Medplum is the fasted way to build high quality, scalable and compliant healthcare applications

medplum

Hello, I am trying to use a REST subscription with signature verification based on the docs provided here: https://www.medplum.com/docs/subscriptions/subscription-extensions#signatures

I noticed that the signature doesn't match for Delete events.

It looks like the signature is generated using the resource that was deleted instead of the body that is sent (`{}`) based on https://github.com/medplum/medplum/blob/main/packages/server/src/workers/subscription.ts#L571

Is this intentional?

I would expect any of the following would allow the signatures to match on deleted resources:
- a signature based on the `{}` body
- include the deleted resource in the body instead of `{}`
- use the content of the `X-Medplum-Deleted-Resource` header instead of the body for deleted resource signatures

Hi <@1215339341258297405> , this is most likely an oversight on our part. Thank you for bringing this to our attention!

Would you mind filling out a GH issue with a bug report? Your proposal seems very reasonable

https://github.com/medplum/medplum/issues/4198