Initial commit

Anthony Bouch · Anthony Bouch · commit 9f818bfa31e7 · 2014-08-23T01:43:14.000+07:00
A hapi-auth-signature authentication scheme plugin (based on the layout
and docs for the hapi-auth-basic plugin).
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,20 @@
+.idea
+*.iml
+npm-debug.log
+dump.rdb
+node_modules
+results.tap
+results.xml
+npm-shrinkwrap.json
+config.json
+.DS_Store
+*/.DS_Store
+*/*/.DS_Store
+._*
+*/._*
+*/*/._*
+coverage.*
+lib-cov
+*.swp
+*.swo
+*.swn
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,24 @@
+Copyright (c) 2014, Anthony Bouch
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * The names of any contributors may not be used to endorse or promote
+      products derived from this software without specific prior written
+      permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS AND CONTRIBUTORS BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/README.md b/README.md
@@ -0,0 +1,67 @@
+### hapi-auth-signature
+
+Signature authentication scheme that wraps the [Joyent Signature Authentication Scheme](https://github.com/joyent/node-http-signature) and requires validating signed authorization header.
+
+- `validateFunc` - (required) an api key id and secret key lookup validation function with the signature `function(keyId, callback)` where:
+    - `parsedHeader` - [http-signature](https://github.com/joyent/node-http-signature) parsed header including the key id and signature.
+    - `callback` - a callback function with the signature `function(err, isValid, credentials)` where:
+        - `err` - an internal error.
+        - `isValid` - `true` if the signature is verified, otherwise `false`.
+        - `credentials` - a credentials object passed back to the application in `request.auth.credentials`. Typically, `credentials` are only
+          included when `isValid` is `true`, but there are cases when the application needs to know who tried to authenticate even when it fails
+          (e.g. with authentication mode `'try'`).
+
+The validation function shown below is based on an hmac scheme with a key identifier and secret key stored in a user record. [http-signature](https://github.com/joyent/node-http-signature) supports the following algorithms:
+
+* rsa-sha1
+* rsa-sha256
+* rsa-sha512
+* dsa-sha1
+* hmac-sha1
+* hmac-sha256
+* hmac-sha512
+
+
+```javascript
+
+var HttpSignature = require('http-signature');
+
+var users = [
+    {
+        id: '1,
+        username: 'john',
+        apikeyid: '18KF2FGK6807ZQA945R2',
+        secretkey: '46573e78ce9df4f2d9ae93afd5f5c281', // 'secret'
+    }
+];
+
+var validate = function (parsedHeader, callback) {
+
+    var keyId = parsedHeader.keyId;
+    var credentials {};
+    var secretKey;
+    users.forEach(function(user, index) {
+        if (user.apikeyid === keyId) {
+            secretKey = user.secretkey;
+            credentials = {id: user.id, username: user.username};
+        }
+    }
+
+    if (!secretKey) {
+        return callback(null, false);
+    }
+
+    if(HttpSignature.verifySignature(parsedHeader, user.secretkey)) {
+        callback(null, true, credentials);
+    } else {
+        callback(null, false);
+    };
+};
+
+server.pack.register(require('hapi-auth-signature'), function (err) {
+
+    server.auth.strategy('hmac', 'signature', { validateFunc: validate });
+    server.route({ method: 'GET', path: '/', config: { auth: 'hmac' } });
+});
+
+```
diff --git a/index.js b/index.js
@@ -0,0 +1 @@
+module.exports = require('./lib');
diff --git a/lib/index.js b/lib/index.js
@@ -0,0 +1,70 @@
+// Load modules
+
+var Boom = require('boom');
+var Hoek = require('hoek');
+var HttpSignature = require('http-signature');
+
+
+// Declare internals
+
+var internals = {};
+
+
+exports.register = function (plugin, options, next) {
+
+  plugin.auth.scheme('signature', internals.implementation);
+  next();
+};
+
+exports.register.attributes = {
+  pkg: require('../package.json')
+};
+
+
+internals.implementation = function (server, options) {
+
+  Hoek.assert(options, 'Missing signature auth strategy options');
+  Hoek.assert(typeof options.validateFunc === 'function', 'options.validateFunc must be a valid function in signature scheme');
+
+  var settings = Hoek.clone(options);
+
+  var scheme = {
+    authenticate: function (request, reply) {
+
+      var req = request.raw.req;
+      if (!req.headers.authorization) {
+        return reply(Boom.unauthorized(null, 'Signature'));
+      }
+
+      var parsed = HttpSignature.parseRequest(req);
+      if (!parsed) {
+        return reply(Boom.unauthorized('HTTP authentication header missing signature', 'Signature'));
+      }
+
+      settings.validateFunc(parsed, function (err, isValid, credentials) {
+
+        credentials = credentials || null;
+
+        if (err) {
+          return reply(err, { credentials: credentials, log: { tags: ['auth', 'signature'], data: err } });
+        }
+
+        if (!isValid) {
+          return reply(Boom.unauthorized('Bad signature', 'Signature'), { credentials: credentials });
+        }
+
+        if (!credentials ||
+            typeof credentials !== 'object') {
+
+          return reply(Boom.badImplementation('Bad credentials object received for Signature auth validation'), { log: { tags: ['auth', 'credentials'] } });
+        }
+
+        // Authenticated
+
+        return reply(null, { credentials: credentials });
+      });
+    }
+  };
+
+  return scheme;
+};
diff --git a/package.json b/package.json
@@ -0,0 +1,38 @@
+{
+  "name": "hapi-auth-signature",
+  "description": "Signature authentication plugin that wraps https://github.com/joyent/node-http-signature",
+  "version": "1.0.0",
+  "author": "Anthony Bouch <tony@58bits.com> (http://www.58bits.com)",
+  "repository": "git://github.com/58bits/hapi-auth-signature",
+  "main": "index",
+  "keywords": [
+    "hapi",
+    "plugin",
+    "auth",
+    "signature"
+  ],
+  "engines": {
+    "node": ">=0.10.30"
+  },
+  "dependencies": {
+    "boom": "2.x.x",
+    "hoek": "2.x.x",
+    "http-signature": "^0.10.0"
+  },
+  "peerDependencies": {
+    "hapi": ">=2.x.x"
+  },
+  "devDependencies": {
+    "hapi": "6.x.x",
+    "lab": "3.x.x"
+  },
+  "scripts": {
+    "test": "make test-cov"
+  },
+  "licenses": [
+    {
+      "type": "BSD",
+      "url": "http://github.com/58bits/hapi-auth-signature/raw/master/LICENSE"
+    }
+  ]
+}
