hawk
Advanced tools
Comparing version 0.15.0 to 1.0.0
@@ -45,3 +45,10 @@ // Load modules | ||
| var hostHeaderRegex = /^(?:(?:\r\n)?[\t ])*([^:]+)(?::(\d+))?(?:(?:\r\n)?[\t ])*$/; // Does not support IPv6 | ||
| var hostHeaderRegex; | ||
| if (hostHeader[0] === '[') { | ||
| hostHeaderRegex = /^(?:(?:\r\n)?\s)*(\[[^\]]+\])(?::(\d+))?(?:(?:\r\n)?\s)*$/; // IPv6 | ||
| } | ||
| else { | ||
| hostHeaderRegex = /^(?:(?:\r\n)?\s)*([^:]+)(?::(\d+))?(?:(?:\r\n)?\s)*$/; // IPv4, hostname | ||
| } | ||
| var hostParts = hostHeader.match(hostHeaderRegex); | ||
@@ -48,0 +55,0 @@ |
| { | ||
| "name": "hawk", | ||
| "description": "HTTP Hawk Authentication Scheme", | ||
| "version": "0.15.0", | ||
| "version": "1.0.0", | ||
| "author": "Eran Hammer <eran@hueniverse.com> (http://hueniverse.com)", | ||
@@ -6,0 +6,0 @@ "contributors": [], |
@@ -6,3 +6,3 @@  | ||
| Current version: **0.15** | ||
| Current version: **1.0** | ||
@@ -34,2 +34,3 @@ [](http://travis-ci.org/hueniverse/hawk) | ||
| - [Bewit Limitations](#bewit-limitations) | ||
| - [Host Header Forgery](#host-header-forgery) | ||
| <p></p> | ||
@@ -234,3 +235,3 @@ - [**Frequently Asked Questions**](#frequently-asked-questions) | ||
| GET | ||
| /resource?a=1&b=2 | ||
| /resource/1?b=1&a=2 | ||
| example.com | ||
@@ -299,3 +300,3 @@ 8000 | ||
| POST | ||
| /resource?a=1&b=2 | ||
| /resource/1?a=1&b=2 | ||
| example.com | ||
@@ -312,3 +313,3 @@ 8000 | ||
| ``` | ||
| POST /resource/1 HTTP/1.1 | ||
| POST /resource/1?a=1&b=2 HTTP/1.1 | ||
| Host: example.com:8000 | ||
@@ -532,3 +533,9 @@ Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", hash="Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=", ext="some-app-ext-data", mac="aSe1DERmZuRl3pI36/9BdZmnErTw3sNzOOAUlfeKjVw=" | ||
| ### Host Header Forgery | ||
| Hawk validates the incoming request MAC against the incoming HTTP Host header. However, unless the optional `host` and `port` | ||
| options are used with `server.authenticate()`, a malicous client can mint new host names pointing to the server's IP address and | ||
| use that to craft an attack by sending a valid request that's meant for another hostname than the one used by the server. Server | ||
| implementors must manually verify that the host header received matches their expectation (or use the options mentioned above). | ||
| # Frequently Asked Questions | ||
@@ -535,0 +542,0 @@ |
@@ -60,2 +60,40 @@ // Load modules | ||
| }); | ||
| it('returns port 443 for non tls node request (IPv6)', function (done) { | ||
| var req = { | ||
| method: 'POST', | ||
| url: '/resource/4?filter=a', | ||
| headers: { | ||
| host: '[123:123:123]', | ||
| 'content-type': 'text/plain;x=y' | ||
| }, | ||
| connection: { | ||
| encrypted: true | ||
| } | ||
| }; | ||
| expect(Hawk.utils.parseHost(req, 'Host').port).to.equal(443); | ||
| done(); | ||
| }); | ||
| it('parses IPv6 headers', function (done) { | ||
| var req = { | ||
| method: 'POST', | ||
| url: '/resource/4?filter=a', | ||
| headers: { | ||
| host: '[123:123:123]:8000', | ||
| 'content-type': 'text/plain;x=y' | ||
| }, | ||
| connection: { | ||
| encrypted: true | ||
| } | ||
| }; | ||
| var host = Hawk.utils.parseHost(req, 'Host'); | ||
| expect(host.port).to.equal('8000'); | ||
| expect(host.name).to.equal('[123:123:123]'); | ||
| done(); | ||
| }); | ||
| }); | ||
@@ -62,0 +100,0 @@ |
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
No v1
QualityPackage is not semver >=1. This means it is not stable and does not support ^ ranges.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by0.72%
282565
- Lines of code
- increased by1.1%
3507
- Number of low quality alerts
- decreased by-50%
1
- Number of lines in readme file
- increased by1.13%
628