Refactor HMAC function and update SQL examples for clarity and consistency

- Changed function parameters to remove Option types for data and key in the HMAC function.
- Improved SQL documentation and examples for HMAC usage, including clearer descriptions and updated error handling.
- Enhanced test cases for webhook HMAC validation to ensure accurate signature checks and responses.
- Removed obsolete test file for HMAC with null values.

Author: lovasoa

examples/official-site/sqlpage/migrations/67_hmac_function.sql

@@ -1,23 +1,25 @@
 -- HMAC function documentation and examples
-
-INSERT INTO sqlpage_functions (
+INSERT INTO
+    sqlpage_functions (
         "name",
         "introduced_in_version",
         "icon",
         "description_md"
     )
-VALUES (
+VALUES
+    (
         'hmac',
         '0.38.0',
         'shield-lock',
-        'Creates a unique "signature" for your data using a secret key. This signature proves that the data hasn''t been tampered with and comes from someone who knows the secret.
-
-Think of it like a wax seal on a letter - only someone with the right seal (your secret key) can create it, and if someone changes the letter, the seal won''t match anymore.
+        'Creates a unique "signature" for some data using a secret key.
+This signature proves that the data hasn''t been tampered with and comes from someone who knows the secret.
 
 ### What is HMAC used for?
 
-**HMAC** (Hash-based Message Authentication Code) is commonly used to:
- - **Verify webhooks**: Check that notifications from services like Shopify, Stripe, or GitHub are genuine
+[**HMAC**](https://en.wikipedia.org/wiki/HMAC) (Hash-based Message Authentication Code) is commonly used to:
+ - **Verify webhooks**: Use HMAC to ensure only a given external service can call a given endpoint in your application.
+The service signs their request with a secret key, and you verify the signature before processing the data they sent you.
+Used for instance by [Stripe](https://docs.stripe.com/webhooks?verify=verify-manually), and [Shopify](https://shopify.dev/docs/apps/build/webhooks/subscribe/https#step-2-validate-the-origin-of-your-webhook-to-ensure-its-coming-from-shopify).
  - **Secure API requests**: Prove that an API request comes from an authorized source
  - **Generate secure tokens**: Create temporary access codes for downloads or password resets
  - **Protect data**: Ensure data hasn''t been modified during transmission
@@ -35,98 +37,98 @@ The `sqlpage.hmac` function takes three inputs:
 
 It returns a signature string. If someone changes even one letter in your data, the signature will be completely different.
 
-### Example 1: Verify Shopify Webhooks
+### Example: Verify a Webhooks signature
 
-When Shopify sends you a webhook (like when someone places an order), it includes a signature. Here''s how to verify it''s really from Shopify:
+When Shopify sends you a webhook (like when someone places an order), it includes a signature. Here''s how to verify it''s really from Shopify.
+This supposes you store the secret key in an [environment variable](https://en.wikipedia.org/wiki/Environment_variable) named `WEBHOOK_SECRET`.
 
 ```sql
--- Shopify includes the signature in the X-Shopify-Hmac-SHA256 header
--- and sends the webhook data in the request body
-
--- First, verify the signature - redirect to error page if invalid
-SELECT ''redirect'' as component,
-  ''/error.sql?message='' || sqlpage.url_encode(''Invalid webhook signature'') as link
-WHERE sqlpage.hmac(
-        sqlpage.request_body(),
-        sqlpage.environment_variable(''SHOPIFY_WEBHOOK_SECRET''),
-        ''sha256-base64''
-      ) != sqlpage.header(''X-Shopify-Hmac-SHA256'');
-
--- If we reach here, the signature is valid - process the order:
-INSERT INTO orders (order_data, received_at)
-VALUES (sqlpage.request_body(), datetime(''now''));
-
-SELECT ''text'' as component,
-  ''✅ Webhook verified and processed successfully!'' as contents;
+SET body = sqlpage.request_body();
+SET secret = sqlpage.environment_variable(''WEBHOOK_SECRET'');
+SET expected_signature = sqlpage.hmac($body, $secret, ''sha256'');
+SET actual_signature =  sqlpage.header(''X-Webhook-Signature'');
+
+-- redirect to an error page and stop execution if the signature does not match
+SELECT
+    ''redirect'' as component,
+    ''/error.sql?err=bad_webhook_signature'' as link
+WHERE $actual_signature IS DISTINCT FROM $expected_signature;
+
+-- If we reach here, the signature is valid - process the order
+INSERT INTO orders (order_data) VALUES ($body);
+
+SELECT ''json'' as component, ''jsonlines'' as type;
+SELECT ''success'' as status;
 ```
 
-### Example 2: Create Secure Download Links
+### Example: Time-limited links
 
-Generate a token that expires after 1 hour:
+You can create links that will be valid only for a limited time by including a signature in them.
+Let''s say we have a `download.sql` page we want to link to,
+but we don''t want it to be accessible to anyone who can find the link.
+Sign `file_id|expires_at` with a secret. Accept only if not expired and the signature matches.
+
+#### Generate a signed link
 
 ```sql
--- Create a download token
-INSERT INTO download_tokens (file_id, token, expires_at)
-VALUES (
-    :file_id,
-    sqlpage.hmac(
-        :file_id || ''|'' || datetime(''now'', ''+1 hour''),
-        sqlpage.environment_variable(''DOWNLOAD_SECRET''),
-        ''sha256''
-    ),
-    datetime(''now'', ''+1 hour'')
+SET expires_at = datetime(''now'', ''+1 hour'');
+SET token = sqlpage.hmac(
+    $file_id || ''|'' || $expires_at,
+    sqlpage.environment_variable(''DOWNLOAD_SECRET''),
+    ''sha256''
 );
+SELECT ''/download.sql?file_id='' || $file_id || ''&expires_at='' || $expires_at || ''&token='' || $token AS link;
 ```
 
-### Example 3: Sign API Requests
-
-Prove your API request is authentic:
+#### Verify the signed link
 
 ```sql
--- Create a signature for your API call
-SELECT sqlpage.hmac(
-    ''user_id=123&action=update&timestamp='' || strftime(''%s'', ''now''),
-    ''my-secret-api-key'',
+SET expected = sqlpage.hmac(
+    $file_id || ''|'' || $expires_at,
+    sqlpage.environment_variable(''DOWNLOAD_SECRET''),
     ''sha256''
-) as api_signature;
+);
+SELECT ''redirect'' AS component, ''/error.sql?err=expired'' AS link
+WHERE $expected IS DISTINCT FROM $token OR $expires_at < datetime(''now'');
+
+-- serve the file
 ```
 
-### Important Security Tips
+### Important Security Notes
 
- - **Keep your secret key safe**: Store it in environment variables using `sqlpage.environment_variable()`, never hardcode it in your SQL files
- - **Use strong keys**: Your secret should be long and random (at least 32 characters)
- - **The signature is case-sensitive**: Even one wrong letter means the signature won''t match
- - **Algorithms**: Use `sha256` for most cases (it''s the default), or `sha512` for extra security
- - **Output formats**: Use `hex` (default) for most cases, or `base64` when the service expects base64 (like Shopify)
- - **NULL handling**: If your data or key is NULL, the function returns NULL
+ - **Keep your secret key safe**: If your secret leaks, anyone can forge signatures and access protected pages
+ - **The signature is case-sensitive**: Even a single wrong letter means the signature won''t match
+ - **NULL handling**: Always use `IS DISTINCT FROM`, not `=` to check for hmac matches. In SQL `SELECT ''redirect'' as component WHERE sqlpage.hmac(...) != $signature` will not redirect if `$signature` is NULL (the signature is absent). Use `SELECT ''redirect'' as component WHERE sqlpage.hmac(...) IS DISTINCT FROM $signature` instead.
 '
     );
 
-INSERT INTO sqlpage_function_parameters (
+INSERT INTO
+    sqlpage_function_parameters (
         "function",
         "index",
         "name",
         "description_md",
         "type"
     )
-VALUES (
+VALUES
+    (
         'hmac',
         1,
         'data',
-        'The input data to compute the HMAC for. Can be any text string.',
+        'The input data to compute the HMAC for. Can be any text string. Cannot be NULL.',
         'TEXT'
     ),
     (
         'hmac',
         2,
         'key',
-        'The secret key used to compute the HMAC. Should be kept confidential.',
+        'The secret key used to compute the HMAC. Should be kept confidential. Cannot be NULL.',
         'TEXT'
     ),
     (
         'hmac',
         3,
         'algorithm',
-        'The hash algorithm and output format. Optional, defaults to `sha256` (hex output). Supported values: `sha256`, `sha256-base64`, `sha512`, `sha512-base64`.',
+        'The hash algorithm and output format. Optional, defaults to `sha256` (hex output). Supported values: `sha256`, `sha256-base64`, `sha512`, `sha512-base64`. Defaults to `sha256`.',
         'TEXT'
     );

src/webserver/database/sqlpage_functions/functions.rs

@@ -32,7 +32,7 @@ super::function_definition_macro::sqlpage_functions! {
     hash_password(password: Option<String>);
     header((&RequestInfo), name: Cow<str>);
     headers((&RequestInfo));
-    hmac(data: Option<Cow<str>>, key: Option<Cow<str>>, algorithm: Option<Cow<str>>);
+    hmac(data: Cow<str>, key: Cow<str>, algorithm: Option<Cow<str>>);
 
     user_info_token((&RequestInfo));
     link(file: Cow<str>, parameters: Option<Cow<str>>, hash: Option<Cow<str>>);
@@ -742,20 +742,13 @@ async fn headers(request: &RequestInfo) -> String {
 /// Computes the HMAC (Hash-based Message Authentication Code) of the input data
 /// using the specified key and hashing algorithm.
 async fn hmac<'a>(
-    data: Option<Cow<'a, str>>,
-    key: Option<Cow<'a, str>>,
+    data: Cow<'a, str>,
+    key: Cow<'a, str>,
     algorithm: Option<Cow<'a, str>>,
 ) -> anyhow::Result<Option<String>> {
     use hmac::{Hmac, Mac};
     use sha2::{Sha256, Sha512};
 
-    let Some(data) = data else {
-        return Ok(None);
-    };
-    let Some(key) = key else {
-        return Ok(None);
-    };
-
     let algorithm = algorithm.as_deref().unwrap_or("sha256");
 
     // Parse algorithm and output format (e.g., "sha256" or "sha256-base64")
@@ -810,8 +803,8 @@ async fn client_ip(request: &RequestInfo) -> Option<String> {
 async fn test_hmac() {
     // Test vector from RFC 4231 - HMAC-SHA256
     let result = hmac(
-        Some(Cow::Borrowed("The quick brown fox jumps over the lazy dog")),
-        Some(Cow::Borrowed("key")),
+        Cow::Borrowed("The quick brown fox jumps over the lazy dog"),
+        Cow::Borrowed("key"),
         Some(Cow::Borrowed("sha256")),
     )
     .await

tests/requests/webhook_hmac.rs

@@ -9,7 +9,7 @@ async fn test_webhook_hmac_invalid_signature() -> actix_web::Result<()> {
     std::env::set_var("WEBHOOK_SECRET", "test-secret-key");
 
     let webhook_body = r#"{"order_id":12345,"total":"99.99"}"#;
-    let invalid_signature = "invalid_signature_base64==";
+    let invalid_signature = "96a5f6f65c85a2d4d1f3a37813ab2c0b44041bdc17691fbb0884e3eb52b7c54b";
 
     let req = get_request_to("/tests/webhook_hmac_validation.sql")
         .await?
@@ -30,20 +30,10 @@ async fn test_webhook_hmac_invalid_signature() -> actix_web::Result<()> {
     let location = resp
         .headers()
         .get("location")
-        .expect("Should have Location header");
-    let location_str = location.to_str().unwrap();
-    assert!(
-        location_str.contains("/error.sql"),
-        "Should redirect to error page, got: {}",
-        location_str
-    );
-    assert!(
-        location_str.contains("Invalid+webhook+signature")
-            || location_str.contains("Invalid%20webhook%20signature"),
-        "Error message should mention invalid signature, got: {}",
-        location_str
-    );
-
+        .expect("Should have Location header")
+        .to_str()
+        .unwrap();
+    assert_eq!(location, "/error.sql?err=bad_webhook_signature");
     Ok(())
 }
 
@@ -53,52 +43,25 @@ async fn test_webhook_hmac_valid_signature() -> actix_web::Result<()> {
     std::env::set_var("WEBHOOK_SECRET", "test-secret-key");
 
     let webhook_body = r#"{"order_id":12345,"total":"99.99"}"#;
-
-    // Calculate the correct HMAC signature using the same algorithm
-    use hmac::{Hmac, Mac};
-    use sha2::Sha256;
-    let mut mac = Hmac::<Sha256>::new_from_slice(b"test-secret-key").unwrap();
-    mac.update(webhook_body.as_bytes());
-    let result = mac.finalize();
-    let valid_signature =
-        base64::Engine::encode(&base64::engine::general_purpose::STANDARD, result.into_bytes());
+    let valid_signature = "260b3b5ead84843645588af82d5d2c3fe24c598a950d36c45438c3a5f5bb941c";
 
     let req = get_request_to("/tests/webhook_hmac_validation.sql")
         .await?
         .insert_header(("content-type", "application/json"))
-        .insert_header(("X-Webhook-Signature", valid_signature.as_str()))
+        .insert_header(("X-Webhook-Signature", valid_signature))
         .set_payload(webhook_body)
         .to_srv_request();
 
     let resp = main_handler(req).await?;
 
     // Should return success when signature is valid
-    assert_eq!(
-        resp.status(),
-        StatusCode::OK,
-        "Expected OK status for valid signature"
-    );
-
-    let body = test::read_body(resp).await;
-    let body_str = String::from_utf8(body.to_vec()).unwrap();
+    assert_eq!(resp.status(), StatusCode::OK, "200 resp for signed req");
+    assert!(!resp.headers().contains_key("location"), "no redirect");
 
-    // Should contain success message
-    assert!(
-        body_str.contains("success") || body_str.contains("Success"),
-        "Response should indicate success, got: {}",
-        body_str
-    );
-    assert!(
-        body_str.contains("Webhook signature verified"),
-        "Response should confirm signature verification, got: {}",
-        body_str
-    );
-    assert!(
-        body_str.contains("order_id"),
-        "Response should contain the webhook body, got: {}",
-        body_str
+    assert_eq!(
+        test::read_body_json::<serde_json::Value, _>(resp).await,
+        serde_json::json! ({"msg": "Webhook signature is valid !"})
     );
-
     Ok(())
 }
 
@@ -118,23 +81,13 @@ async fn test_webhook_hmac_missing_signature() -> actix_web::Result<()> {
 
     let resp = main_handler(req).await?;
 
-    // Should redirect to error page when signature is missing
-    assert!(
-        resp.status() == StatusCode::FOUND || resp.status() == StatusCode::SEE_OTHER,
-        "Expected redirect (302 or 303) when signature header is missing, got: {}",
-        resp.status()
-    );
-
     let location = resp
         .headers()
         .get("location")
-        .expect("Should have Location header");
-    let location_str = location.to_str().unwrap();
-    assert!(
-        location_str.contains("/error.sql"),
-        "Should redirect to error page, got: {}",
-        location_str
-    );
+        .expect("Should have Location header")
+        .to_str()
+        .unwrap();
+    assert_eq!(location, "/error.sql?err=bad_webhook_signature");
 
     Ok(())
 }

tests/sql_test_files/it_works_hmac_null.sql

@@ -1,24 +1,17 @@
 -- Webhook HMAC signature validation example
 -- This simulates receiving a webhook with HMAC signature in header
-
--- Redirect to error page if signature is missing
-SELECT 'redirect' as component,
-    '/error.sql?message=' || sqlpage.url_encode('Missing webhook signature') as link
-WHERE sqlpage.header('X-Webhook-Signature') IS NULL;
-
 -- Redirect to error page if signature is invalid
-SELECT 'redirect' as component,
-    '/error.sql?message=' || sqlpage.url_encode('Invalid webhook signature') as link
-WHERE sqlpage.hmac(
-    sqlpage.request_body(),
-    sqlpage.environment_variable('WEBHOOK_SECRET'),
-    'sha256-base64'
-) != sqlpage.header('X-Webhook-Signature');
+-- test this with: curl localhost:8080/tests/webhook_hmac_validation.sql -H 'X-Webhook-Signature: 260b3b5ead84843645588af82d5d2c3fe24c598a950d36c45438c3a5f5bb941c' -H 'Content-Type: application/json' --data-raw '{"order_id":12345,"total":"99.99"}' -v
+SET body = sqlpage.request_body();
+SET secret = sqlpage.environment_variable('WEBHOOK_SECRET');
+SET expected_signature = sqlpage.hmac($body, $secret, 'sha256');
+SET actual_signature =  sqlpage.header('X-Webhook-Signature');
+
+SELECT
+    'redirect' as component,
+    '/error.sql?err=bad_webhook_signature' as link
+WHERE $actual_signature IS DISTINCT FROM $expected_signature;
 
 -- If we reach here, signature is valid - return success
-SELECT 'json' as component;
-SELECT json_object(
-    'status', 'success',
-    'message', 'Webhook signature verified',
-    'body', sqlpage.request_body()
-) as contents;
+SELECT 'json' as component, 'jsonlines' as type;
+select 'Webhook signature is valid !' as msg;