SNS ValidateMessage helper

[adamdavis40208]

The PHP SDK has a class for validating SNS messages received: https://docs.aws.amazon.com/aws-sdk-php/v3/api/namespace-Aws.Sns.html

Would you all want this on the python side of things? I'm rolling my own currently for a python project

[stealthycoin]

I don't know if this is something we would be interested in offhand. I would have to look at the PHP one. Feel free to make a pull request where we can discuss it while looking at the code.

[adamdavis40208]

Actually, I dug into it this weekend and found that between versions of the PHP SDK they actually split it out into a different repo:

https://github.com/aws/aws-php-sns-message-validator

I also found two python validators already in the community:

https://github.com/nathforge/validatesns
https://github.com/zircote/bona-fides

And I'm not sure we need a third.

[joguSD]

Glad you found something that might work for you. Closing this out.

[wollerman]

Actually I'm wondering why this functionality isn't desired to be builtin to boto? The SNS documentation for HTTP signature verification suggests When possible, use one of the supported AWS SDKs for Amazon SNS to validate and verify messages.

Googling around I found examples in the AWS SDKs for PHP, Java, and Ruby. I'm just curious why not Python?

[ahubers]

This confuses me as well -- if this is the official SDK isn't the intent to maintain feature parity?

[fxfitz]

I also agree; this should be available in boto3.

[wcoleman]

I agree as well. This should be built in to boto3

[wlwg]

I have this need too. I just put together a repo if anyone else needs it.
https://github.com/wlwg/sns-message-validator

[hzlmn]

Are there any chances it will be in official version or at least as a separate package as for other languages ? https://github.com/aws?utf8=%E2%9C%93&q=message+validator&type=&language= 🙏

[thenewguy]

@joguSD @stealthycoin please re-open this issue - it is recommended by the amazon docs. this is an important feature

From https://docs.aws.amazon.com/sns/latest/dg/sns-verify-signature-of-message.html

You should verify the authenticity of a notification, subscription confirmation, or unsubscribe confirmation message sent by Amazon SNS.

What is the reason behind not implementing this best practice?

[rish-shadra]

+1 here, this seems like a fairly essential piece of logic to include in the library. It doesn't help that the official documentation for how to validate an SNS message has a fairly large hole in it, since it doesn't validate that the cert passed in actually came from amazon as defined in this official doc. I haven't taken too much of a deep dive into the implementation, but this is the best validator I've been able to find so far.

[hiven]

This is so confusing why wouldn't boto include this feature?