A NuGet package that generates signed query strings.
Currently, only ASP.NET projects are supported. If you can't use it, you need to implement
ISignatureProtectoryourself.
The implementation MUST NOT return the bytes as is, as this would make your signature prone to brute force attacks.
Install two NuGet packages:
SignedUrlandSignedUrl.AspNet
// use dependency injection
builder.Services.AddSingleton<ISignatureProtector, DataProtectionSignatureProtector>();
builder.Services.AddSingleton<IQuerySigner, DigestQuerySigner>();Then consume the IQuerySigner:
public class MyUrlService(IQuerySigner signer) {
public string GenerateSomeUrl() {
var query = new Dictionary<string, string?>
{
{ "time", CurrentUnixTimestamp().ToString() },
};
return "https://example.com/?" + signer.GenerateSignature(query);
}
}The above class will generate a URL like this:
https://example.com/?time=1702855023&s=vJ89aMd%2bkkZaLamPOKuCgGAiuDDRqn7XtIdM%2bXpCYZw%3d
Observations:
- The dictionary containing a key
timeand a value of the current Unix timestamp is appended to the query string - The
sparameter is the signature of the query string
And to verify the signature:
public class MyUrlService(IQuerySigner signer) {
// [...omitted for brevity...]
public bool VerifySomeUrl(string url) {
var query = HttpUtility.ParseQueryString(new Uri(url).Query);
return signer.VerifySignature(query);
}
}- .NET 8
If you want to write extensions, you can use the SignedUrl.Abstractions package, which contains the interfaces used
by the SignedUrl implementations.
The project uses xUnit for testing. To run the tests, run dotnet test in the root directory.
There are 3 NuGet packages that need to be published:
SignedUrlSignedUrl.AbstractionsSignedUrl.AspNet
Make sure all the versions are the same. Then, run dotnet pack in each project directory.
Licensed under MIT.