hawk - npm Package Compare versions

Comparing version 0.7.1 to 0.8.1

18

lib/crypto.js

@@ -36,3 +36,5 @@ // Load modules

hash: 'U4MKKSmiVxk37JCCrAVIjV/OhB3y+NdwoCr6RShbVkE=',
ext: 'app-specific-data'
ext: 'app-specific-data',
app: 'hf48hd83qwkj', // Application id (Oz)
dlg: 'd8djwekds9cj' // Delegated by application id (Oz), requires options.app
};

@@ -61,5 +63,15 @@ */

options.port + '\n' +
(options.hash || '') + '\n' +
(options.ext || '') + '\n';
(options.hash || '') + '\n';
if (options.ext) {
normalized += options.ext.replace('\\', '\\\\').replace('\n', '\\n');
}
normalized += '\n';
if (options.app) {
normalized += options.app + '\n' +
(options.dlg || '') + '\n';
}
return normalized;

@@ -66,0 +78,0 @@ };
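Review bot: The escaping added on the `ext` line of the second hunk is incomplete: `String.prototype.replace` with a string pattern rewrites only the first match, so `options.ext.replace('\\', '\\\\').replace('\n', '\\n')` leaves any second backslash or newline in `ext` untouched. Because this string is the MAC input and its fields are newline-delimited, the canonical form is no longer unambiguous for such values; use global patterns, `normalized += options.ext.replace(/\\/g, '\\\\').replace(/\n/g, '\\n');` (backslash first, as now, so the newline escape is not itself re-escaped). The `app` and `dlg` values are appended raw on the following lines; if they are not guaranteed newline-free by the caller, the same treatment applies, though I cannot tell from this hunk where they are validated. The enclosing function begins before this hunk.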

21

lib/index.js

@@ -134,3 +134,3 @@ // Load modules

if (['id', 'ts', 'nonce', 'hash', 'ext', 'mac'].indexOf($1) === -1) {
if (['id', 'ts', 'nonce', 'hash', 'ext', 'mac', 'app', 'dlg'].indexOf($1) === -1) {
errorMessage = 'Unknown attribute: ' + $1;

@@ -213,3 +213,5 @@ return;

hash: attributes.hash,
ext: attributes.ext
ext: attributes.ext,
app: attributes.app,
dlg: attributes.dlg
});

@@ -256,3 +258,3 @@

* credentials is an object with the following keys: 'id, 'key', 'algorithm'.
* options is an object with the following optional keys: 'ext', 'timestamp', 'nonce', 'localtimeOffsetMsec', 'payload'
* options is an object with the following optional keys: 'ext', 'timestamp', 'nonce', 'localtimeOffsetMsec', 'payload' (also supports 'app' and 'dlg' for Oz)
*/

@@ -263,3 +265,2 @@

options = options || {};
options.ext = (options.ext === null || options.ext === undefined ? '' : options.ext); // Zero is valid value

@@ -306,3 +307,5 @@ // Application time

hash: hash,
ext: options.ext
ext: options.ext,
app: options.app,
dlg: options.dlg
};

@@ -314,2 +317,3 @@

var hasExt = options.ext !== null && options.ext !== undefined && options.ext !== ''; // Other falsey values allowed
var header = 'Hawk id="' + credentials.id +

@@ -319,5 +323,10 @@ '", ts="' + artifacts.timestamp +

(hash ? '", hash="' + hash : '') +
(options.ext ? '", ext="' + Utils.escapeHeaderAttribute(options.ext) : '') +
(hasExt ? '", ext="' + Utils.escapeHeaderAttribute(options.ext) : '') +
'", mac="' + mac + '"';
if (options.app) {
header += ', app="' + options.app +
(options.dlg ? '", dlg="' + options.dlg : '') + '"';
}
return header;

@@ -324,0 +333,0 @@ };
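Review bot: In the last hunk the `app` and `dlg` values are concatenated into the Authorization header without `Utils.escapeHeaderAttribute`, while `ext` on the line just above is escaped; a value containing `"` or `\` produces a malformed header that the receiving parser will reject or mis-split. Escape them the same way: `header += ', app="' + Utils.escapeHeaderAttribute(options.app) +` / `(options.dlg ? '", dlg="' + Utils.escapeHeaderAttribute(options.dlg) : '') + '"';`. The `hasExt` change is a good fix (`0` and `false` were previously dropped from the header while still being signed in the normalized string). The enclosing function starts and ends outside this hunk.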

{
"name": "hawk",
"description": "HTTP Hawk Authentication Scheme",
"version": "0.7.1",
"version": "0.8.1",
"author": "Eran Hammer <eran@hueniverse.com> (http://hueniverse.com)",

@@ -6,0 +6,0 @@ "contributors": [],

![hawk Logo](https://raw.github.com/hueniverse/hawk/master/images/hawk.png)
<img align="right" src="https://raw.github.com/hueniverse/hawk/master/images/logo.png" /> **Hawk** is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial
HTTP request cryptographic verification. For more complex use cases such as access delegation, see [Oz](/hueniverse/oz).
HTTP request cryptographic verification. For more complex use cases such as access delegation, see [Oz](https://github.com/hueniverse/oz).

@@ -507,3 +507,14 @@ Current version: **0.6.1**

### What are `app` and `dlg` in the authorization header and normalized mac string?
The original motivation for **Hawk** was to replace the OAuth 1.0 use cases. This included both a simple client-server mode which
this module is specifically designed for, and a delegated access mode which is being developed separately in
[Oz](https://github.com/hueniverse/oz). In addition to the **Hawk** use cases, Oz requires another attribute: the application id `app`.
This provides binding between the credentials and the application in a way that prevents an attacker from tricking an application
to use credentials issued to someone else. It also has an optional 'delegated-by' attribute `dlg` which is the application id of the
application the credentials were directly issued to.
The goal of these two additions is to allow Oz to utilize **Hawk** directly, but with the additional security of delegated credentials.
The additional support has been added without breaking or affecting **Hawk**-only use cases.
# Acknowledgements

@@ -510,0 +521,0 @@

@@ -122,2 +122,26 @@ // Load modules

it('should generate a header then successfully parse it (app, dlg)', function (done) {
var req = {
method: 'GET',
url: '/resource/4?filter=a',
host: 'example.com',
port: 8080
};
credentialsFunc('123456', function (err, credentials) {
req.authorization = Hawk.getAuthorizationHeader(credentials, req.method, req.url, req.host, req.port, { ext: 'some-app-data', app: 'asd23ased', dlg: '23434szr3q4d' });
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
expect(err).to.not.exist;
expect(credentials.user).to.equal('steve');
expect(attributes.ext).to.equal('some-app-data');
expect(attributes.app).to.equal('asd23ased');
expect(attributes.dlg).to.equal('23434szr3q4d');
done();
});
});
});
it('should generate a header then fail authentication due to bad hash', function (done) {

@@ -124,0 +148,0 @@
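Review bot: The new test covers only the round-trip happy path; nothing exercises the new `ext` escaping in lib/crypto.js (an `ext` containing `\n` or `\\`), and nothing checks that `app`/`dlg` are actually bound by the MAC, i.e. that altering `app` in the header after signing makes `Hawk.authenticate` fail. A second `it` case with an `ext` such as `'line1\nline2\\end'` and a third that rewrites the `app` attribute in `req.authorization` before authenticating would pin both. The `err` from `credentialsFunc` is also ignored on the first callback line; an `expect(err).to.not.exist;` there keeps a credentials failure from surfacing as a confusing later assertion.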
