requests-http-message-signatures

A request authentication plugin implementing IETF HTTP Message Signatures

  • 0.3.1
  • PyPI

Maintainers
1

requests-http-message-signatures: A Requests auth module for HTTP Signature

requests-http-message-signatures is a Requests authentication plugin (requests.auth.AuthBase subclass) implementing the IETF HTTP Signatures draft RFC. It has no required dependencies outside the standard library. If you wish to use algorithms other than HMAC (namely, RSA and ECDSA algorithms specified in the RFC), there is an optional dependency on cryptography.

Installation

$ pip install requests-http-message-signatures

Usage

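  import requests
  from requests_http_signature import HTTPSignatureAuth
  
  # Pre-shared HMAC key and the identifier the server uses to look it up
  preshared_key_id = 'squirrel'
  preshared_secret = 'monorail_cat'
  url = 'http://example.com/path'
  
  # The auth plugin signs the outgoing request before it is sent
  requests.get(url, auth=HTTPSignatureAuth(key=preshared_secret, key_id=preshared_key_id))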

By default, only the Date header is signed (as per the RFC) for body-less requests such as GET. The Date header is set if it is absent. In addition, for requests with bodies (such as POST), the Digest header is set to the SHA256 of the request body and signed (an example of this appears in the RFC). To add other headers to the signature, pass an array of header names in the headers keyword argument.

In addition to signing messages in the client, the class method HTTPSignatureAuth.verify() can be used to verify incoming requests:

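  # Called with the key ID and algorithm taken from the incoming signature;
  # returns the key to verify with (here, the same pre-shared secret)
  def key_resolver(key_id, algorithm):
      return 'monorail_cat'

  # `request` is the incoming request being checked
  HTTPSignatureAuth.verify(request, key_resolver=key_resolver)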
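What the default signing and the verification step described above amount to on the wire, as an added standard-library example (not the plugin's own code). It assumes the signing-string and `Authorization: Signature ...` layout of the IETF HTTP Signatures draft, handles HMAC-SHA256 only, and its function names are hypothetical.

```python
import base64
import hashlib
import hmac

def body_digest(body: bytes) -> str:
    """Digest header value: base64-encoded SHA-256 of the request body."""
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(headers: dict, names: list) -> bytes:
    """'name: value' lines, lowercase names, in the order the signature lists them."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return "\n".join(f"{n}: {lowered[n]}" for n in names).encode()

def sign(headers: dict, body: bytes, key: bytes, key_id: str) -> dict:
    """Sign Date, plus Digest when there is a body (the defaults described above)."""
    out, names = dict(headers), ["date"]
    if body:
        out["Digest"] = body_digest(body)
        names.append("digest")
    mac = hmac.new(key, signing_string(out, names), hashlib.sha256).digest()
    sig, covered = base64.b64encode(mac).decode(), " ".join(names)
    out["Authorization"] = (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
                            f'headers="{covered}",signature="{sig}"')
    return out

def verify(headers: dict, body: bytes, key_resolver) -> bool:
    """Recompute the MAC over the listed headers; reject a body that does not match Digest."""
    lowered = {k.lower(): v for k, v in headers.items()}
    scheme, _, params = lowered.get("authorization", "").partition(" ")
    pairs = (p.split("=", 1) for p in params.split(",") if "=" in p)
    fields = {k: v.strip('"') for k, v in pairs}
    names = fields.get("headers", "date").split()
    if scheme != "Signature" or not {"keyId", "signature"} <= fields.keys():
        return False
    if fields.get("algorithm") != "hmac-sha256" or any(n not in lowered for n in names):
        return False
    if body and ("digest" not in names or lowered["digest"] != body_digest(body)):
        return False
    key = key_resolver(fields["keyId"], fields["algorithm"])
    expected = hmac.new(key, signing_string(headers, names), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many MAC bytes matched
    return hmac.compare_digest(expected, base64.b64decode(fields["signature"]))

# Constructed sample request; key id and secret are the ones from the usage snippet.
KEY_ID, SECRET = "squirrel", b"monorail_cat"
SAMPLE_HEADERS = {"Date": "Tue, 07 Jun 2022 20:51:35 GMT"}
SAMPLE_BODY = b'{"hello": "world"}'
```

This sketch does not check how old the signed Date value is; a verifier that wants to limit replay would also reject requests whose Date falls outside an accepted window.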

Asymmetric key algorithms (RSA and ECDSA)

For asymmetric key algorithms, you should supply the private key as the key parameter to the HTTPSignatureAuth() constructor as bytes in the PEM format:

  with open('key.pem', 'rb') as fh:
      requests.get(url, auth=HTTPSignatureAuth(algorithm="rsa-sha256", key=fh.read(), key_id=preshared_key_id))

When verifying, the key_resolver() callback should provide the public key as bytes in the PEM format as well.

Bugs

Please report bugs, issues, feature requests, etc. on our issue tracker.

License

Licensed under the terms of the Apache License, Version 2.0.
