Secure content push to Publisher

Content can be pushed to Publisher via HTTP requests from any system. But it’s important to store and publish only requests from approved by us sources.

To verify incoming requests we use special header: x-superdesk-signature. Value of this header have format like that: sha1={token}.

token is a result of HMAC (keyed-Hash Message Authentication Code) function. It’s created from request content and secret token value with sha1 algorithm applied on it.

secret token can be defined in Organization (when created or updated). Example command:

php app/console swp:organization:update OrganizationName --secretToken secret_token

Organization secret token is not visible in any API.

If token is set in organization then Publisher will reject all requests without x-superdesk-signature header or with wrong value in it.