Add SHA384 support for signature authentication.

cdr-chakotay · cdr-chakotay · commit 94fcbd330b90 · 2024-02-27T00:33:41.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,7 @@
+### 0.3.0 / 2023-27-03 ###
+- Change the way the `transloadit` client is initialized. Now it is possible to pass the `sha_384` boolean parameter to the `Transloadit` class to enable the `sha_384` hash algorithm for the signature. The default value is `True` and the `sha_384` algorithm is used. The `sha_384` algorithm is recommended for new integrations and it is required for the new Transloadit accounts. The `sha_1` algorithm is deprecated and it will be removed in the future. For compatibility reasons it is possible to use `sha_1` with the `sha_384` parameter set to `False`. 
+- Added `sha_384` as hash algorithm for the signature authentication.
+
 ### Unreleased
 - Drop Python 3.6 from CI. It has been unsupported since December 2021 and github actions runner don't support anymore (https://github.com/actions/setup-python/issues/544)
 
diff --git a/transloadit/client.py b/transloadit/client.py
@@ -16,6 +16,7 @@ class Transloadit:
         - auth_secret (str): Transloadit auth secret.
         - service (Optional[str]): URL of the Transloadit API.
         - duration (int): How long in seconds for which a Transloadit request should be valid.
+        - sha_384 (bool): Whether to use SHA-384 for signing requests. Defaults to True. If False, SHA-1 is used.
         - request (transloadit.request.Request): An instance of the Transloadit HTTP Request object.
 
     :Constructor Args:
@@ -27,6 +28,8 @@ class Transloadit:
         - duration (Optional[int]):
             How long in seconds for which a Transloadit request should be valid. Defaults to 300
             if not specified.
+        - sha_384 (Optional[bool]):
+            Whether to use SHA-384 for signing requests. Defaults to True. If False, SHA-1 is used.
     """
 
     def __init__(
@@ -35,6 +38,7 @@ def __init__(
         auth_secret: str,
         service: str = "https://api2.transloadit.com",
         duration: int = 300,
+        sha_384: bool = True,
     ):
         if not service.startswith(("http://", "https://")):
             service = "https://" + service
@@ -43,6 +47,7 @@ def __init__(
         self.auth_key = auth_key
         self.auth_secret = auth_secret
         self.duration = duration
+        self.sha_384 = sha_384
         self.request = request.Request(self)
 
     def new_assembly(self, params: dict = None) -> assembly.Assembly:
diff --git a/transloadit/request.py b/transloadit/request.py
@@ -123,9 +123,12 @@ def _to_payload(self, data):
         return {"params": json_data, "signature": self._sign_data(json_data)}
 
     def _sign_data(self, message):
-        return hmac.new(
-            b(self.transloadit.auth_secret), message.encode("utf-8"), hashlib.sha1
-        ).hexdigest()
+        if not self.transloadit.sha_384:
+            return hmac.new(b(self.transloadit.auth_secret), message.encode("utf-8"), hashlib.sha1).hexdigest()
+
+        else:
+            hash_string = hmac.new(b(self.transloadit.auth_secret), message.encode("utf-8"), hashlib.sha384).hexdigest()
+            return f"sha384:{hash_string}"
 
     def _get_full_url(self, url):
         if url.startswith(("http://", "https://")):
