http-signature
Comparing version 1.2.0 to 1.3.0
@@ -29,3 +29,2 @@ // Copyright 2012 Joyent, Inc. All rights reserved. | ||
///--- Specific Errors | ||
@@ -122,7 +121,11 @@ | ||
var authzHeaderName = options.authorizationHeaderName || 'authorization'; | ||
var headers = request.headers; | ||
var authzHeaderName = options.authorizationHeaderName; | ||
var authz = headers[authzHeaderName] || headers[utils.HEADER.AUTH] || headers[utils.HEADER.SIG]; | ||
if (!request.headers[authzHeaderName]) { | ||
throw new MissingHeaderError('no ' + authzHeaderName + ' header ' + | ||
'present in the request'); | ||
if (!authz) { | ||
var errHeader = authzHeaderName ? authzHeaderName : utils.HEADER.AUTH + ' or ' + utils.HEADER.SIG; | ||
throw new MissingHeaderError('no ' + errHeader + ' header ' + | ||
'present in the request'); | ||
} | ||
@@ -134,3 +137,3 @@ | ||
var i = 0; | ||
var state = State.New; | ||
var state = authz === headers[utils.HEADER.SIG] ? State.Params : State.New; | ||
var substate = ParamsState.Name; | ||
@@ -141,3 +144,3 @@ var tmpName = ''; | ||
var parsed = { | ||
scheme: '', | ||
scheme: authz === headers[utils.HEADER.SIG] ? 'Signature' : '', | ||
params: {}, | ||
@@ -147,3 +150,2 @@ signingString: '' | ||
var authz = request.headers[authzHeaderName]; | ||
for (i = 0; i < authz.length; i++) { | ||
@@ -154,49 +156,54 @@ var c = authz.charAt(i); | ||
case State.New: | ||
if (c !== ' ') parsed.scheme += c; | ||
else state = State.Params; | ||
break; | ||
case State.New: | ||
if (c !== ' ') parsed.scheme += c; | ||
else state = State.Params; | ||
break; | ||
case State.Params: | ||
switch (Number(substate)) { | ||
case State.Params: | ||
switch (Number(substate)) { | ||
case ParamsState.Name: | ||
var code = c.charCodeAt(0); | ||
// restricted name of A-Z / a-z | ||
if ((code >= 0x41 && code <= 0x5a) || // A-Z | ||
(code >= 0x61 && code <= 0x7a)) { // a-z | ||
tmpName += c; | ||
} else if (c === '=') { | ||
if (tmpName.length === 0) | ||
throw new InvalidHeaderError('bad param format'); | ||
substate = ParamsState.Quote; | ||
} else { | ||
throw new InvalidHeaderError('bad param format'); | ||
} | ||
break; | ||
case ParamsState.Name: | ||
var code = c.charCodeAt(0); | ||
// restricted name of A-Z / a-z | ||
if ((code >= 0x41 && code <= 0x5a) || // A-Z | ||
(code >= 0x61 && code <= 0x7a)) { // a-z | ||
tmpName += c; | ||
} else if (c === '=') { | ||
if (tmpName.length === 0) | ||
throw new InvalidHeaderError('bad param format'); | ||
substate = ParamsState.Quote; | ||
} else { | ||
throw new InvalidHeaderError('bad param format'); | ||
} | ||
break; | ||
case ParamsState.Quote: | ||
if (c === '"') { | ||
tmpValue = ''; | ||
substate = ParamsState.Value; | ||
} else { | ||
throw new InvalidHeaderError('bad param format'); | ||
} | ||
break; | ||
case ParamsState.Quote: | ||
if (c === '"') { | ||
tmpValue = ''; | ||
substate = ParamsState.Value; | ||
} else { | ||
throw new InvalidHeaderError('bad param format'); | ||
} | ||
break; | ||
case ParamsState.Value: | ||
if (c === '"') { | ||
parsed.params[tmpName] = tmpValue; | ||
substate = ParamsState.Comma; | ||
} else { | ||
tmpValue += c; | ||
} | ||
break; | ||
case ParamsState.Value: | ||
if (c === '"') { | ||
parsed.params[tmpName] = tmpValue; | ||
substate = ParamsState.Comma; | ||
} else { | ||
tmpValue += c; | ||
} | ||
break; | ||
case ParamsState.Comma: | ||
if (c === ',') { | ||
tmpName = ''; | ||
substate = ParamsState.Name; | ||
} else { | ||
throw new InvalidHeaderError('bad param format'); | ||
case ParamsState.Comma: | ||
if (c === ',') { | ||
tmpName = ''; | ||
substate = ParamsState.Name; | ||
} else { | ||
throw new InvalidHeaderError('bad param format'); | ||
} | ||
break; | ||
default: | ||
throw new Error('Invalid substate'); | ||
} | ||
@@ -207,7 +214,2 @@ break; | ||
throw new Error('Invalid substate'); | ||
} | ||
break; | ||
default: | ||
throw new Error('Invalid substate'); | ||
} | ||
@@ -288,7 +290,7 @@ | ||
if (request.headers.date || request.headers['x-date']) { | ||
if (request.headers['x-date']) { | ||
date = new Date(request.headers['x-date']); | ||
} else { | ||
date = new Date(request.headers.date); | ||
} | ||
if (request.headers['x-date']) { | ||
date = new Date(request.headers['x-date']); | ||
} else { | ||
date = new Date(request.headers.date); | ||
} | ||
var now = new Date(); | ||
@@ -299,5 +301,5 @@ var skew = Math.abs(now.getTime() - date.getTime()); | ||
throw new ExpiredRequestError('clock skew of ' + | ||
(skew / 1000) + | ||
's was greater than ' + | ||
options.clockSkew + 's'); | ||
(skew / 1000) + | ||
's was greater than ' + | ||
options.clockSkew + 's'); | ||
} | ||
@@ -316,3 +318,3 @@ } | ||
throw new InvalidParamsError(parsed.params.algorithm + | ||
' is not a supported algorithm'); | ||
' is not a supported algorithm'); | ||
} | ||
@@ -319,0 +321,0 @@ |
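Review bot: The new lookup `var authz = headers[authzHeaderName] || headers[utils.HEADER.AUTH] || headers[utils.HEADER.SIG];` falls back to `authorization` and then `signature` even when the caller set `options.authorizationHeaderName`, so a service that pinned a custom header now also accepts signature parameters from two headers it never opted into; the earlier lines in this section appear to throw MissingHeaderError in that case. The parse mode is then chosen by value (`authz === headers[utils.HEADER.SIG]`) rather than by which header was selected, which misclassifies the input when two headers carry the same string, and an unrelated `Authorization` value always takes precedence over a valid `Signature` header. I would resolve the name once and derive the rest from it: `var authzName = authzHeaderName || (headers[utils.HEADER.AUTH] ? utils.HEADER.AUTH : utils.HEADER.SIG);`, `var authz = headers[authzName];`, `var isSigHeader = authzName === utils.HEADER.SIG;`, then use `isSigHeader` for both the initial `state` and `scheme`. The enclosing function starts and ends outside these hunks, so how `options` is defaulted is not visible here.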
@@ -5,3 +5,2 @@ // Copyright 2012 Joyent, Inc. All rights reserved. | ||
var crypto = require('crypto'); | ||
var http = require('http'); | ||
var util = require('util'); | ||
@@ -25,2 +24,4 @@ var sshpk = require('sshpk'); | ||
var SIGNATURE_FMT = 'keyId="%s",algorithm="%s",headers="%s",signature="%s"'; | ||
///--- Specific Errors | ||
@@ -394,7 +395,8 @@ | ||
request.setHeader(authzHeaderName, sprintf(AUTHZ_FMT, | ||
options.keyId, | ||
options.algorithm, | ||
options.headers.join(' '), | ||
signature)); | ||
var FMT = authzHeaderName.toLowerCase() === utils.HEADER.SIG ? SIGNATURE_FMT : AUTHZ_FMT; | ||
request.setHeader(authzHeaderName, sprintf(FMT, | ||
options.keyId, | ||
options.algorithm, | ||
options.headers.join(' '), | ||
signature)); | ||
@@ -401,0 +403,0 @@ return true; |
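Review bot: The new `SIGNATURE_FMT` interpolates `options.keyId` and the joined header list into double-quoted values with no escaping or validation, so a value containing `"` closes the quoted field early and changes how the parameters after it are read by a parser that ends a value at the first quote. Whether `keyId` is validated earlier in this function is not visible in the hunk; if it is not, reject it before formatting, e.g. `if (options.keyId.indexOf('"') !== -1) throw new TypeError('keyId must not contain a double quote');`. The same applies to the pre-existing `AUTHZ_FMT` path selected on the other branch of `FMT`.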
@@ -19,2 +19,7 @@ // Copyright 2012 Joyent, Inc. All rights reserved. | ||
var HEADER = { | ||
AUTH: 'authorization', | ||
SIG: 'signature' | ||
}; | ||
function HttpSignatureError(message, caller) { | ||
@@ -58,2 +63,3 @@ if (Error.captureStackTrace) | ||
module.exports = { | ||
HEADER, | ||
@@ -60,0 +66,0 @@ HASH_ALGOS: HASH_ALGOS, |
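Review bot: `HEADER,` in `module.exports` uses ES2015 shorthand while the neighbouring entry is written `HASH_ALGOS: HASH_ALGOS,`; for consistency, and in case the package still targets runtimes without shorthand support (the engines field is not visible here), write `HEADER: HEADER,`. A one-line comment above `var HEADER`, such as `// Lower-cased names of the request headers that may carry signature parameters`, would also help, since the parser and signer both compare against these values.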
{ | ||
"name": "http-signature", | ||
"description": "Reference implementation of Joyent's HTTP Signature scheme.", | ||
"version": "1.2.0", | ||
"version": "1.3.0", | ||
"license": "MIT", | ||
@@ -33,3 +33,3 @@ "author": "Joyent, Inc", | ||
"jsprim": "^1.2.2", | ||
"sshpk": "^1.7.0" | ||
"sshpk": "^1.14.1" | ||
}, | ||
@@ -36,0 +36,0 @@ "devDependencies": { |
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but they do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Network access
Supply chain risk: This module accesses the network.
Found 1 instance in 1 package
Updated sshpk@^1.14.1