Support signature validation in Dev mode

inngest/_internal/net.py

@@ -289,16 +289,16 @@ def _validate_request(
     mode: server_lib.ServerKind,
     signing_key: typing.Optional[str],
 ) -> types.MaybeError[typing.Optional[str]]:
-    if mode == server_lib.ServerKind.DEV_SERVER:
-        return None
-
     timestamp = None
     signature = None
     sig_header = headers.get(server_lib.HeaderKey.SIGNATURE.value)
     if sig_header is None:
-        return errors.HeaderMissingError(
-            f"cannot validate signature in production mode without a {server_lib.HeaderKey.SIGNATURE.value} header"
-        )
+        if mode == server_lib.ServerKind.DEV_SERVER:
+            return None
+        else:
+            return errors.HeaderMissingError(
+                f"cannot validate signature without a {server_lib.HeaderKey.SIGNATURE.value} header"
+            )
     else:
         parsed = urllib.parse.parse_qs(sig_header)
         if "t" in parsed:
@@ -308,7 +308,7 @@ def _validate_request(
 
     if signing_key is None:
         return errors.SigningKeyMissingError(
-            "cannot validate signature in production mode without a signing key"
+            "cannot validate signature without a signing key"
         )
 
     if signature is None:

inngest/_internal/net_test.py

@@ -108,35 +108,94 @@ def test_success(self) -> None:
             server_lib.HeaderKey.SIGNATURE.value: f"s={sig}&t={unix_ms}",
         }
 
-        assert not isinstance(
+        for mode in (
+            server_lib.ServerKind.CLOUD,
+            server_lib.ServerKind.DEV_SERVER,
+        ):
+            assert not isinstance(
+                net.validate_request(
+                    body=body,
+                    headers=headers,
+                    mode=mode,
+                    signing_key=_signing_key,
+                    signing_key_fallback=None,
+                ),
+                Exception,
+            )
+
+    def test_escape_sequences(self) -> None:
+        unix_ms = round(time.time() * 1000)
+        sig = _sign(b'{"msg":"a & b"}', _signing_key, unix_ms)
+        assert not isinstance(sig, Exception)
+        headers = {
+            server_lib.HeaderKey.SIGNATURE.value: f"s={sig}&t={unix_ms}",
+        }
+
+        for mode in (
+            server_lib.ServerKind.CLOUD,
+            server_lib.ServerKind.DEV_SERVER,
+        ):
+            assert not isinstance(
+                net.validate_request(
+                    body=b'{"msg":"a \\u0026 b"}',
+                    headers=headers,
+                    mode=mode,
+                    signing_key=_signing_key,
+                    signing_key_fallback=None,
+                ),
+                Exception,
+            )
+
+    def test_missing_header(self) -> None:
+        body = json.dumps({"msg": "hi"}).encode("utf-8")
+
+        err = net.validate_request(
+            body=body,
+            headers={},
+            mode=server_lib.ServerKind.CLOUD,
+            signing_key=_signing_key,
+            signing_key_fallback=None,
+        )
+        assert isinstance(err, errors.HeaderMissingError)
+        assert (
+            str(err)
+            == "cannot validate signature without a X-Inngest-Signature header"
+        )
+
+        # Dev mode doesn't require a signature header
+        assert (
             net.validate_request(
                 body=body,
-                headers=headers,
-                mode=server_lib.ServerKind.CLOUD,
+                headers={},
+                mode=server_lib.ServerKind.DEV_SERVER,
                 signing_key=_signing_key,
                 signing_key_fallback=None,
-            ),
-            Exception,
+            )
+            is None
         )
 
-    def test_escape_sequences(self) -> None:
+    def test_missing_signing_key(self) -> None:
+        body = json.dumps({"msg": "hi"}).encode("utf-8")
         unix_ms = round(time.time() * 1000)
-        sig = _sign(b'{"msg":"a & b"}', _signing_key, unix_ms)
+        sig = _sign(body, _signing_key, unix_ms)
         assert not isinstance(sig, Exception)
         headers = {
             server_lib.HeaderKey.SIGNATURE.value: f"s={sig}&t={unix_ms}",
         }
 
-        assert not isinstance(
-            net.validate_request(
-                body=b'{"msg":"a \\u0026 b"}',
+        for mode in (
+            server_lib.ServerKind.CLOUD,
+            server_lib.ServerKind.DEV_SERVER,
+        ):
+            err = net.validate_request(
+                body=body,
                 headers=headers,
-                mode=server_lib.ServerKind.CLOUD,
-                signing_key=_signing_key,
+                mode=mode,
+                signing_key=None,
                 signing_key_fallback=None,
-            ),
-            Exception,
-        )
+            )
+            assert isinstance(err, errors.SigningKeyMissingError)
+            assert str(err) == "cannot validate signature without a signing key"
 
     def test_body_tamper(self) -> None:
         """
@@ -153,14 +212,18 @@ def test_body_tamper(self) -> None:
 
         body = json.dumps({"msg": "you've been hacked"}).encode("utf-8")
 
-        validation = net.validate_request(
-            body=body,
-            headers=headers,
-            mode=server_lib.ServerKind.CLOUD,
-            signing_key=_signing_key,
-            signing_key_fallback=None,
-        )
-        assert isinstance(validation, errors.SigVerificationFailedError)
+        for mode in (
+            server_lib.ServerKind.CLOUD,
+            server_lib.ServerKind.DEV_SERVER,
+        ):
+            err = net.validate_request(
+                body=body,
+                headers=headers,
+                mode=mode,
+                signing_key=_signing_key,
+                signing_key_fallback=None,
+            )
+            assert isinstance(err, errors.SigVerificationFailedError)
 
     def test_rotation(self) -> None:
         """
@@ -176,16 +239,18 @@ def test_rotation(self) -> None:
             server_lib.HeaderKey.SIGNATURE.value: f"s={sig}&t={unix_ms}",
         }
 
-        assert not isinstance(
-            net.validate_request(
+        for mode in (
+            server_lib.ServerKind.CLOUD,
+            server_lib.ServerKind.DEV_SERVER,
+        ):
+            key = net.validate_request(
                 body=body,
                 headers=headers,
-                mode=server_lib.ServerKind.CLOUD,
+                mode=mode,
                 signing_key=_signing_key,
                 signing_key_fallback=_signing_key_fallback,
-            ),
-            Exception,
-        )
+            )
+            assert key == _signing_key_fallback
 
     def test_fails_for_both_signing_keys(self) -> None:
         """
@@ -199,17 +264,20 @@ def test_fails_for_both_signing_keys(self) -> None:
         headers = {
             server_lib.HeaderKey.SIGNATURE.value: f"s={sig}&t={unix_ms}",
         }
-
-        assert isinstance(
-            net.validate_request(
-                body=body,
-                headers=headers,
-                mode=server_lib.ServerKind.CLOUD,
-                signing_key=_signing_key,
-                signing_key_fallback=_signing_key_fallback,
-            ),
-            Exception,
-        )
+        for mode in (
+            server_lib.ServerKind.CLOUD,
+            server_lib.ServerKind.DEV_SERVER,
+        ):
+            assert isinstance(
+                net.validate_request(
+                    body=body,
+                    headers=headers,
+                    mode=mode,
+                    signing_key=_signing_key,
+                    signing_key_fallback=_signing_key_fallback,
+                ),
+                errors.SigVerificationFailedError,
+            )
 
 
 class Test_fetch_with_auth_fallback(unittest.IsolatedAsyncioTestCase):

tests/test_function/cases/batch_that_needs_api.py

@@ -72,7 +72,7 @@ async def run_test(self: base.TestClass) -> None:
             )
         self.client.send_sync(events)
 
-        run_id = state.wait_for_run_id()
+        run_id = state.wait_for_run_id(timeout=datetime.timedelta(seconds=10))
         tests.helper.client.wait_for_run_status(
             run_id,
             tests.helper.RunStatus.COMPLETED,