Project

ey_api_hmac

0.02
No commit activity in last 3 years
No release in over 3 years
ey_api_hmacengineyard/ey_api_hmacDocumentationSource CodeBug TrackerWiki
basic wrapper for rack-client + middlewares for HMAC auth + helpers for SSO auth
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
343,785
Stars
3
Forks
6
Watchers
114
 Releases
Current version
0.4.12
Total releases
37
First release
2011-08-15
Latest release
2014-05-16
 Issues
Open Issues
0
Closed Issues
1
Total Issues
1
Issue Closure Rate
100%
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
2
Merged Pull Requests
1
Pull Request Acceptance Rate
33%
 Development
Primary Language
Ruby
Average date of last 50 commits
2012-05-25
Reverse Dependencies
3

 Dependencies

Development

rspec
>= 0

Runtime

json
>= 0
rack-client
>= 0
rack-idempotent
>= 0.0.3
 Project Readme

Engine Yard HMAC api implementation

HMAC basic implementation for Engine Yard services.

Releasing

This gem is released to https://rubygems.org

How to use it

Server Rack middleware:

  use EY::ApiHMAC::ApiAuth::Server, Consumer

Where Consumer is a class that responds to find_by_auth_id(auth_id), and returns an object that responds to id and auth_key.

  use EY::ApiHMAC::ApiAuth::LookupServer do |env, auth_id|
    #return the appropriate auth_key here
  end

this will validate the Authorization header for all requests and raise on failures

Rack-Client middleware:

  client = Rack::Client.new do
    use Rack::Config do |env|
      env['HTTP_DATE'] = Time.now.httpdate
    end
    use EY::ApiHMAC::ApiAuth::Client, auth_id_arg, auth_key_arg
    run Rack::Client::Handler::NetHTTP
  end

this will add the correct Authorization header to all requests made with this rack-client.

Imlementation details:

before signed:

{"REQUEST_URI"=>"http://example.com/api/1/service_accounts/1324/messages", "PATH_INFO"=>"/api/1/service_accounts/1324/messages", "CONTENT_TYPE"=>"application/json", "HTTP_ACCEPT"=>"application/json", "REQUEST_METHOD"=>"POST", "HTTP_DATE"=>"Thu, 15 Dec 2011 23:50:33 GMT", "rack.input"=>#<StringIO:0x007fd9239f6998>}

request body:

{"message":{"message_type":"status","subject":"Everything looks good.","body":null}}

auth_id:

123bc211233eabc

auth_key:

abc474e3fc9bddf6d41236b70cc5a952f3681166e1239214740d13eecd12318f7b8d27123b61eabc

canonical_string:

"POST\napplication/json\ne8fa80541e3726e2cf4c71d07a7bd9fd\nThu, 15 Dec 2011 23:50:33 GMT\n/api/1/service_accounts/1324/messages"

signature:

UZDkXszu4dp6Gz2TEGcy/cVt0R0=

now signed:

{"REQUEST_URI"=>"http://example.com/api/1/service_accounts/1324/messages", "PATH_INFO"=>"/api/1/service_accounts/1324/messages", "CONTENT_TYPE"=>"application/json", "HTTP_ACCEPT"=>"application/json", "REQUEST_METHOD"=>"POST", "HTTP_DATE"=>"Thu, 15 Dec 2011 23:50:33 GMT", "rack.input"=>#<StringIO:0x007fd9239f6998>, "HTTP_AUTHORIZATION"=>"AuthHMAC 123bc211233eabc:UZDkXszu4dp6Gz2TEGcy/cVt0R0="}

Requests with empty request body.

In prior versions (0.1.x), we expected the MD5 hash of an empty string (d41d8cd98f00b204e9800998ecf8427e) to be used in the canonical string when the HTTP request had no body. In the latest version (0.4.x), we expect an empty string to used instead. We've made the "server" component of ey_api_hmac verify and accept both styles of canonical string, however there is no backwards-compatible solution for the client, so we always use empty string when the content body is empty.

This change was made to be compatible with the other HMAC already in use internally at Engine Yard: http://rubygems.org/gems/auth-hmac.