Vulnerable Components in Actix with Hmac Signatures

Actix-web is a popular Rust framework for building HTTP services. When HMAC signatures are used for request authentication, the interaction between Actix routing, payload extraction, and signature verification logic can introduce security weaknesses if implementation details are inconsistent or incomplete.

A common pattern is to sign a subset of the request (for example, the JSON body or selected headers) using a shared secret. If the server uses different serialization rules than the client (such as differing key ordering or whitespace handling), the computed HMAC will not match, and the request is rejected. However, improper handling of the mismatch can expose information: returning distinct errors for malformed signatures versus missing signatures allows an attacker to probe the authentication surface. In Actix, this often occurs when middleware or extractor logic does not uniformly apply verification before returning HTTP responses.

Another vulnerability vector arises from how Actix deserializes payloads before or after signature verification. If the signature is computed over the raw bytes of the body, but the application deserializes the body into a struct first (for example using web::Json<T>), the resulting bytes may differ due to serde normalization. This leads to valid client signatures being rejected, which may be logged with sensitive detail or bypassed inadvertently in debug builds. Additionally, if the application exposes versioned endpoints and does not enforce signature verification consistently across all versions, older routes may remain unauthenticated, enabling BOLA/IDOR-like access through predictable resource identifiers.

The framework’s routing can also contribute to risk. Actix permits nested scopes and guards; if signature verification is applied at a parent scope but not enforced on specific child handlers, unauthenticated paths may exist. This misconfiguration is especially dangerous when combined with permissive CORS settings or when health check endpoints are inadvertently included in protected scopes, leading to unauthenticated LLM/AI Security exposure if those endpoints handle model-related metadata or keys.

Operational practices amplify these issues. Without continuous monitoring, deployments may introduce subtle changes in signing logic (such as updating the secret or algorithm) that break verification for existing clients. In a microservice environment where multiple services share the same secret, rotation becomes complex and increases the likelihood of weak key material or accidental disclosure. middleBrick can detect inconsistencies between declared authentication mechanisms and runtime behavior across Actix endpoints, highlighting missing verification paths and serialization mismatches.

Remediation centers on consistent verification, canonical representations, and strict separation of authenticated and unauthenticated routes. Below are concrete, idiomatic examples using the hmac and sha2 crates with Actix-web 4.x.

1. Canonical request signing and verification

Ensure both client and server use the same serialization and signing scope. Sign the raw request body for JSON APIs, and normalize headers before computing the HMAC.

use actix_web::{web, HttpRequest, HttpResponse, Error};
use hmac::{Hmac, Mac};
use sha2::Sha256;
use hex;

type HmacSha256 = Hmac<Sha256>;

/// Verify HMAC signature in a custom header `X-API-Signature`
async fn verify_hmac(req: HttpRequest, body: web::Bytes) -> Result<(), Error> {
    let signature_header = req.headers().get("X-API-Signature")
        .ok_or_else(|| actix_web::error::ErrorUnauthorized("Missing signature"))?;
    let signature = signature_header.to_str().map_err(|_| actix_web::error::ErrorBadRequest("Invalid signature header"))?;

    let secret = std::env::var("API_SECRET").expect("API_SECRET must be set");
    let mut mac = HmacSha256::new_from_slice(secret.as_bytes())
        .map_err(|_| actix_web::error::ErrorInternalServerError("HMAC init failed"))?;
    mac.update(&body);
    let computed = mac.finalize().into_bytes();
    let computed_hex = hex::encode(computed);

    // Use constant-time comparison
    if subtle::ConstantTimeEq::ct_eq(computed.as_ref(), signature.as_ref()).into() {
        Ok(())
    } else {
        Err(actix_web::error::ErrorUnauthorized("Invalid signature"))
    }
}

/// A wrapper extractor that verifies HMAC before deserialization
pub struct VerifiedJson<T>(pub T);

impl<T> actix_web::FromRequest for VerifiedJson<T>
where
    T: serde::de::DeserializeOwned,
{
    type Error = Error;
    type Future = actix_web::dev::LocalBoxFuture<'static, Result<Self, Self::Error>>;
    type Config = ();

    fn from_request(req: &actix_web::HttpRequest, payload: &mut actix_web::dev::Payload) -> Self::Future {
        let body = match payload.try_next() {
            Ok(Some(b)) => b,
            Ok(None) => return Err(actix_web::error::ErrorBadRequest("Empty body")),
            Err(e) => return Err(e),
        };
        // Verify signature first
        if let Err(e) = verify_hmac(req.clone(), body.clone()).await {
            return Box::pin(async { Err(e) });
        }
        // Deserialize only after verification
        let bytes = actix_web::web::Bytes::from(body.to_vec());
        let fut = async move {
            let json = serde_json::from_slice(&bytes).map_err(|_| actix_web::error::ErrorBadRequest("Invalid JSON"))?;
            Ok(VerifiedJson(json))
        };
        Box::pin(fut)
    }
}

/// Usage in a handler
async fn create_order(order: VerifiedJson<Order>) -> HttpResponse {
    HttpResponse::Ok().json(&order.0)
}

2. Enforce verification across all versions and scopes

Apply a consistent guard at the service or scope level to avoid missing routes. Use a custom middleware or a service configuration that requires HMAC for all authenticated paths.

use actix_web::middleware::Next;
use actix_web::dev::ServiceRequest;
use actix_web::Error;

pub struct HmacAuth;

impl actix_web::dev::Transform<S, actix_web::dev::ServiceRequest> for HmacAuth
where
    S: actix_web::dev::Service<ServiceRequest, Response = actix_web::dev::ServiceResponse, Error = Error>,
    S::Future: 'static,
{
    type Response = actix_web::dev::ServiceResponse;
    type Error = Error;
    type InitError = ();
    type Transform = HmacAuthMiddleware<S>;
    type Future = std::future::Ready<Result<Self::Transform, Self::InitError>>;

    fn new_transform(&self, service: S) = > std::future::ready(Ok(HmacAuthMiddleware { service })) {
        std::future::ready(Ok(HmacAuthMiddleware { service }))
    }
}

pub struct HmacAuthMiddleware<S> {
    service: S,
}

impl<S> actix_web::dev::Service<ServiceRequest> for HmacAuthMiddleware<S>
where
    S: actix_web::dev::Service<ServiceRequest, Response = actix_web::dev::ServiceResponse, Error = Error>,
    S::Future: 'static,
{
    type Response = actix_web::dev::ServiceResponse;
    type Error = Error;
    type Future = S::Future;

    fn poll_ready(&mut self, cx: &mut std::task::Context<'_>) -> std::task::Poll<Result<(), Self::Error>> {
        self.service.poll_ready(cx)
    }

    fn call(&mut self, req: ServiceRequest) -> Self::Future {
        // Skip verification for public endpoints like health checks if needed
        // if req.path() == "/health" { return self.service.call(req); }
        let payload = req.to_http_request().take_payload();
        let req_clone = req.clone();
        let fut = async move {
            // Reuse verification logic; ensure body is available
            let body = match payload.try_next() {
                Ok(Some(b)) => b.to_vec(),
                _ => return Err(actix_web::error::ErrorBadRequest("Missing body")),
            };
            verify_hmac(req_clone, body.into()).await?;
            self.service.call(req)
        };
        Box::pin(fut)
    }
}

/// Apply the guard at the service level
// In main or app configuration:
// .wrap(HmacAuth)
// .service(web::resource("/v1/orders").route(web::post().to(create_order)))