http-hmac-javascript's Introduction

HTTP HMAC Signer for JavaScript

HMAC Request Signer is a JavaScript library that implements version 2.0 of the HTTP HMAC Spec to sign RESTful Web API requests and verify responses.

Please note the 1.0 Spec is not supported.

Development Prerequisites

Before developing further, make sure git, Node.js and npm are installed on your computer.

You can check whether you already have these tools with the following commands:

git --version
node -v
npm -v

Files

  • demo/ - Visit get.html and post.html to see the demo in action.
  • lib/ - Library files.
    • es5/ - Transpiled ES5 version, polyfilled to IE 5.5.
    • es6/ - ES6 version.
  • src/ - Source files. Code changes should be made here.
    • demo/ - Demo files to show how the library can be used.
    • hmac.js - The source file of the library.

Build

  • Run npm install to install all dependencies.
  • Make code changes in src/ directory.
  • In the root directory, run gulp build-demo. Alternatively, run gulp on its own to start a watch that automatically compiles/transpiles file changes.

Tests

  • Run npm install to install all dependencies.
  • In the root directory, run gulp test to see the current test results. Alternatively, open the qunit/hmac.html page in your browser.

Submitting PR

  • PRs welcome!
  • Please run gulp build-demo and include all resulting file updates in the PR.

http-hmac-javascript's People

Contributors

marc22alain, rystakei, sahilupadhyay, ynx


http-hmac-javascript's Issues

Allow use of the PATCH method

The SUPPORTED_METHODS array does not include the PATCH method and gives the following error when trying to sign a request that uses the PATCH method:

The method must be "GET" or "POST" or "PUT" or "DELETE" or "HEAD" or "OPTIONS" or "CUSTOM". "PATCH" is not supported.

PATCH is widely used in the JSON:API specification. Can you provide support for this method?

General comments on the code

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L19

Why is the nonce filled in here? A nonce is always randomly generated, so it's not really configurable. It's to make sure that the same request in the same second can still be uniquely identified.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L22
Default content type? Why is this necessary? This has nothing to do with the signing library. The implementation should set this for each request, not as a global config. And the library should actually take this from the headers, not from the config.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L17
client_id is not the right word here, it's plain id or public_key. Client id is application specific. The application implementing this library can choose to add a client_id query param but that's completely up to the implementation.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L30
Any reason why we would support CUSTOM? Also, all methods should be supported. There is nothing in the specification that limits any HTTP Verb. The only difference is if there is a body to be submitted or not.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L116
Additional headers should only be added to the signature when they exist.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L118
content_type should only be added when there is a body in the request.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L119
x_authorization_content_sha256 should only be added when there is a body in the request.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L123
Signed headers should not be added to the authorization string when they do not exist.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L106
We do not care about the method here. Only the body length. This way someone can't fool the algorithm by sending a GET with a body. It should not happen, but we should also not expect it won't happen.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L107
The secret key needs to be decoded from base64 encoding first before using it.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L146
The secret key needs to be decoded from base64 encoding first before using it.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L111
method has to be uppercase; I don't see you checking this.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L112
hostname needs to be lowercase.

https://github.com/acquia/http-hmac-javascript/blob/LEX-88/src/hmac.js#L115
I don't see it being urlencoded. Most likely that doesn't matter much but it is in the specification.

That's it for now. Keep me updated on the changes! Ping @ynx and @lkhaas
I think that's it for now :)

Encoding check seems invalid
