use canonical json form for signed responses

[bhearsum]

Currently, we don't have any guarantees that our JSON responses will be bit-for-bit the same for the same request. This means that any time the response format changes, we'll have to generate additional, possibly unnecessary, signatures (because we use the hashed, dumped-to-a-string, json as our cache key).

Something like https://github.com/Kinto/kinto-signer/blob/master/kinto_signer/canonicaljson.py or https://pypi.org/project/canonicaljson/.

Thanks to glasserc for the idea and pointers.

(Imported from https://bugzilla.mozilla.org/show_bug.cgi?id=1590609)

[Raven49]

Kindly assign this task to me

[bhearsum]

Hi, please feel free to work on the issue and open a PR when you feel it is ready.

[michellemounde]

Could I have more info about this issue ? @bhearsum @gabrielBusta
Could you provide the file(s) where the changes should be made?

[bhearsum]

This issue boils down to the fact that the JSON responses we return are not deterministic: it is possible that we may return exactly the same data but in a different order for different requests.

Fixing it requires ensuring the response object is built deterministically, probably by using one of the linked libraries.

[jcristau]

Reopening because the fix in #3035 had to be reverted in #3058.

Changing json.dumps to canonicaljson.encode_canonical_json changed a text string to a byte string, which when passed to make_hash returns a bogus hash, and thus causes us to end up with a bogus signature.