
http-signature


Reference implementation of Joyent's HTTP Signature scheme.

Version: 1.4.0 (latest)
Maintainers: 8
Weekly downloads: 19,341,266 (increased by 2.53%)
Package description

What is http-signature?

The http-signature npm package is used to create and verify HTTP request signatures. It is based on the Joyent HTTP Signature Scheme and allows for signing HTTP messages for authentication and message integrity. This package is commonly used in APIs and web services to ensure that HTTP requests are made by authenticated users and have not been tampered with in transit.

What are http-signature's main functionalities?

Signing HTTP Requests

This feature allows you to sign an HTTP request using a private key. The resulting signature is added to the request's headers, which can then be verified by the server to authenticate the request.

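const httpSignature = require('http-signature');
const fs = require('fs');
const http = require('http');

const privateKey = fs.readFileSync('private.pem', 'ascii');

// sign() needs a real http.ClientRequest (it calls getHeader/setHeader),
// so create the request first instead of passing a plain options object.
const req = http.request({
  method: 'GET',
  path: '/foo',
  headers: {}
});
req.on('error', (err) => console.error(err.message));

// Adds a 'Date' header if none is set, then the 'Authorization' header.
httpSignature.sign(req, {
  key: privateKey,
  keyId: 'myKeyId'
});

console.log(req.getHeader('Authorization'));
req.end();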

Verifying HTTP Requests

This feature allows you to verify the signature of an incoming HTTP request using a public key. If the signature is valid, it means the request was signed by the holder of the corresponding private key and has not been altered.

const httpSignature = require('http-signature');
const fs = require('fs');

const publicKey = fs.readFileSync('public.pem', 'ascii');

const request = {
  method: 'GET',
  url: '/foo',
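  headers: {
    // must include the signed headers (by default 'date') and the
    // 'authorization' header carrying the signature
  }
};

// verifySignature() takes the parsed signature, not the raw request.
// parseRequest() throws if the Authorization header is missing or malformed.
const parsed = httpSignature.parseRequest(request);
const isValid = httpSignature.verifySignature(parsed, publicKey);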

console.log(isValid);

Changelog

1.4.0

  • Update sshpk for ed25519 support

Readme

node-http-signature

node-http-signature is a node.js library that has client and server components for Joyent's HTTP Signature Scheme.

Usage

Note the example below signs a request with the same key/cert used to start an HTTP server. This is almost certainly not what you actually want, but is just used to illustrate the API calls; you will need to provide your own key management in addition to this library.

Client

var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');

var key = fs.readFileSync('./key.pem', 'ascii');

var options = {
  host: 'localhost',
  port: 8443,
  path: '/',
  method: 'GET',
  headers: {}
};

var req = https.request(options, function(res) {
  console.log(res.statusCode);
});

// Adds a 'Date' header in, signs it, and adds the
// 'Authorization' header in.
httpSignature.sign(req, {
  key: key,
  keyId: './cert.pem',
  keyPassphrase: 'secret' // (optional)
});

req.end();

Server

var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');

var options = {
  key: fs.readFileSync('./key.pem'),
  cert: fs.readFileSync('./cert.pem')
};

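https.createServer(options, function (req, res) {
  var rc = 200;
  try {
    // parseRequest throws if the Authorization header is missing or malformed.
    var parsed = httpSignature.parseRequest(req);
    // keyId is supplied by the client; it is read as a file path here only
    // because this demo reuses the server's own cert (see the note above).
    var pub = fs.readFileSync(parsed.keyId, 'ascii');
    if (!httpSignature.verifySignature(parsed, pub))
      rc = 401;
  } catch (e) {
    rc = 401;
  }

  res.writeHead(rc);
  res.end();
}).listen(8443);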
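
The Server example above reads the public key from whatever path the request's keyId names, and the usage note says key management is left to you. The following is an added example, not code from the README or from http-signature itself: it uses only Node's built-in crypto to show the signing string and a verifier that resolves keyId through a fixed map, requires the request target and Date to be signed, and bounds clock skew. The names signRequest, verifyRequest, trustedKeys and maxSkewMs are assumptions, and the `(request-target)` pseudo-header follows the draft-cavage HTTP Signatures format.

```javascript
// Added example: built-in crypto only; not http-signature's own code.
const { generateKeyPairSync, createSign, createVerify } = require('crypto');

// Build the string that is signed: one "name: value" line per listed header.
function signingString(req, names) {
  return names.map(function (n) {
    if (n === '(request-target)')
      return n + ': ' + req.method.toLowerCase() + ' ' + req.url;
    if (req.headers[n] === undefined) throw new Error('missing header ' + n);
    return n + ': ' + req.headers[n];
  }).join('\n');
}

// Client side: sign the request target and Date, set the Authorization header.
function signRequest(req, keyId, privateKey) {
  const names = ['(request-target)', 'date'];
  const sig = createSign('RSA-SHA256').update(signingString(req, names))
    .sign(privateKey, 'base64');
  req.headers.authorization = 'Signature keyId="' + keyId +
    '",algorithm="rsa-sha256",headers="' + names.join(' ') +
    '",signature="' + sig + '"';
}

// Server side: true only for a fresh, valid signature from a key in the map.
function verifyRequest(req, trustedKeys, maxSkewMs) {
  const m = /^Signature (.+)$/.exec(req.headers.authorization || '');
  if (!m) return false;
  const p = Object.create(null);
  for (const [, k, v] of m[1].matchAll(/(\w+)="([^"]*)"/g)) p[k] = v;
  const pub = trustedKeys.get(p.keyId); // a name lookup, never a file path
  if (!pub || p.algorithm !== 'rsa-sha256' || !p.signature) return false;
  const names = (p.headers || '').split(' ');
  if (!names.includes('(request-target)') || !names.includes('date')) return false;
  const skew = Math.abs(Date.now() - Date.parse(req.headers.date));
  if (!(skew <= maxSkewMs)) return false; // also rejects an unparsable Date
  try {
    return createVerify('RSA-SHA256').update(signingString(req, names))
      .verify(pub, p.signature, 'base64');
  } catch (e) { return false; }
}

// Constructed sample data: throwaway key pair and request.
const pair = generateKeyPairSync('rsa', { modulusLength: 2048 });
const trusted = new Map([['client-1', pair.publicKey]]);
function sample() {
  const r = { method: 'GET', url: '/foo', headers: { date: new Date().toUTCString() } };
  signRequest(r, 'client-1', pair.privateKey);
  return r;
}
```

Because the request target is part of the signed string, a request whose path is changed after signing fails verification, which a signature over the Date header alone would not detect.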

Installation

npm install http-signature

License

MIT.

Bugs

See https://github.com/joyent/node-http-signature/issues.

Last updated on 15 Nov 2023
