hawk - npm Package Compare versions

Comparing version 0.11.1 to 0.12.0

example/usage.js

@@ -0,0 +0,0 @@ // Load modules

lib/browser.js

@@ -15,3 +15,3 @@ /*
 
-if (module && module.exports) {
+if (typeof module !== "undefined" && module.exports) {
     module.exports = hawk;
@@ -39,3 +39,3 @@ }
         ext: 'application-specific',                        // Application specific data sent via the ext attribute
-        timestamp: Date.now(),                              // A pre-calculated timestamp
+        timestamp: Date.now() / 1000,                       // A pre-calculated timestamp in seconds
         nonce: '2334f34f',                                  // A pre-generated nonce
@@ -172,2 +172,4 @@ localtimeOffsetMsec: 400,                           // Time offset to sync with server time (ignored if timestamp provided)
                 }
+
+                hawk.utils.ntpOffset = (attributes.ts - Math.floor(Date.now() / 1000));     // Keep offset at 1 second precision
             }
@@ -280,5 +282,7 @@ }
 
+    ntpOffset: 0,
+
     now: function () {
 
-        return Date.now();
+        return Date.now() + hawk.utils.ntpOffset;
     },
@@ -285,0 +289,0 @@

lib/server.js

@@ -189,3 +189,3 @@ // Load modules
             if (Math.abs((attributes.ts * 1000) - now) > (options.timestampSkewSec * 1000)) {
-                var fresh = Utils.now() + (options.localtimeOffsetMsec || 0);                                   // Get fresh now
+                var fresh = Math.floor((Utils.now() + (options.localtimeOffsetMsec || 0)) / 1000);            // Get fresh now
                 var tsm = Crypto.calculateTsMac(fresh, credentials);
@@ -192,0 +192,0 @@ return callback(Boom.unauthorized('Stale timestamp', 'Hawk', { ts: fresh, tsm: tsm }), credentials, artifacts);

package.json

 {
   "name": "hawk",
   "description": "HTTP Hawk Authentication Scheme",
-  "version": "0.11.1",
+  "version": "0.12.0",
   "author": "Eran Hammer <eran@hueniverse.com> (http://hueniverse.com)",
@@ -16,12 +16,12 @@ "contributors": [],
   "engines": {
-    "node": "0.8.x"
+    "node": "0.10.x"
   },
   "dependencies": {
-    "hoek": "0.7.x",
-    "boom": "0.3.x",
-    "cryptiles": "0.1.x",
-    "sntp": "0.1.x"
+    "hoek": "0.8.x",
+    "boom": "0.4.x",
+    "cryptiles": "0.2.x",
+    "sntp": "0.2.x"
   },
   "devDependencies": {
-    "lab": "0.0.x",
+    "lab": "0.1.x",
     "complexity-report": "0.x.x"
@@ -28,0 +28,0 @@ },

README.md

@@ -6,3 +6,3 @@ ![hawk Logo](https://raw.github.com/hueniverse/hawk/master/images/hawk.png)
 
-Current version: **0.11.1**
+Current version: **0.12.0**
 
@@ -19,3 +19,3 @@ [![Build Status](https://secure.travis-ci.org/hueniverse/hawk.png)](http://travis-ci.org/hueniverse/hawk)
     - [Response Payload Validation](#response-payload-validation)
-  - [Browser Support](#browser-support)
+  - [Browser Support and Considerations](#browser-support-and-considerations)
 <p></p>
@@ -90,3 +90,4 @@ - [**Single URI Authorization**](#single-uri-authorization)
 clock and the server clock to use NTP to ensure synchronization. However, given the limitations of some client types
-(e.g. browsers) to deploy NTP, the server provides the client with its current time in response to a bad timestamp.
+(e.g. browsers) to deploy NTP, the server provides the client with its current time (in seconds precision) in response
+to a bad timestamp.
 
@@ -348,7 +349,10 @@ There is no expectation that the client will adjust its system clock to match the server (in fact, this would be a
 
-## Browser Support
+## Browser Support and Considerations
 
 An experimental browser script is provided for including using a `<script>` tag in [lib/browser.js](/lib/browser.js).
 
+**Hawk** relies on the _Server-Authorization_ and _WWW-Authenticate_ headers in its response to communicate with the client. Therefore, in case of CORS requests, it is important to consider sending _Access-Control-Expose-Headers_ with the value _"WWW-Authenticate, Server-Authorization"_ on each response from your server. As explained in the [specifications](http://www.w3.org/TR/cors/#access-control-expose-headers-response-header), it will indicate that these headers can safely be accessed by the client (using getResponseHeader() on the XmlHttpRequest object). Otherwise you will be met with a ["simple response header"](http://www.w3.org/TR/cors/#simple-response-header) which excludes these fields and would prevent the Hawk client from authenticating the requests.
+You can read more about the why and how in this [article](http://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server)
 
+
 # Single URI Authorization
@@ -355,0 +359,0 @@

test/browser.js

@@ -189,2 +189,51 @@ // Load modules
 
+    it('should generate a header with stale ts and successfully authenticate on second call', function (done) {
+
+        var req = {
+            method: 'GET',
+            url: '/resource/4?filter=a',
+            host: 'example.com',
+            port: 8080
+        };
+
+        credentialsFunc('123456', function (err, credentials) {
+
+            Browser.utils.ntpOffset = 60 * 60 * 1000;
+            var header = Browser.client.header('http://example.com:8080/resource/4?filter=a', req.method, { credentials: credentials, ext: 'some-app-data' });
+            req.authorization = header.field;
+            expect(req.authorization).to.exist;
+
+            Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) {
+
+                expect(err).to.exist;
+                expect(err.message).to.equal('Stale timestamp');
+
+                var res = {
+                    headers: {
+                        'www-authenticate': err.response.headers['WWW-Authenticate']
+                    },
+                    getResponseHeader: function (header) {
+
+                        return res.headers[header.toLowerCase()];
+                    }
+                };
+
+                expect(Browser.utils.ntpOffset).to.equal(60 * 60 * 1000);
+                expect(Browser.client.authenticate(res, credentials, header.artifacts)).to.equal(true);
+                expect(Browser.utils.ntpOffset).to.equal(0);
+
+                req.authorization = Browser.client.header('http://example.com:8080/resource/4?filter=a', req.method, { credentials: credentials, ext: 'some-app-data' }).field;
+                expect(req.authorization).to.exist;
+
+                Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) {
+
+                    expect(err).to.not.exist;
+                    expect(credentials.user).to.equal('steve');
+                    expect(artifacts.ext).to.equal('some-app-data');
+                    done();
+                });
+            });
+        });
+    });
+
     it('should generate a header then fails to parse it (missing server header hash)', function (done) {
@@ -191,0 +240,0 @@

test/server.js

@@ -129,3 +129,3 @@ // Load modules
                     var now = Hawk.utils.now();
-                    expect(parseInt(ts[1], 10)).to.be.within(now - 1, now + 1);
+                    expect(parseInt(ts[1], 10) * 1000).to.be.within(now - 1000, now + 1000);
 
@@ -132,0 +132,0 @@ var res = {

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

259047

increased by1.62%

Lines of code

2996

increased by1.32%

Number of lines in readme file

615

increased by0.65%

Dependency changes

• + Addedboom@0.4.2(transitive)

• + Addedcryptiles@0.2.2(transitive)

• + Addedhoek@0.8.50.9.1(transitive)

• + Addedsntp@0.2.4(transitive)

• - Removedboom@0.3.8(transitive)

• - Removedcryptiles@0.1.3(transitive)

• - Removedhoek@0.7.6(transitive)

• - Removedsntp@0.1.4(transitive)

• Updatedboom@0.4.x

• Updatedcryptiles@0.2.x

• Updatedhoek@0.8.x

• Updatedsntp@0.2.x