Comparing version 6.0.0 to 6.0.1
@@ -11,3 +11,3 @@ 'use strict'; | ||
var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol ? "symbol" : typeof obj; }; | ||
var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; }; | ||
@@ -14,0 +14,0 @@ var hawk = { |
{ | ||
"name": "hawk", | ||
"description": "HTTP Hawk Authentication Scheme", | ||
"version": "6.0.0", | ||
"version": "6.0.1", | ||
"author": "Eran Hammer <eran@hammer.io> (http://hueniverse.com)", | ||
@@ -27,3 +27,3 @@ "repository": "git://github.com/hueniverse/hawk", | ||
"babel-preset-es2015": "^6.1.2", | ||
"code": "3.x.x", | ||
"code": "4.x.x", | ||
"lab": "11.x.x" | ||
@@ -30,0 +30,0 @@ }, |
@@ -74,8 +74,8 @@ ![hawk Logo](https://raw.github.com/hueniverse/hawk/master/images/hawk.png) | ||
Without replay protection, an attacker can use a compromised (but otherwise valid and authenticated) request more | ||
than once, gaining access to a protected resource. To mitigate this, clients include both a nonce and a timestamp when | ||
Without replay protection, an attacker can use a compromised (but otherwise valid and authenticated) request more | ||
than once, gaining access to a protected resource. To mitigate this, clients include both a nonce and a timestamp when | ||
making requests. This gives the server enough information to prevent replay attacks. | ||
The nonce is generated by the client, and is a string unique across all requests with the same timestamp and | ||
key identifier combination. | ||
key identifier combination. | ||
@@ -103,4 +103,4 @@ The timestamp enables the server to restrict the validity period of the credentials where requests occurring afterwards | ||
```javascript | ||
var Http = require('http'); | ||
var Hawk = require('hawk'); | ||
const Http = require('http'); | ||
const Hawk = require('hawk'); | ||
@@ -110,5 +110,5 @@ | ||
var credentialsFunc = function (id, callback) { | ||
const credentialsFunc = function (id, callback) { | ||
var credentials = { | ||
const credentials = { | ||
key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', | ||
@@ -124,16 +124,16 @@ algorithm: 'sha256', | ||
var handler = function (req, res) { | ||
const handler = function (req, res) { | ||
// Authenticate incoming request | ||
Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) { | ||
Hawk.server.authenticate(req, credentialsFunc, {}, (err, credentials, artifacts) => { | ||
// Prepare response | ||
var payload = (!err ? 'Hello ' + credentials.user + ' ' + artifacts.ext : 'Shoosh!'); | ||
var headers = { 'Content-Type': 'text/plain' }; | ||
const payload = (!err ? `Hello ${credentials.user} ${artifacts.ext}` : 'Shoosh!'); | ||
const headers = { 'Content-Type': 'text/plain' }; | ||
// Generate Server-Authorization response header | ||
var header = Hawk.server.header(credentials, artifacts, { payload: payload, contentType: headers['Content-Type'] }); | ||
const header = Hawk.server.header(credentials, artifacts, { payload, contentType: headers['Content-Type'] }); | ||
headers['Server-Authorization'] = header; | ||
@@ -156,4 +156,4 @@ | ||
```javascript | ||
var Request = require('request'); | ||
var Hawk = require('hawk'); | ||
const Request = require('request'); | ||
const Hawk = require('hawk'); | ||
@@ -163,3 +163,3 @@ | ||
var credentials = { | ||
const credentials = { | ||
id: 'dh37fgj492je', | ||
@@ -172,3 +172,3 @@ key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', | ||
var requestOptions = { | ||
const requestOptions = { | ||
uri: 'http://example.com:8000/resource/1?b=1&a=2', | ||
@@ -181,3 +181,3 @@ method: 'GET', | ||
var header = Hawk.client.header('http://example.com:8000/resource/1?b=1&a=2', 'GET', { credentials: credentials, ext: 'some-app-data' }); | ||
const header = Hawk.client.header('http://example.com:8000/resource/1?b=1&a=2', 'GET', { credentials: credentials, ext: 'some-app-data' }); | ||
requestOptions.headers.Authorization = header.field; | ||
@@ -191,7 +191,7 @@ | ||
var isValid = Hawk.client.authenticate(response, credentials, header.artifacts, { payload: body }); | ||
const isValid = Hawk.client.authenticate(response, credentials, header.artifacts, { payload: body }); | ||
// Output results | ||
console.log(response.statusCode + ': ' + body + (isValid ? ' (valid)' : ' (invalid)')); | ||
console.log(`${response.statusCode}: ${body}` + (isValid ? ' (valid)' : ' (invalid)')); | ||
}); | ||
@@ -225,8 +225,8 @@ ``` | ||
The client has previously obtained a set of **Hawk** credentials for accessing resources on the "http://example.com/" | ||
The client has previously obtained a set of **Hawk** credentials for accessing resources on the "`http://example.com/`" | ||
server. The **Hawk** credentials issued to the client include the following attributes: | ||
* Key identifier: dh37fgj492je | ||
* Key: werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn | ||
* Algorithm: sha256 | ||
* Key identifier: `dh37fgj492je` | ||
* Key: `werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn` | ||
* Algorithm: `sha256` | ||
@@ -250,3 +250,3 @@ The client generates the authentication header by calculating a timestamp (e.g. the number of seconds since January 1, | ||
The request MAC is calculated using HMAC with the specified hash algorithm "sha256" and the key over the normalized request string. | ||
The request MAC is calculated using HMAC with the specified hash algorithm "`sha256`" and the key over the normalized request string. | ||
The result is base64-encoded to produce the request MAC: | ||
@@ -324,3 +324,3 @@ | ||
It is up to the server if and when it validates the payload for any given request, based solely on it's security policy | ||
It is up to the server if and when it validates the payload for any given request, based solely on its security policy | ||
and the nature of the data included. | ||
@@ -347,3 +347,3 @@ | ||
The header is contructed using the same process as the client's request header. The server uses the same credentials and other | ||
The header is constructed using the same process as the client's request header. The server uses the same credentials and other | ||
artifacts provided by the client to constructs the normalized request string. The `ext` and `hash` values are replaced with | ||
@@ -385,3 +385,3 @@ new values based on the server response. The rest as identical to those used by the client. | ||
In order to simplify implementation, bewit credentials do not support single-use policy and can be replayed multiple times within | ||
the granted access timeframe. | ||
the granted access timeframe. | ||
@@ -394,4 +394,4 @@ | ||
```javascript | ||
var Http = require('http'); | ||
var Hawk = require('hawk'); | ||
const Http = require('http'); | ||
const Hawk = require('hawk'); | ||
@@ -401,5 +401,5 @@ | ||
var credentialsFunc = function (id, callback) { | ||
const credentialsFunc = function (id, callback) { | ||
var credentials = { | ||
const credentials = { | ||
key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', | ||
@@ -414,5 +414,5 @@ algorithm: 'sha256' | ||
var handler = function (req, res) { | ||
const handler = function (req, res) { | ||
Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) { | ||
Hawk.uri.authenticate(req, credentialsFunc, {}, (err, credentials, attributes) => { | ||
@@ -430,4 +430,4 @@ res.writeHead(!err ? 200 : 401, { 'Content-Type': 'text/plain' }); | ||
```javascript | ||
var Request = require('request'); | ||
var Hawk = require('hawk'); | ||
const Request = require('request'); | ||
const Hawk = require('hawk'); | ||
@@ -437,3 +437,3 @@ | ||
var credentials = { | ||
const credentials = { | ||
id: 'dh37fgj492je', | ||
@@ -446,5 +446,9 @@ key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', | ||
var duration = 60 * 5; // 5 Minutes | ||
var bewit = Hawk.uri.getBewit('http://example.com:8080/resource/1?b=1&a=2', { credentials: credentials, ttlSec: duration, ext: 'some-app-data' }); | ||
var uri = 'http://example.com:8000/resource/1?b=1&a=2' + '&bewit=' + bewit; | ||
const duration = 60 * 5; // 5 Minutes | ||
const bewit = Hawk.uri.getBewit('http://example.com:8000/resource/1?b=1&a=2', { credentials: credentials, ttlSec: duration, ext: 'some-app-data' }); | ||
const uri = 'http://example.com:8000/resource/1?b=1&a=2' + '&bewit=' + bewit; | ||
// Output URI | ||
console.log('URI: ' + uri); | ||
``` | ||
@@ -515,5 +519,5 @@ | ||
The response authentication, when performed, only covers the response payload, content-type, and the request information | ||
provided by the client in it's request (method, resource, timestamp, nonce, etc.). It does not cover the HTTP status code or | ||
any other response header field (e.g. Location) which can affect the client's behaviour. | ||
The response authentication, when performed, only covers the response payload, content-type, and the request information | ||
provided by the client in its request (method, resource, timestamp, nonce, etc.). It does not cover the HTTP status code or | ||
any other response header field (e.g. `Location`) which can affect the client's behaviour. | ||
@@ -551,3 +555,3 @@ ### Future Time Manipulation | ||
Hawk validates the incoming request MAC against the incoming HTTP Host header. However, unless the optional `host` and `port` | ||
options are used with `server.authenticate()`, a malicous client can mint new host names pointing to the server's IP address and | ||
options are used with `server.authenticate()`, a malicious client can mint new host names pointing to the server's IP address and | ||
use that to craft an attack by sending a valid request that's meant for another hostname than the one used by the server. Server | ||
@@ -554,0 +558,0 @@ implementors must manually verify that the host header received matches their expectation (or use the options mentioned above). |