CDviz

Appearance

Header Authentication

Header authentication is used by components that send outgoing messages to authenticate with external services. This includes SSE sources that connect to HTTP event streams, HTTP sinks that post events to external endpoints, and Kafka sinks that generate authentication headers for Kafka messages.

Components Using Header Authentication

ComponentPurpose
Source SSEAuthenticate with SSE event stream endpoints
Sink HTTPAuthenticate when posting events to external HTTP endpoints
Sink KafkaGenerate authentication headers for Kafka message consumers

Authentication Process

When making an outgoing request, configured headers are added to authenticate with the target service:

  1. Headers are computed based on configuration (static values, environment variables, etc.)
  2. Headers are added to the outgoing HTTP request
  3. Target service validates the provided authentication

Header Rule Types

Static Values

Use fixed string values for headers:

toml
[sources.events.extractor.headers]
"User-Agent" = { type = "static", value = "cdviz-collector/1.0" }

Environment Secrets

Retrieve values from environment variables (recommended for sensitive data):

toml
[sources.events.extractor.headers]
"X-API-Key" = { type = "secret", value = "API_KEY_ENV_VAR" }

Environment Variable Override Patterns

The configuration format affects how environment variables can override header settings:

bash
# Can be overridden:
export CDVIZ_COLLECTOR__SOURCES__MYAPI__EXTRACTOR__HEADERS__X_API_KEY__TYPE="secret"
export CDVIZ_COLLECTOR__SOURCES__MYAPI__EXTRACTOR__HEADERS__X_API_KEY__VALUE="NEW_API_KEY_VAR"

HMAC Signature Generation

Generate cryptographic signatures for request authentication:

toml
[sources.events.extractor.headers]
"X-Signature" = { type = "signature", token = "webhook-secret", signature_prefix = "sha256=", signature_on = "body", signature_encoding = "hex" }

Signature Parameters

  • token (string): Secret key for HMAC computation
  • signature_prefix (string, optional): Prefix added to signature (e.g., "sha256=")
  • signature_on (string): What to sign - "body" or "headers_then_body"
  • signature_encoding (string): Encoding format - "hex" or "base64"
  • token_encoding (string, optional): How to decode the token - "hex", "base64", or unset

Common Authentication Patterns

API Key Authentication

toml
# SSE source with API key
[sources.api_events.extractor]
type = "sse"
url = "https://api.example.com/events"

[sources.api_events.extractor.headers]
"X-API-Key" = { type = "secret", value = "MY_API_KEY" }

Bearer Token Authentication

toml
# SSE source with Bearer token
[sources.secure_events.extractor]
type = "sse"
url = "https://secure-api.example.com/stream"

[sources.secure_events.extractor.headers]
"Authorization" = { type = "secret", value = "Bearer your-token-here" }

Custom Headers with Multiple Values

toml
# Multiple authentication headers
[sources.enterprise_sse.extractor]
type = "sse"
url = "https://enterprise.example.com/events"

[sources.enterprise_sse.extractor.headers]
"X-Client-ID" = { type = "secret", value = "CLIENT_ID" }
"X-Client-Secret" = { type = "secret", value = "CLIENT_SECRET" }
"Accept" = { type = "static", value = "text/event-stream" }

Signature-Based Authentication

toml
# Webhook sink with HMAC signature
[sinks.signed_webhook.configuration]
url = "https://partner.example.com/events"

[sinks.signed_webhook.configuration.headers]
"X-Webhook-Signature" = { type = "signature", token = "PARTNER_WEBHOOK_SECRET", signature_prefix = "sha256=", signature_on = "body", signature_encoding = "hex" }

Multi-Header Authentication

Configure multiple headers for comprehensive authentication:

toml
[sources.multi_auth.extractor]
type = "sse"
url = "https://api.example.com/events"

[sources.multi_auth.extractor.headers]
"Authorization" = { type = "secret", value = "BEARER_TOKEN" }
"X-API-Key" = { type = "secret", value = "API_KEY" }
"User-Agent" = { type = "static", value = "cdviz-collector/1.0" }

Authentication by Service Type

GitHub API Authentication

toml
[sources.github_events.extractor]
type = "sse"
url = "https://api.github.com/events"

[sources.github_events.extractor.headers]
"Authorization" = { type = "secret", value = "GITHUB_TOKEN" }
"Accept" = { type = "static", value = "application/vnd.github.v3+json" }

Slack Webhook Authentication

toml
[sinks.slack_webhook.configuration]
url = "https://hooks.slack.com/services/T00/B00/XXX"

[sinks.slack_webhook.configuration.headers]
"Content-Type" = { type = "static", value = "application/json" }

# Slack webhooks typically don't need additional auth headers
# Authentication is embedded in the webhook URL

Custom Service with Multiple Auth Methods

toml
[sources.custom_service.extractor]
type = "sse"
url = "https://custom.example.com/events"

# Basic auth converted to header
[sources.custom_service.extractor.headers]
"Authorization" = { type = "secret", value = "BASIC_AUTH_HEADER" }

# API key
[sources.custom_service.extractor.headers]
"X-API-Key" = { type = "secret", value = "CUSTOM_API_KEY" }

# Request signing
[sources.custom_service.extractor.headers]
"X-Request-Signature" = { type = "signature", token = "CUSTOM_SIGNING_SECRET", signature_prefix = "sig=", signature_on = "body", signature_encoding = "hex" }

Security Best Practices

Least Privilege Tokens

Use tokens with minimal required permissions:

toml
# Use read-only tokens when possible
[sources.monitoring.extractor.headers]
"Authorization" = { type = "secret", value = "READONLY_MONITOR_TOKEN" }

HTTPS Only

Always use HTTPS for external requests:

toml
[sources.secure_events.extractor]
type = "sse"
url = "https://secure-api.company.com/events"  # HTTPS required

[sources.secure_events.extractor.headers]
"Authorization" = { type = "secret", value = "SECURE_API_TOKEN" }

Connection Security

Configure additional security options:

toml
[sources.secure_connection.extractor]
type = "sse"
url = "https://api.example.com/events"
# Additional SSL/TLS configuration would go here if supported
timeout = "30s"
max_retries = 5

[sources.secure_connection.extractor.headers]
"Authorization" = { type = "secret", value = "API_TOKEN" }

Testing Header Authentication

Test SSE Connection

bash
# Test SSE connection with authentication headers
curl -N -H "Accept: text/event-stream" \
  -H "Authorization: Bearer your-token" \
  -H "X-API-Key: your-api-key" \
  https://events.example.com/stream

Test Webhook Posting

bash
# Test webhook posting with authentication
curl -X POST https://external-service.com/webhook \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer your-token" \
  -H "X-API-Key: your-api-key" \
  -d '{"test": "event data"}'

Verify Authentication

bash
# Check if authentication headers are working
curl -v -N -H "Accept: text/event-stream" \
  -H "Authorization: Bearer your-token" \
  https://events.example.com/stream 2>&1 | grep -i "< HTTP"

Debug Authentication Issues

Enable debug logging to see outgoing headers:

bash
RUST_LOG=cdviz_collector::sources::sse=debug,cdviz_collector::sinks::webhook=debug \
  cdviz-collector connect --config config.toml

Common Authentication Errors

401 Unauthorized

  • Missing or invalid authentication headers
  • Expired tokens
  • Incorrect token format
bash
# Check token format and expiration
curl -H "Authorization: Bearer $TOKEN" https://api.example.com/verify

403 Forbidden

  • Valid authentication but insufficient permissions
  • API key lacks required scopes
  • Rate limiting
bash
# Verify token permissions
curl -H "Authorization: Bearer $TOKEN" https://api.example.com/permissions

Connection Failures

  • Network connectivity issues
  • Invalid URLs
  • SSL/TLS certificate problems
bash
# Test basic connectivity
curl -v https://api.example.com/events