • I added a new test module, tests/requests/webhook_hmac.rs, which includes three distinct tests:
    • test_webhook_hmac_invalid_signature: Verifies that requests with an incorrect X-Webhook-Signature header are redirected to an error page with a specific message.
    • test_webhook_hmac_valid_signature: Confirms that requests with a correctly calculated HMAC-SHA256 signature are processed successfully, returning an HTTP 200 OK status and the verified webhook body.
    • test_webhook_hmac_missing_signature: Ensures that requests lacking the X-Webhook-Signature header are redirected to an error page.
  • I created tests/webhook_hmac_validation.sql to serve as the target for these tests. This SQLPage script demonstrates how to use sqlpage.hmac to validate incoming webhook signatures against a WEBHOOK_SECRET environment variable, redirecting to an error page on failure or returning a JSON success response on valid signatures.
  • I updated tests/requests/mod.rs by adding mod webhook_hmac; to integrate the new webhook HMAC test suite into the existing request tests.
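
Added example, not code from this pull request or from the SQLPage project: a Python reference model of the behaviour discussed in the thread, covering the algorithm string that selects both hash and output format (`sha256`, `sha512`, optional `-base64`) and the valid, invalid and missing signature cases of the webhook check. The names `parse_algorithm`, `compute_hmac` and `verify_webhook`, the sample body and secret, acceptance of an explicit `-hex` suffix, and the constant-time comparison are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Hash names as given in the thread; an optional "-base64" suffix picks the encoding.
_HASHES = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_algorithm(algorithm="sha256"):
    """Split e.g. 'sha512-base64' into (hash constructor, output format)."""
    name, _, fmt = algorithm.lower().partition("-")
    fmt = fmt or "hex"  # no suffix means hex; accepting "-hex" is this example's choice
    if name not in _HASHES or fmt not in ("hex", "base64"):
        raise ValueError(f"unsupported algorithm: {algorithm!r}")
    return _HASHES[name], fmt


def compute_hmac(data, key, algorithm="sha256"):
    """HMAC of data under key, returned as hex or base64 text."""
    digestmod, fmt = parse_algorithm(algorithm)
    mac = hmac.new(key.encode(), data.encode(), digestmod).digest()
    return mac.hex() if fmt == "hex" else base64.b64encode(mac).decode()


def verify_webhook(body, signature_header, secret, algorithm="sha256"):
    """True only when a signature header is present and matches the body."""
    if signature_header is None or secret is None:
        return False  # missing header or secret fails closed
    expected = compute_hmac(body, secret, algorithm)
    # Constant-time comparison (an assumption of this example, not taken from the PR).
    return hmac.compare_digest(expected.encode(), signature_header.encode())


# RFC 4231 test case 2 for HMAC-SHA-256, the kind of vector the thread's tests rely on.
RFC4231_KEY, RFC4231_DATA = "Jefe", "what do ya want for nothing?"
RFC4231_SHA256 = "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"

if __name__ == "__main__":
    assert compute_hmac(RFC4231_DATA, RFC4231_KEY) == RFC4231_SHA256
    body, secret = '{"order_id": 1}', "constructed-test-secret"  # constructed sample
    good = compute_hmac(body, secret)
    for label, sig in (("valid", good), ("invalid", "0" * 64), ("missing", None)):
        print(label, verify_webhook(body, sig, secret))
```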


cursoragent and others added 4 commits October 1, 2025 09:06
…tency

- Changed function parameters to remove Option types for data and key in the HMAC function.
- Improved SQL documentation and examples for HMAC usage, including clearer descriptions and updated error handling.
- Enhanced test cases for webhook HMAC validation to ensure accurate signature checks and responses.
- Removed obsolete test file for HMAC with null values.
- Modified conditions in SQL queries to check for NULL values alongside signature mismatches.
- Enhanced documentation on NULL handling for HMAC checks to improve clarity and portability.
@lovasoa lovasoa merged commit 625deb9 into main Oct 1, 2025
10 checks passed
@lovasoa lovasoa deleted the cursor/add-and-document-sqlpage-hmac-function-977c branch October 1, 2025 19:07

Development

Successfully merging this pull request may close these issues.

new function: sqlpage.hmac
