Comparing version 0.0.3 to 0.0.4
@@ -43,3 +43,3 @@ // Load modules | ||
* | ||
* hostHeader - optional header field name, used to override the default 'Host' header when used | ||
* hostHeaderName - optional header field name, used to override the default 'Host' header when used | ||
* behind a cache of a proxy. Apache2 changes the value of the 'Host' header while preserving | ||
@@ -56,9 +56,9 @@ * the original (which is what the module must verify) in the 'x-forwarded-host' header field. | ||
var hostHeader = (options.hostHeader ? req.headers[options.hostHeader.toLowerCase()] : req.headers.host); | ||
var hostHeader = (options.hostHeaderName ? req.headers[options.hostHeaderName.toLowerCase()] : req.headers.host); | ||
if (!hostHeader) { | ||
return callback(new Error('Missing Host header'), false, null, null); | ||
return callback(new Error('Missing Host header'), null, null); | ||
} | ||
if (!req.headers.authorization) { | ||
return callback(new Error('Missing Authorization header'), false, null, null); | ||
return callback(new Error('Missing Authorization header'), null, null); | ||
} | ||
@@ -73,3 +73,3 @@ | ||
if (attributes instanceof Error) { | ||
return callback(attributes, false, null, null); | ||
return callback(attributes, null, null); | ||
} | ||
@@ -83,3 +83,3 @@ | ||
return callback(new Error('Missing attributes'), false, null, attributes.ext); | ||
return callback(new Error('Missing attributes'), null, attributes.ext); | ||
} | ||
@@ -96,3 +96,3 @@ | ||
return callback(new Error('Bad Host header'), false, null, attributes.ext); | ||
return callback(new Error('Bad Host header'), null, attributes.ext); | ||
} | ||
@@ -108,7 +108,7 @@ | ||
if (err) { | ||
return callback(err, false, credentials, attributes.ext); | ||
return callback(err, credentials || null, attributes.ext); | ||
} | ||
if (!credentials) { | ||
return callback(new Error('Missing credentials'), false, null, attributes.ext); | ||
return callback(new Error('Missing credentials'), null, attributes.ext); | ||
} | ||
@@ -119,3 +119,3 @@ | ||
return callback(new Error('Invalid credentials'), false, credentials, attributes.ext); | ||
return callback(new Error('Invalid credentials'), credentials, attributes.ext); | ||
} | ||
@@ -125,3 +125,3 @@ | ||
return callback(new Error('Unknown algorithm'), false, credentials, attributes.ext); | ||
return callback(new Error('Unknown algorithm'), credentials, attributes.ext); | ||
} | ||
@@ -133,3 +133,3 @@ | ||
if (mac !== attributes.mac) { | ||
return callback(new Error('Bad mac'), false, credentials, attributes.ext); | ||
return callback(new Error('Bad mac'), credentials, attributes.ext); | ||
} | ||
@@ -139,3 +139,3 @@ | ||
return callback(null, true, credentials, attributes.ext); | ||
return callback(null, credentials, attributes.ext); | ||
}); | ||
@@ -142,0 +142,0 @@ }; |
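Review bot: The MAC check in the `@@ -133,3 +133,3 @@` hunk still compares the computed value with `mac !== attributes.mac`, a short-circuiting string comparison whose run time depends on how many leading characters match; since `attributes.mac` comes from the client's Authorization header, the comparison should be constant-time (for example `crypto.timingSafeEqual` on equal-length buffers where the runtime provides it, or a fixed-time loop over both strings after a length check) so that the verification result is the only thing observable. Separately, now that the `isAuthenticated` flag is gone, several error paths (`err, credentials || null, ...`, `'Invalid credentials'`, `'Unknown algorithm'`, `'Bad mac'`) hand a non-null `credentials` object back alongside the error, so the only success signal left to callers is `err` being null; the header comment above `hostHeaderName` should state that, e.g. `// callback(err, credentials, ext): credentials may be set even when err is non-null and must not be treated as a successful authentication`. The enclosing authenticate function begins before the first hunk and its closing brace is outside the visible lines.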
{ | ||
"name": "hawk", | ||
"description": "HTTP Hawk Authentication Scheme", | ||
"version": "0.0.3", | ||
"version": "0.0.4", | ||
"author": "Eran Hammer <eran@hueniverse.com> (http://hueniverse.com)", | ||
@@ -6,0 +6,0 @@ "contributors": [], |
![hawk Logo](https://raw.github.com/hueniverse/hawk/master/images/hawk.png) | ||
**Hawk** is HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial | ||
<img align="right" src="https://raw.github.com/hueniverse/hawk/master/images/logo.png" /> **Hawk** is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial | ||
HTTP request cryptographic verification. For more complex use cases such as access delegation, see [Oz](/hueniverse/oz). | ||
@@ -10,3 +10,2 @@ | ||
# Table of Content | ||
@@ -21,4 +20,5 @@ | ||
- [**Frequently Asked Questions**](#frequently-asked-questions) | ||
<p></p> | ||
- [**Acknowledgements**](#acknowledgements) | ||
# Introduction | ||
@@ -148,3 +148,2 @@ | ||
1353832234 | ||
dh37fgj492je | ||
GET | ||
@@ -243,2 +242,7 @@ /resource/1?b=1&a=2 | ||
### Is it done? | ||
Far from it. Until this module reaches version 1.0.0 it is considered experimental and is likely to change. This also | ||
means your feedback and contribution are very welcome. Feel free to open issues with questions and suggestions. | ||
### Does **Hawk** have anything to do with OAuth? | ||
@@ -260,1 +264,31 @@ | ||
### Why isn't the algorithm part of the challenge or dynamically negotiated? | ||
The algorithm used is closely related to the key issued as different algorithms require different key sizes (and other | ||
requirements). While some keys can be used for multiple algorithm, the protocol is designed to closely bind the key and algorithm together as part of the issued credentials. | ||
### Why is Host the only header covered by the request MAC? | ||
It is really had to include other headers. Headers can be changed by proxies and other intermediaries and there is no | ||
well-established way to normalize them. The only straight-forward solution is to include the headers in some blob (say, | ||
bas64 encoded JSON) and include that with the request, an approach taken by JWT and other such formats. However, that | ||
design violates the HTTP header boundaries, repeats information, and introduces other security issues because firewalls | ||
will not be aware of these “hidden” headers. In addition, any information repeated must be compared to the duplicated | ||
information in the header and therefore only moves the problem elsewhere. | ||
### Why not just use HTTP Digest? | ||
Digest requires pre-negotiation to establish a nonce. This means you can't just make a request - you must first send | ||
a protocol handshake to the server. This pattern has become unacceptable for most web services, especially mobile | ||
where extra round-trip are costly. While Hawk includes support for sending a challenge when a request lacks | ||
authentication, it does not require it. | ||
# Acknowledgements | ||
**Hawk** is a derivative work of the [HTTP MAC Authentication Scheme](http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05) proposal | ||
Co-authored by Ben Adida, Adam Barth, and Eran Hammer, which in turn was based on the OAuth 1.0 community specification. | ||
Special thanks to Ben Laurie for his always insightful feedback and advice. | ||
The **Hawk** logo was created by [Chris Carrasco](http://chriscarrasco.com). |
@@ -36,3 +36,3 @@ // Load modules | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -62,6 +62,6 @@ should.not.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
should.exist(err); | ||
isAuthenticated.should.equal(false); | ||
should.exist(credentials); | ||
done(); | ||
@@ -85,3 +85,3 @@ }); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -105,3 +105,3 @@ should.not.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -125,3 +125,3 @@ should.not.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -144,3 +144,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -163,3 +163,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -183,3 +183,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -203,3 +203,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -223,3 +223,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -243,3 +243,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -268,3 +268,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -293,3 +293,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -323,3 +323,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -354,3 +354,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -385,3 +385,3 @@ should.exist(err); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, isAuthenticated, credentials, ext) { | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, ext) { | ||
@@ -388,0 +388,0 @@ should.exist(err); |
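Review bot: In the `@@ -62,6 +62,6 @@` hunk the callback is changed to `function (err, credentials, ext)` but the following line still reads `isAuthenticated.should.equal(false);`; if that line is unchanged context, as it appears to be, `isAuthenticated` is no longer bound in the new callback and the assertion will throw a ReferenceError rather than test anything. The assertion should either be dropped or replaced with a check on the new success signal, e.g. `should.exist(err); should.exist(credentials);` (which the next line already covers). The other test hunks only rename the callback parameters and are consistent with the new signature.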