qprobe is a lightweight probe authentication utility designed to distinguish secure vs. insecure networks using cryptographically signed HTTP GET requests. It features:

• HMAC-SHA256 authentication
• Timestamp-based freshness checking
• Nonce-based replay protection
• Optional LRU or Bloom filter for replay cache
• Human-friendly logging
• Simple binary or container deployment

Every probe request includes:

You can choose the replay cache strategy:

./qprobe --mode=server --replay-mode=lru

./qprobe --mode=client --username=testuser --host=http://localhost:8080

This command:

1. Generates a signed probe URL
2. Sends the request to the server
3. Prints both the probe URL and the HTTP response

Example output:

Generated Probe URL:
http://localhost:8080/check?q=...

Response from server (Status 200):
{"code":"200","message":"Valid probe from testuser"}

Decoded query might look like:

username=dGVzdHVzZXI=  # testuser  
timestamp=1748012345  
nonce=xyz7a9wq5f  
hmac=5d3ff9a....

• 200 OK: Probe accepted, signature verified
• 403 Forbidden: Rejected due to timestamp expiry, nonce reuse, or bad HMAC
• 400 Bad Request: Missing or malformed parameters

Logs:

[ACCEPTED] Valid probe (HTTP 200) — user=testuser nonce=abc123 timestamp=... hmac=...
[DENIED] Replay detected (LRU size: 84) (HTTP 403) — user=testuser nonce=abc123 ...
[DENIED] Invalid HMAC (HTTP 403) — user=foo ...

make build       # go build -o qprobe .
make run         # ./qprobe --mode=server
make test        # run unit tests
make test-cover  # print test coverage

make docker-build
make docker-run

The project includes unit tests for:

• HMAC generation + verification
• Timestamp validation
• Base64 decoding
• Replay detection (LRU and Bloom)

Run with:

make test
make test-cover

• The shared secret must be protected on the server
• Time window ensures freshness; server clocks should be synced (NTP)
• Replay cache is in-memory only — restart clears it

This project is licensed under the MIT License.