hawk - npm Package Compare versions

Comparing version 6.0.0 to 6.0.1

2

dist/browser.js

@@ -11,3 +11,3 @@ 'use strict';

var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol ? "symbol" : typeof obj; };
var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; };

@@ -14,0 +14,0 @@ var hawk = {

{
"name": "hawk",
"description": "HTTP Hawk Authentication Scheme",
"version": "6.0.0",
"version": "6.0.1",
"author": "Eran Hammer <eran@hammer.io> (http://hueniverse.com)",

@@ -27,3 +27,3 @@ "repository": "git://github.com/hueniverse/hawk",

"babel-preset-es2015": "^6.1.2",
"code": "3.x.x",
"code": "4.x.x",
"lab": "11.x.x"

@@ -30,0 +30,0 @@ },

@@ -74,8 +74,8 @@ ![hawk Logo](https://raw.github.com/hueniverse/hawk/master/images/hawk.png)

Without replay protection, an attacker can use a compromised (but otherwise valid and authenticated) request more
than once, gaining access to a protected resource. To mitigate this, clients include both a nonce and a timestamp when
Without replay protection, an attacker can use a compromised (but otherwise valid and authenticated) request more
than once, gaining access to a protected resource. To mitigate this, clients include both a nonce and a timestamp when
making requests. This gives the server enough information to prevent replay attacks.
The nonce is generated by the client, and is a string unique across all requests with the same timestamp and
key identifier combination.
key identifier combination.

@@ -103,4 +103,4 @@ The timestamp enables the server to restrict the validity period of the credentials where requests occurring afterwards

```javascript
var Http = require('http');
var Hawk = require('hawk');
const Http = require('http');
const Hawk = require('hawk');

@@ -110,5 +110,5 @@

var credentialsFunc = function (id, callback) {
const credentialsFunc = function (id, callback) {
var credentials = {
const credentials = {
key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',

@@ -124,16 +124,16 @@ algorithm: 'sha256',

var handler = function (req, res) {
const handler = function (req, res) {
// Authenticate incoming request
Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) {
Hawk.server.authenticate(req, credentialsFunc, {}, (err, credentials, artifacts) => {
// Prepare response
var payload = (!err ? 'Hello ' + credentials.user + ' ' + artifacts.ext : 'Shoosh!');
var headers = { 'Content-Type': 'text/plain' };
const payload = (!err ? `Hello ${credentials.user} ${artifacts.ext}` : 'Shoosh!');
const headers = { 'Content-Type': 'text/plain' };
// Generate Server-Authorization response header
var header = Hawk.server.header(credentials, artifacts, { payload: payload, contentType: headers['Content-Type'] });
const header = Hawk.server.header(credentials, artifacts, { payload, contentType: headers['Content-Type'] });
headers['Server-Authorization'] = header;

@@ -156,4 +156,4 @@

```javascript
var Request = require('request');
var Hawk = require('hawk');
const Request = require('request');
const Hawk = require('hawk');

@@ -163,3 +163,3 @@

var credentials = {
const credentials = {
id: 'dh37fgj492je',

@@ -172,3 +172,3 @@ key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',

var requestOptions = {
const requestOptions = {
uri: 'http://example.com:8000/resource/1?b=1&a=2',

@@ -181,3 +181,3 @@ method: 'GET',

var header = Hawk.client.header('http://example.com:8000/resource/1?b=1&a=2', 'GET', { credentials: credentials, ext: 'some-app-data' });
const header = Hawk.client.header('http://example.com:8000/resource/1?b=1&a=2', 'GET', { credentials: credentials, ext: 'some-app-data' });
requestOptions.headers.Authorization = header.field;

@@ -191,7 +191,7 @@

var isValid = Hawk.client.authenticate(response, credentials, header.artifacts, { payload: body });
const isValid = Hawk.client.authenticate(response, credentials, header.artifacts, { payload: body });
// Output results
console.log(response.statusCode + ': ' + body + (isValid ? ' (valid)' : ' (invalid)'));
console.log(`${response.statusCode}: ${body}` + (isValid ? ' (valid)' : ' (invalid)'));
});

@@ -225,8 +225,8 @@ ```

The client has previously obtained a set of **Hawk** credentials for accessing resources on the "http://example.com/"
The client has previously obtained a set of **Hawk** credentials for accessing resources on the "`http://example.com/`"
server. The **Hawk** credentials issued to the client include the following attributes:
* Key identifier: dh37fgj492je
* Key: werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn
* Algorithm: sha256
* Key identifier: `dh37fgj492je`
* Key: `werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn`
* Algorithm: `sha256`

@@ -250,3 +250,3 @@ The client generates the authentication header by calculating a timestamp (e.g. the number of seconds since January 1,

The request MAC is calculated using HMAC with the specified hash algorithm "sha256" and the key over the normalized request string.
The request MAC is calculated using HMAC with the specified hash algorithm "`sha256`" and the key over the normalized request string.
The result is base64-encoded to produce the request MAC:

@@ -324,3 +324,3 @@

It is up to the server if and when it validates the payload for any given request, based solely on it's security policy
It is up to the server if and when it validates the payload for any given request, based solely on its security policy
and the nature of the data included.

@@ -347,3 +347,3 @@

The header is contructed using the same process as the client's request header. The server uses the same credentials and other
The header is constructed using the same process as the client's request header. The server uses the same credentials and other
artifacts provided by the client to constructs the normalized request string. The `ext` and `hash` values are replaced with

@@ -385,3 +385,3 @@ new values based on the server response. The rest as identical to those used by the client.

In order to simplify implementation, bewit credentials do not support single-use policy and can be replayed multiple times within
the granted access timeframe.
the granted access timeframe.

@@ -394,4 +394,4 @@

```javascript
var Http = require('http');
var Hawk = require('hawk');
const Http = require('http');
const Hawk = require('hawk');

@@ -401,5 +401,5 @@

var credentialsFunc = function (id, callback) {
const credentialsFunc = function (id, callback) {
var credentials = {
const credentials = {
key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',

@@ -414,5 +414,5 @@ algorithm: 'sha256'

var handler = function (req, res) {
const handler = function (req, res) {
Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
Hawk.uri.authenticate(req, credentialsFunc, {}, (err, credentials, attributes) => {

@@ -430,4 +430,4 @@ res.writeHead(!err ? 200 : 401, { 'Content-Type': 'text/plain' });

```javascript
var Request = require('request');
var Hawk = require('hawk');
const Request = require('request');
const Hawk = require('hawk');

@@ -437,3 +437,3 @@

var credentials = {
const credentials = {
id: 'dh37fgj492je',

@@ -446,5 +446,9 @@ key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',

var duration = 60 * 5; // 5 Minutes
var bewit = Hawk.uri.getBewit('http://example.com:8080/resource/1?b=1&a=2', { credentials: credentials, ttlSec: duration, ext: 'some-app-data' });
var uri = 'http://example.com:8000/resource/1?b=1&a=2' + '&bewit=' + bewit;
const duration = 60 * 5; // 5 Minutes
const bewit = Hawk.uri.getBewit('http://example.com:8000/resource/1?b=1&a=2', { credentials: credentials, ttlSec: duration, ext: 'some-app-data' });
const uri = 'http://example.com:8000/resource/1?b=1&a=2' + '&bewit=' + bewit;
// Output URI
console.log('URI: ' + uri);
```

@@ -515,5 +519,5 @@

The response authentication, when performed, only covers the response payload, content-type, and the request information
provided by the client in it's request (method, resource, timestamp, nonce, etc.). It does not cover the HTTP status code or
any other response header field (e.g. Location) which can affect the client's behaviour.
The response authentication, when performed, only covers the response payload, content-type, and the request information
provided by the client in its request (method, resource, timestamp, nonce, etc.). It does not cover the HTTP status code or
any other response header field (e.g. `Location`) which can affect the client's behaviour.

@@ -551,3 +555,3 @@ ### Future Time Manipulation

Hawk validates the incoming request MAC against the incoming HTTP Host header. However, unless the optional `host` and `port`
options are used with `server.authenticate()`, a malicous client can mint new host names pointing to the server's IP address and
options are used with `server.authenticate()`, a malicious client can mint new host names pointing to the server's IP address and
use that to craft an attack by sending a valid request that's meant for another hostname than the one used by the server. Server

@@ -554,0 +558,0 @@ implementors must manually verify that the host header received matches their expectation (or use the options mentioned above).
