Company News
Connect with Socket at RSA and BSidesSF 2024
Come meet the Socket team at BSidesSF and RSA! We're sponsoring several fun networking events and we would love to see you there.
By Sarah Gooding - Apr 15, 2024
http-signature
Advanced tools
- Version published
- Maintainers
- 12
- Weekly downloads
- 18,690,670
- decreased by-1.73%
- Install size
- 837 kB
Weekly downloads
Package description
What is http-signature?
The http-signature npm package is used to create and verify HTTP request signatures. It is based on the Joyent HTTP Signature Scheme and allows for signing HTTP messages for authentication and message integrity. This package is commonly used in APIs and web services to ensure that HTTP requests are made by authenticated users and have not been tampered with in transit.
What are http-signature's main functionalities?
Signing HTTP Requests
This feature allows you to sign an HTTP request using a private key. The resulting signature is added to the request's headers, which can then be verified by the server to authenticate the request.
const httpSignature = require('http-signature');
const fs = require('fs');
const privateKey = fs.readFileSync('private.pem', 'ascii');
const requestOptions = {
method: 'GET',
path: '/foo',
headers: {}
};
httpSignature.sign(requestOptions, {
key: privateKey,
keyId: 'myKeyId'
});
console.log(requestOptions.headers);Verifying HTTP Requests
This feature allows you to verify the signature of an incoming HTTP request using a public key. If the signature is valid, it means the request was signed by the holder of the corresponding private key and has not been altered.
const httpSignature = require('http-signature');
const fs = require('fs');
const publicKey = fs.readFileSync('public.pem', 'ascii');
const request = {
method: 'GET',
url: '/foo',
headers: {
// headers should include the 'authorization' header with the signature
}
};
const isValid = httpSignature.verifySignature(request, publicKey);
console.log(isValid);Other packages similar to http-signature
jsonwebtoken
jsonwebtoken (or JWT) is a package that allows you to encode and decode JSON Web Tokens, which are a compact, URL-safe means of representing claims to be transferred between two parties. JWTs can also be signed like http-signature but are typically used for authorization tokens and information exchange, rather than signing HTTP requests.
oauth-1.0a
oauth-1.0a is a package that implements OAuth 1.0a, which is a protocol for authorization. It allows users to approve application to act on their behalf without sharing their password. It includes signing HTTP requests but is part of a broader authorization framework, unlike http-signature which focuses solely on signing and verifying HTTP messages.
passport-http
passport-http is a strategy for Passport, an authentication middleware for Node.js. It implements HTTP Basic and Digest authentication for Node.js applications but does not provide the same message signing capabilities as http-signature. Instead, it focuses on validating user credentials provided through HTTP headers.
Readme
node-http-signature
node-http-signature is a node.js library that has client and server components for Joyent's HTTP Signature Scheme.
Usage
Note the example below signs a request with the same key/cert used to start an HTTP server. This is almost certainly not what you actually want, but is just used to illustrate the API calls; you will need to provide your own key management in addition to this library.
Client
var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');
var key = fs.readFileSync('./key.pem', 'ascii');
var options = {
host: 'localhost',
port: 8443,
path: '/',
method: 'GET',
headers: {}
};
// Adds a 'Date' header in, signs it, and adds the
// 'Authorization' header in.
var req = https.request(options, function(res) {
console.log(res.statusCode);
});
httpSignature.sign(req, {
key: key,
keyId: './cert.pem',
keyPassphrase: 'secret' // (optional)
});
req.end();
Server
var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');
var options = {
key: fs.readFileSync('./key.pem'),
cert: fs.readFileSync('./cert.pem')
};
https.createServer(options, function (req, res) {
var rc = 200;
var parsed = httpSignature.parseRequest(req);
var pub = fs.readFileSync(parsed.keyId, 'ascii');
if (!httpSignature.verifySignature(parsed, pub))
rc = 401;
res.writeHead(rc);
res.end();
}).listen(8443);
Installation
npm install http-signature
License
MIT.
Bugs
FAQs
Reference implementation of Joyent's HTTP Signature scheme.
The npm package http-signature receives a total of 15,220,687 weekly downloads. As such, http-signature popularity was classified as popular.
We found that http-signature demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 8 open source maintainers collaborating on the project.
Last updated on 17 Nov 2021
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
OSI to Lead Discussions on Navigating the Challenges of Doing Business with Open Source
OSI is starting a conversation aimed at removing the excuse of the SaaS loophole for companies navigating licensing and the complexities of doing business with open source.
By Sarah Gooding - Apr 12, 2024
Product
Introducing Dependency Visualization: An Interactive Way to See Dependencies at a Glance
We're introducing dependency visualization for reports - get a quick impression of the state of your dependencies without getting lost in the details.
By Eli Insua - Apr 11, 2024