
apiauth's Introduction

apiauth

ApiAuth-compatible package for signing and verifying HTTP requests in golang.

IMPORTANT!: Security Update

In order to prevent a security vulnerability present in the reference version of ApiAuth, we have added functions to sign and verify requests with a canonical string that includes the HTTP method. We have added the functions SignWithMethod and CanonicalStringWithMethod, and the Verify function has been modified to accept requests where the request signature matches CanonicalString OR CanonicalStringWithMethod. In the future the old versions will be removed and canonical strings will only be considered a match if they include the request method. We recommend you start using the new way of signing requests immediately.

Usage

Signing a request:

import (
	"net/http"

	"github.com/pd/apiauth"
)

req, _ := http.NewRequest("GET", "http://example.com", nil)

// The `Date` header _must_ be present.
// If the request body is set, `Content-Type` and `Content-MD5` must
// also be present.
req.Header.Set("Date", apiauth.Date())

// Sign sets the Authorization header. Per the Security Update above, prefer
// SignWithMethod, which binds the HTTP method into the signed canonical string.
err := apiauth.Sign(req, "access_id", "secret_key")

Verifying a request:

err := apiauth.Verify(req, "secret_key")
if err != nil {
  // Failed.
}

Functions are exposed for the lower-level operations, as well, in case you need more granular control:

// Given a request, returns the `<Content-Type>,<MD5>,<URI>,<Date>` string used for the HMAC.
// CanonicalStringWithMethod (see the Security Update) additionally includes the HTTP method.
str := apiauth.CanonicalString(req)

// Given a canonical string and secret key, computes the signature using HMAC-SHA1:
signature := apiauth.Compute(str, "secret_key")

// A helper for generating an RFC1123-formatted date using the current time:
apiauth.Date()

// Or a given time (requires `import "time"`):
t := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)
apiauth.DateForTime(t)

Caveats

This implementation is intentionally somewhat less "friendly" than mgomes' Ruby implementation:

  • Only the Authorization header is set for you by apiauth.Sign; setting the Date, Content-Type and Content-MD5 headers is the caller's responsibility.
  • The apiauth.Verify function does not enforce a maximum time duration between the Date header in a request and the matching Date value computed by the server. Protection against replay attacks is the caller's responsibility. (NB: but maybe shouldn't be; I'm just being lazy right now, as it's already handled in the application I'm writing this for)
  • The apiauth.Verify function does not validate the Content-MD5 header: doing so would require reading the entire request body into memory at least once, which is undesirable in many use cases. Verification of the payload MD5 is the caller's responsibility.
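The signing scheme from Usage together with the replay and Content-MD5 caveats above, as an added example that is not part of pd/apiauth: it rebuilds the canonical string with the HTTP method prefixed (an assumed layout for CanonicalStringWithMethod), signs it with HMAC-SHA1 (base64 output is an assumption), and wraps verification so that a Date window, a bounded single body read and the Content-MD5 comparison are enforced on the server side, where the request body is never nil. Function names and the accepted-skew and size limits are this example's own.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/md5"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"net/http"
	"time"
)

// canonical: the README's "<Content-Type>,<MD5>,<URI>,<Date>" string prefixed with the method (assumed layout).
func canonical(r *http.Request) string {
	return fmt.Sprintf("%s,%s,%s,%s,%s", r.Method, r.Header.Get("Content-Type"),
		r.Header.Get("Content-MD5"), r.URL.RequestURI(), r.Header.Get("Date"))
}

// compute: HMAC-SHA1 over the canonical string, base64-encoded (assumed encoding).
func compute(s, secret string) string {
	m := hmac.New(sha1.New, []byte(secret))
	m.Write([]byte(s))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

// verify accepts only the method-bound form and adds the checks the README leaves to the
// caller: a Date replay window and a Content-MD5 check over one bounded read of the body.
func verify(r *http.Request, secret, sig string, now time.Time, maxSkew time.Duration, maxBody int64) error {
	if d, err := http.ParseTime(r.Header.Get("Date")); err != nil || d.Before(now.Add(-maxSkew)) || d.After(now.Add(maxSkew)) {
		return errors.New("Date header missing, unparseable or outside the replay window")
	}
	body, err := io.ReadAll(io.LimitReader(r.Body, maxBody+1))
	if err != nil || int64(len(body)) > maxBody {
		return errors.New("body unreadable or larger than maxBody")
	}
	r.Body = io.NopCloser(bytes.NewReader(body)) // hand the handler a fresh copy of the body
	if want := r.Header.Get("Content-MD5"); len(body) > 0 || want != "" {
		if h := md5.Sum(body); want != base64.StdEncoding.EncodeToString(h[:]) {
			return errors.New("Content-MD5 does not match the body")
		}
	}
	if !hmac.Equal([]byte(sig), []byte(compute(canonical(r), secret))) {
		return errors.New("signature mismatch")
	}
	return nil
}
```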


apiauth's Issues

Cross compile error

When cross compiling to Windows, I get the following error:

2016/10/27 10:31:21 apiauth: Can not load timezone Etc/GMT: open /usr/local/go\lib\time\zoneinfo.zip: The system cannot find the path specified.

With the full panic stack trace below:

panic: apiauth: Can not load timezone Etc/GMT: open /usr/local/go\lib\time\zoneinfo.zip: The system cannot find the path specified.

goroutine 1 [running]:
panic(0x826ee0, 0xc042116ec0)
        /usr/local/go/src/runtime/panic.go:500 +0x1af
log.Panic(0xc042099ec8, 0x2, 0x2)
        /usr/local/go/src/log/log.go:320 +0xd0
vendor/github.com/pd/apiauth.init.1()
        /<PROJECT_DIR>/src/vendor/github.com/pd/apiauth/apiauth.go:19 +0x15f
vendor/github.com/pd/apiauth.init()
        /<PROJECT_DIR>/src/vendor/github.com/pd/apiauth/apiauth.go:189 +0x5d
main.init()
        /<PROJECT_DIR>/<API_AUTH_CREATION

I've removed the bits concerning my own code: it does nothing fancy, just imports github.com/pd/apiauth. The panic doesn't seem to happen in a function call; it's on module loading.

Can't test yet if it's just a cross-compile error or if it happens on every windows build.
