release: v0.4.2

Author: loookashow

docs/changelog.md

@@ -5,6 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+## [0.4.2] - 2026-03-10
+
+### Fixed
+
+- **Secure Management/Flux signing with query parameters**:
+  - `SecureKeyAuth` now signs only the URL path (without query string)
+  - aligns SDK signatures with server-side verification and Management auth docs
+  - prevents `401 authentication_failed` / `Invalid signature` on requests with query params
+
 ## [0.4.1] - 2026-03-05
 
 ### Fixed
@@ -88,6 +99,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Error handling guide
 - Code examples
 
+[Unreleased]: https://github.com/foxnose/python-sdk/compare/v0.4.2...HEAD
+[0.4.2]: https://github.com/foxnose/python-sdk/compare/v0.4.1...v0.4.2
 [0.4.1]: https://github.com/foxnose/python-sdk/compare/v0.4.0...v0.4.1
 [0.4.0]: https://github.com/foxnose/python-sdk/compare/v0.3.0...v0.4.0
 [0.3.0]: https://github.com/foxnose/python-sdk/compare/v0.2.0...v0.3.0

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "foxnose-sdk"
-version = "0.4.1"
+version = "0.4.2"
 description = "Official Python client for FoxNose Management and Flux APIs"
 readme = "README.md"
 license = {text = "Apache-2.0"}

src/foxnose_sdk/__init__.py

@@ -154,4 +154,4 @@
     "APIRef",
 ]
 
-__version__ = "0.4.1"
+__version__ = "0.4.2"

src/foxnose_sdk/auth/secure.py

@@ -51,9 +51,9 @@ def build_headers(self, request: RequestData) -> Mapping[str, str]:
         timestamp = self._clock().astimezone(dt.timezone.utc).replace(microsecond=0)
         timestamp_str = timestamp.strftime("%Y-%m-%dT%H:%M:%SZ")
         parsed = urlparse(request.url)
+        # Query parameters are excluded from the signature payload.
+        # Server-side verification signs request.path without querystring.
         path = parsed.path or "/"
-        if parsed.query:
-            path = f"{path}?{parsed.query}"
         body_hash = hashlib.sha256(body).hexdigest()
         data_to_sign = f"{path}|{body_hash}|{timestamp_str}".encode("utf-8")
         signature = self._private_key.sign(data_to_sign, ec.ECDSA(hashes.SHA256()))

tests/test_auth_strategies.py

@@ -52,7 +52,33 @@ def test_secure_auth_produces_verifiable_signature():
     signature_b64 = headers["Authorization"].split(":", 1)[1]
     signature = base64.b64decode(signature_b64)
     body_hash = hashlib.sha256(body).hexdigest()
-    expected = f"/api/test?foo=bar|{body_hash}|2024-02-20T18:00:00Z".encode("utf-8")
+    expected = f"/api/test|{body_hash}|2024-02-20T18:00:00Z".encode("utf-8")
+    public_obj.verify(signature, expected, ec.ECDSA(hashes.SHA256()))
+
+
+def test_secure_auth_ignores_query_params_in_signature():
+    public_key, private_key, public_obj = _generate_keys()
+    fixed_time = dt.datetime(2024, 2, 20, 18, 0, 0, tzinfo=dt.timezone.utc)
+    auth = SecureKeyAuth(
+        public_key=public_key, private_key=private_key, clock=lambda: fixed_time
+    )
+    body = b""
+    request = RequestData(
+        method="GET",
+        url="https://example.com/v1/env/folders/tree/item/?path=benchmark_jobs",
+        path="/v1/env/folders/tree/item/?path=benchmark_jobs",
+        body=body,
+    )
+    headers = auth.build_headers(request)
+
+    signature_b64 = headers["Authorization"].split(":", 1)[1]
+    signature = base64.b64decode(signature_b64)
+    body_hash = hashlib.sha256(body).hexdigest()
+    expected = (
+        f"/v1/env/folders/tree/item/|{body_hash}|2024-02-20T18:00:00Z".encode(
+            "utf-8"
+        )
+    )
     public_obj.verify(signature, expected, ec.ECDSA(hashes.SHA256()))