Comparing version 0.7.1 to 0.8.1
@@ -36,3 +36,5 @@ // Load modules | ||
hash: 'U4MKKSmiVxk37JCCrAVIjV/OhB3y+NdwoCr6RShbVkE=', | ||
ext: 'app-specific-data' | ||
ext: 'app-specific-data', | ||
app: 'hf48hd83qwkj', // Application id (Oz) | ||
dlg: 'd8djwekds9cj' // Delegated by application id (Oz), requires options.app | ||
}; | ||
@@ -61,5 +63,15 @@ */ | ||
options.port + '\n' + | ||
(options.hash || '') + '\n' + | ||
(options.ext || '') + '\n'; | ||
(options.hash || '') + '\n'; | ||
if (options.ext) { | ||
normalized += options.ext.replace('\\', '\\\\').replace('\n', '\\n'); | ||
} | ||
normalized += '\n'; | ||
if (options.app) { | ||
normalized += options.app + '\n' + | ||
(options.dlg || '') + '\n'; | ||
} | ||
return normalized; | ||
@@ -66,0 +78,0 @@ }; |
@@ -134,3 +134,3 @@ // Load modules | ||
if (['id', 'ts', 'nonce', 'hash', 'ext', 'mac'].indexOf($1) === -1) { | ||
if (['id', 'ts', 'nonce', 'hash', 'ext', 'mac', 'app', 'dlg'].indexOf($1) === -1) { | ||
errorMessage = 'Unknown attribute: ' + $1; | ||
@@ -213,3 +213,5 @@ return; | ||
hash: attributes.hash, | ||
ext: attributes.ext | ||
ext: attributes.ext, | ||
app: attributes.app, | ||
dlg: attributes.dlg | ||
}); | ||
@@ -256,3 +258,3 @@ | ||
* credentials is an object with the following keys: 'id, 'key', 'algorithm'. | ||
* options is an object with the following optional keys: 'ext', 'timestamp', 'nonce', 'localtimeOffsetMsec', 'payload' | ||
* options is an object with the following optional keys: 'ext', 'timestamp', 'nonce', 'localtimeOffsetMsec', 'payload' (also supports 'app' and 'dlg' for Oz) | ||
*/ | ||
@@ -263,3 +265,2 @@ | ||
options = options || {}; | ||
options.ext = (options.ext === null || options.ext === undefined ? '' : options.ext); // Zero is valid value | ||
@@ -306,3 +307,5 @@ // Application time | ||
hash: hash, | ||
ext: options.ext | ||
ext: options.ext, | ||
app: options.app, | ||
dlg: options.dlg | ||
}; | ||
@@ -314,2 +317,3 @@ | ||
var hasExt = options.ext !== null && options.ext !== undefined && options.ext !== ''; // Other falsey values allowed | ||
var header = 'Hawk id="' + credentials.id + | ||
@@ -319,5 +323,10 @@ '", ts="' + artifacts.timestamp + | ||
(hash ? '", hash="' + hash : '') + | ||
(options.ext ? '", ext="' + Utils.escapeHeaderAttribute(options.ext) : '') + | ||
(hasExt ? '", ext="' + Utils.escapeHeaderAttribute(options.ext) : '') + | ||
'", mac="' + mac + '"'; | ||
if (options.app) { | ||
header += ', app="' + options.app + | ||
(options.dlg ? '", dlg="' + options.dlg : '') + '"'; | ||
} | ||
return header; | ||
@@ -324,0 +333,0 @@ }; |
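Review bot: The escaping added to the normalized string for `ext` replaces only the first backslash and the first newline, because `String.prototype.replace` with a string pattern substitutes a single occurrence, so a value holding several of either is only partially escaped and the field separator in the MAC input is not reliably protected. A global regex covers every occurrence: `normalized += options.ext.replace(/\\/g, '\\\\').replace(/\n/g, '\\n');`. The same hunk includes `ext` only when `if (options.ext)` is truthy while the header builder later in this section uses `hasExt`, which also keeps falsy non-empty values, so a falsy `ext` could presumably appear in the header but not in the MAC input; the two conditions should match. In the final hunk, `app` and `dlg` are concatenated into the header without `Utils.escapeHeaderAttribute`, unlike `ext` on the line above, so a value containing a quote or backslash would yield a malformed header. The normalization function's signature starts before its hunk.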
{ | ||
"name": "hawk", | ||
"description": "HTTP Hawk Authentication Scheme", | ||
"version": "0.7.1", | ||
"version": "0.8.1", | ||
"author": "Eran Hammer <eran@hueniverse.com> (http://hueniverse.com)", | ||
@@ -6,0 +6,0 @@ "contributors": [], |
![hawk Logo](https://raw.github.com/hueniverse/hawk/master/images/hawk.png) | ||
<img align="right" src="https://raw.github.com/hueniverse/hawk/master/images/logo.png" /> **Hawk** is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial | ||
HTTP request cryptographic verification. For more complex use cases such as access delegation, see [Oz](/hueniverse/oz). | ||
HTTP request cryptographic verification. For more complex use cases such as access delegation, see [Oz](https://github.com/hueniverse/oz). | ||
@@ -507,3 +507,14 @@ Current version: **0.6.1** | ||
### What are `app` and `dlg` in the authorization header and normalized mac string? | ||
The original motivation for **Hawk** was to replace the OAuth 1.0 use cases. This included both a simple client-server mode which | ||
this module is specifically designed for, and a delegated access mode which is being developed separately in | ||
[Oz](https://github.com/hueniverse/oz). In addition to the **Hawk** use cases, Oz requires another attribute: the application id `app`. | ||
This provides binding between the credentials and the application in a way that prevents an attacker from tricking an application | ||
to use credentials issued to someone else. It also has an optional 'delegated-by' attribute `dlg` which is the application id of the | ||
application the credentials were directly issued to. | ||
The goal of these two additions is to allow Oz to utilize **Hawk** directly, but with the additional security of delegated credentials. | ||
The additional support has been added without breaking or affecting **Hawk**-only use cases. | ||
# Acknowledgements | ||
@@ -510,0 +521,0 @@ |
@@ -122,2 +122,26 @@ // Load modules | ||
it('should generate a header then successfully parse it (app, dlg)', function (done) { | ||
var req = { | ||
method: 'GET', | ||
url: '/resource/4?filter=a', | ||
host: 'example.com', | ||
port: 8080 | ||
}; | ||
credentialsFunc('123456', function (err, credentials) { | ||
req.authorization = Hawk.getAuthorizationHeader(credentials, req.method, req.url, req.host, req.port, { ext: 'some-app-data', app: 'asd23ased', dlg: '23434szr3q4d' }); | ||
Hawk.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) { | ||
expect(err).to.not.exist; | ||
expect(credentials.user).to.equal('steve'); | ||
expect(attributes.ext).to.equal('some-app-data'); | ||
expect(attributes.app).to.equal('asd23ased'); | ||
expect(attributes.dlg).to.equal('23434szr3q4d'); | ||
done(); | ||
}); | ||
}); | ||
}); | ||
it('should generate a header then fail authentication due to bad hash', function (done) { | ||
@@ -124,0 +148,0 @@ |
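Review bot: The new test only exercises a well-formed `ext` alongside `app` and `dlg`, so it would not catch a regression in the newline and backslash escaping that the normalized string now applies to `ext`. A second case passing `ext: 'line1\nline2\\x'` with the same `app`/`dlg` options, asserting `err` is absent and `attributes.ext` round-trips unchanged, would pin that client and server normalize identically. A negative case with `app` set and the header's `dlg` value altered would confirm the new attributes are covered by the MAC rather than merely parsed.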