api-auth 1.3.2 → 1.4.0

data/lib/api_auth/headers.rb

@@ -52,10 +52,28 @@ module ApiAuth
     end
 
     # Returns the canonical string computed from the request's headers
-    def canonical_string
+    def canonical_string_without_http_method
       [ @request.content_type,
         @request.content_md5,
-        parse_uri(@request.request_uri), 
+        parse_uri(@request.request_uri),
+        @request.timestamp
+      ].join(",")
+    end
+
+    # temp backwards compatibility
+    alias_method :canonical_string, :canonical_string_without_http_method
+
+    def canonical_string_with_http_method(override_method = nil)
+      request_method = override_method || @request.http_method
+
+      if request_method.nil?
+        raise ArgumentError, "unable to determine the http method from the request, please supply an override"
+      end
+
+      [ request_method.upcase,
+        @request.content_type,
+        @request.content_md5,
+        parse_uri(@request.request_uri),
         @request.timestamp
       ].join(",")
     end
@@ -92,8 +110,10 @@ module ApiAuth
 
     private
 
+    URI_WITHOUT_HOST_REGEXP = %r{https?://[^,?/]*}
+
     def parse_uri(uri)
-      uri_without_host = uri.gsub(/https?:\/\/[^(,|\?|\/)]*/, '')
+      uri_without_host = uri.gsub(URI_WITHOUT_HOST_REGEXP, '')
       return '/' if uri_without_host.empty?
       uri_without_host
     end

data/lib/api_auth/request_drivers/action_controller.rb

@@ -41,6 +41,10 @@ module ApiAuth
         capitalize_keys @request.env
       end
 
+      def http_method
+        @request.request_method.to_s.upcase
+      end
+
       def content_type
         value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
         value.nil? ? "" : value

data/lib/api_auth/request_drivers/curb.rb

@@ -30,6 +30,10 @@ module ApiAuth
         capitalize_keys @request.headers
       end
 
+      def http_method
+        nil # not possible to get the method at this layer
+      end
+
       def content_type
         value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
         value.nil? ? "" : value

data/lib/api_auth/request_drivers/faraday.rb

@@ -45,6 +45,10 @@ module ApiAuth
         capitalize_keys @request.headers
       end
 
+      def http_method
+        @request.method.to_s.upcase
+      end
+
       def content_type
         value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
         value.nil? ? "" : value

data/lib/api_auth/request_drivers/httpi.rb

@@ -40,6 +40,10 @@ module ApiAuth
         capitalize_keys @request.headers
       end
 
+      def http_method
+        nil # not possible to get the method at this layer
+      end
+
       def content_type
         value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
         value.nil? ? "" : value
@@ -77,4 +81,4 @@ module ApiAuth
 
   end
 
-end
+end

data/lib/api_auth/request_drivers/net_http.rb

@@ -47,6 +47,10 @@ module ApiAuth
         @request
       end
 
+      def http_method
+        @request.method.upcase
+      end
+
       def content_type
         value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
         value.nil? ? "" : value

data/lib/api_auth/request_drivers/rack.rb

@@ -46,6 +46,10 @@ module ApiAuth
         capitalize_keys @request.env
       end
 
+      def http_method
+        @request.request_method.upcase
+      end
+
       def content_type
         value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
         value.nil? ? "" : value
@@ -57,7 +61,7 @@ module ApiAuth
       end
 
       def request_uri
-        @request.url
+        @request.fullpath
       end
 
       def set_date

data/lib/api_auth/request_drivers/rest_client.rb

@@ -50,6 +50,10 @@ module ApiAuth
         capitalize_keys @request.processed_headers
       end
 
+      def http_method
+        @request.method.to_s.upcase
+      end
+
       def content_type
         value = find_header(%w(CONTENT-TYPE CONTENT_TYPE HTTP_CONTENT_TYPE))
         value.nil? ? "": value

data/spec/api_auth_spec.rb

@@ -10,678 +10,162 @@ describe "ApiAuth" do
     end
 
     it "should generate secret keys that are 88 characters" do
-      ApiAuth.generate_secret_key.size.should be(88)
+      expect(ApiAuth.generate_secret_key.size).to be(88)
     end
 
     it "should generate keys that have a Hamming Distance of at least 65" do
       key1 = ApiAuth.generate_secret_key
       key2 = ApiAuth.generate_secret_key
-      Amatch::Hamming.new(key1).match(key2).should be > 65
+      expect(Amatch::Hamming.new(key1).match(key2)).to be > 65
     end
 
   end
 
-  describe "signing requests" do
+  def hmac(secret_key, request, canonical_string = nil)
+    canonical_string ||= ApiAuth::Headers.new(request).canonical_string
+    digest = OpenSSL::Digest.new('sha1')
+    ApiAuth.b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
+  end
 
-    def hmac(secret_key, request)
-      canonical_string = ApiAuth::Headers.new(request).canonical_string
-      digest = OpenSSL::Digest.new('sha1')
-      ApiAuth.b64_encode(OpenSSL::HMAC.digest(digest, secret_key, canonical_string))
-    end
+  describe ".sign!" do
+    let(:request){ RestClient::Request.new(:url => "http://google.com", :method => :get) }
+    let(:headers){ ApiAuth::Headers.new(request) }
 
-    before(:all) do
-      @access_id = "1044"
-      @secret_key = ApiAuth.generate_secret_key
-    end
+    it "generates date header before signing" do
+      expect(ApiAuth::Headers).to receive(:new).and_return(headers)
 
-    describe "with Net::HTTP" do
-
-      before(:each) do
-        @request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-          'content-type' => 'text/plain',
-          'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-          'date' => Time.now.utc.httpdate)
-        @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-      end
+      expect(headers).to receive(:set_date).ordered
+      expect(headers).to receive(:sign_header).ordered
 
-      it "should return a Net::HTTP object after signing it" do
-        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("Net::HTTP")
-      end
+      ApiAuth.sign!(request, "abc", "123")
+    end
 
-      describe "md5 header" do
-        context "not already provided" do
-          it "should calculate for empty string" do
-            request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-              'content-type' => 'text/plain',
-              'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
-          end
-
-          it "should calculate for real content" do
-            request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-              'content-type' => 'text/plain',
-              'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
-            request.body = "hello\nworld"
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request['Content-MD5'].should == "kZXQvrKoieG+Be1rsZVINw=="
-          end
-
-          it "should calculate for real multipart content" do
-            request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-              'content-type' => 'text/plain',
-              'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
-            request.body_stream = File.new('spec/fixtures/upload.png')
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request['Content-MD5'].should == "k4U8MTA3RHDcewBzymVNEQ=="
-          end
-        end
-
-        it "should leave the content-md5 alone if provided" do
-          @signed_request['Content-MD5'].should == '1B2M2Y8AsgTpgAmY7PhCfg=='
-        end
-      end
+    it "generates content-md5 header before signing" do
+      expect(ApiAuth::Headers).to receive(:new).and_return(headers)
+      expect(headers).to receive(:calculate_md5).ordered
+      expect(headers).to receive(:sign_header).ordered
 
-      it "should sign the request" do
-        @signed_request['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
-      end
+      ApiAuth.sign!(request, "abc", "123")
+    end
 
-      it "should authenticate a valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key).should be_true
-      end
+    it "returns the same request object back" do
+      expect(ApiAuth.sign!(request, "abc", "123")).to be request
+    end
 
-      it "should NOT authenticate a non-valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
-      end
+    it "calculates the hmac_signature as expected" do
+      ApiAuth.sign!(request, "1044", "123")
+      signature = hmac("123", request)
+      expect(request.headers['Authorization']).to eq("APIAuth 1044:#{signature}")
+    end
 
-      it "should NOT authenticate a mismatched content-md5 when body has changed" do
-        request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+    context "when passed the with_http_method option" do
+      let(:request){
+        Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
           'content-type' => 'text/plain',
-          'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
-        request.body = "hello\nworld"
-        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-        signed_request.body = "goodbye"
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate an expired request" do
-        @request['Date'] = 16.minutes.ago.utc.httpdate
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
+          'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+          'date' => Time.now.utc.httpdate
+        )
+      }
 
-      it "should NOT authenticate a request with an invalid date" do
-        @request['Date'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
+      let(:canonical_string){ ApiAuth::Headers.new(request).canonical_string_with_http_method }
 
-      it "should retrieve the access_id" do
-        ApiAuth.access_id(@signed_request).should == "1044"
+      it "calculates the hmac_signature with http method" do
+        ApiAuth.sign!(request, "1044", "123", { :with_http_method => true })
+        signature = hmac("123", request, canonical_string)
+        expect(request['Authorization']).to eq("APIAuth 1044:#{signature}")
       end
-
     end
+  end
 
-    describe "with RestClient" do
-
-      before(:each) do
-        headers = { 'Content-MD5' => "1B2M2Y8AsgTpgAmY7PhCfg==",
-                    'Content-Type' => "text/plain",
-                    'Date' => Time.now.utc.httpdate }
-        @request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-          :headers => headers,
-          :method => :put)
-        @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-      end
-
-      it "should return a RestClient object after signing it" do
-        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("RestClient")
-      end
-
-      describe "md5 header" do
-        context "not already provided" do
-          it "should calculate for empty string" do
-            headers = { 'Content-Type' => "text/plain",
-                        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-            request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-              :headers => headers,
-              :method => :put)
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.headers['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
-          end
-
-          it "should calculate for real content" do
-            headers = { 'Content-Type' => "text/plain",
-                        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-            request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-              :headers => headers,
-              :method => :put,
-              :payload => "hellow\nworld")
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.headers['Content-MD5'].should == "G0grublI06013h58g9j8Vw=="
-          end
-        end
-
-        it "should leave the content-md5 alone if provided" do
-          @signed_request.headers['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
-        end
-      end
-
-      it "should sign the request" do
-        @signed_request.headers['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
-      end
-
-      it "should sign the request using the generated md5 header" do
-        date = Time.now.utc.httpdate
-        headers1 = { 'Content-MD5' => "1B2M2Y8AsgTpgAmY7PhCfg==",
-                     'Content-Type' => "text/plain",
-                     'Date' => date }
-        request1 = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-                                           :headers => headers1,
-                                           :method => :put)
-        headers2 = { 'Content-Type' => "text/plain",
-                     'Date' => date }
-        request2 = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-                                           :headers => headers2,
-                                           :method => :put)
-
-        ApiAuth.sign!(request1, @access_id, @secret_key)
-        ApiAuth.sign!(request2, @access_id, @secret_key)
-
-        request2.headers['Authorization'].should == request1.headers['Authorization']
-      end
-
-      it "should sign the request using the generated Date header" do
-        headers1 = { 'Content-MD5' => "1B2M2Y8AsgTpgAmY7PhCfg==",
-                     'Content-Type' => "text/plain"}
-        request1 = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-                                           :headers => headers1,
-                                           :method => :put)
-        ApiAuth.sign!(request1, @access_id, @secret_key)
-        headers2 = { 'Content-MD5' => "1B2M2Y8AsgTpgAmY7PhCfg==",
-                     'Content-Type' => "text/plain",
-                     'Date' => request1.headers['DATE'] }
-        request2 = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-                                           :headers => headers2,
-                                           :method => :put)
-
-        ApiAuth.sign!(request2, @access_id, @secret_key)
-
-        request2.headers['Authorization'].should == request1.headers['Authorization']
-      end
-
-      it "should authenticate a valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key).should be_true
-      end
-
-      it "should NOT authenticate a non-valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
-      end
-
-      it "should NOT authenticate a mismatched content-md5 when body has changed" do
-        headers = { 'Content-Type' => "text/plain",
-                    'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-        request = RestClient::Request.new(:url => "/resource.xml?foo=bar&bar=foo",
-          :headers => headers,
-          :method => :put,
-          :payload => "hello\nworld")
-        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-        signed_request.instance_variable_set("@payload", RestClient::Payload.generate('goodbye'))
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate an expired request" do
-        @request.headers['Date'] = 16.minutes.ago.utc.httpdate
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate a request with an invalid date" do
-        @request.headers['Date'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should retrieve the access_id" do
-        ApiAuth.access_id(@signed_request).should == "1044"
-      end
-
+  describe ".authentic?" do
+    let(:request){
+      new_request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+        'content-type' => 'text/plain',
+        'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+        'date' => Time.now.utc.httpdate
+      )
+
+      signature = hmac("123", new_request)
+      new_request["Authorization"] = "APIAuth 1044:#{signature}"
+      new_request
+    }
+
+    it "validates that the signature in the request header matches the way we sign it" do
+      expect(ApiAuth.authentic?(request, "123")).to eq true
     end
 
-    describe "with Curb" do
-
-      before(:each) do
-        headers = { 'Content-MD5' => "e59ff97941044f85df5297e1c302d260",
-                    'Content-Type' => "text/plain",
-                    'Date' => Time.now.utc.httpdate }
-        @request = Curl::Easy.new("/resource.xml?foo=bar&bar=foo") do |curl|
-          curl.headers = headers
-        end
-        @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-      end
-
-      it "should return a Curl::Easy object after signing it" do
-        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("Curl::Easy")
-      end
-
-      describe "md5 header" do
-        it "should not calculate and add the content-md5 header if not provided" do
-          headers = { 'Content-Type' => "text/plain",
-                      'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-          request = Curl::Easy.new("/resource.xml?foo=bar&bar=foo") do |curl|
-            curl.headers = headers
-          end
-          signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-          signed_request.headers['Content-MD5'].should == nil
-        end
-
-        it "should leave the content-md5 alone if provided" do
-          @signed_request.headers['Content-MD5'].should == "e59ff97941044f85df5297e1c302d260"
-        end
-      end
-
-      it "should sign the request" do
-        @signed_request.headers['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
-      end
-
-      it "should authenticate a valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key).should be_true
-      end
-
-      it "should NOT authenticate a non-valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
-      end
-
-      it "should NOT authenticate an expired request" do
-        @request.headers['Date'] = 16.minutes.ago.utc.httpdate
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate a request with an invalid date" do
-        @request.headers['Date'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should retrieve the access_id" do
-        ApiAuth.access_id(@signed_request).should == "1044"
-      end
-
+    it "fails to validate a non matching signature" do
+      expect(ApiAuth.authentic?(request, "456")).to eq false
     end
 
-    describe "with ActionController/ActionDispatch" do
-
-      let(:request_klass){ ActionDispatch::Request rescue ActionController::Request }
-
-      before(:each) do
-        @request = request_klass.new(
-          'PATH_INFO' => '/resource.xml',
-          'QUERY_STRING' => 'foo=bar&bar=foo',
-          'REQUEST_METHOD' => 'PUT',
-          'CONTENT_MD5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-          'CONTENT_TYPE' => 'text/plain',
-          'HTTP_DATE' => Time.now.utc.httpdate,
-          'rack.input' => StringIO.new)
-        @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-      end
-
-      it "should return a ActionDispatch::Request object after signing it" do
-        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match(request_klass.to_s)
-      end
-
-      describe "md5 header" do
-        context "not already provided" do
-          it "should calculate for empty string" do
-            request = request_klass.new(
-              'PATH_INFO' => '/resource.xml',
-              'QUERY_STRING' => 'foo=bar&bar=foo',
-              'REQUEST_METHOD' => 'PUT',
-              'CONTENT_TYPE' => 'text/plain',
-              'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT',
-              'rack.input' => StringIO.new)
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.env['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
-          end
-
-          it "should calculate for real content" do
-            request = request_klass.new(
-              'PATH_INFO' => '/resource.xml',
-              'QUERY_STRING' => 'foo=bar&bar=foo',
-              'REQUEST_METHOD' => 'PUT',
-              'CONTENT_TYPE' => 'text/plain',
-              'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT',
-              'rack.input' => StringIO.new("hello\nworld"),
-              'CONTENT_LENGTH' => '11')
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.env['Content-MD5'].should == "kZXQvrKoieG+Be1rsZVINw=="
-          end
-
-        end
-
-        it "should leave the content-md5 alone if provided" do
-          @signed_request.env['CONTENT_MD5'].should == '1B2M2Y8AsgTpgAmY7PhCfg=='
-        end
-      end
-
-      it "should sign the request" do
-        @signed_request.env['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
-      end
-
-      it "should authenticate a valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key).should be_true
-      end
-
-      it "should NOT authenticate a non-valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
-      end
-
-      it "should NOT authenticate a mismatched content-md5 when body has changed" do
-        request = request_klass.new(
-          'PATH_INFO' => '/resource.xml',
-          'QUERY_STRING' => 'foo=bar&bar=foo',
-          'REQUEST_METHOD' => 'PUT',
-          'CONTENT_TYPE' => 'text/plain',
-          'HTTP_DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT',
-          'rack.input' => StringIO.new("hello\nworld"))
-        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-        signed_request.instance_variable_get("@env")["rack.input"] = StringIO.new("goodbye")
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate an expired request" do
-        @request.env['HTTP_DATE'] = 16.minutes.ago.utc.httpdate
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate a request with an invalid date" do
-        @request.env['Date'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should retrieve the access_id" do
-        ApiAuth.access_id(@signed_request).should == "1044"
-      end
-
+    it "fails to validate non matching md5" do
+      request['content-md5'] = '12345'
+      expect(ApiAuth.authentic?(request, "123")).to eq false
     end
 
-    describe "with Rack::Request" do
-
-      before(:each) do
-        headers = { 'Content-MD5' => "1B2M2Y8AsgTpgAmY7PhCfg==",
-                    'Content-Type' => "text/plain",
-                    'Date' => Time.now.utc.httpdate }
-        @request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
-        @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-      end
-
-      it "should return a Rack::Request object after signing it" do
-        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("Rack::Request")
-      end
-
-      describe "md5 header" do
-        context "not already provided" do
-          it "should calculate for empty string" do
-            headers = { 'Content-Type' => "text/plain",
-                        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-            request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put).merge!(headers))
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.env['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
-          end
-
-          it "should calculate for real content" do
-            headers = { 'Content-Type' => "text/plain",
-                        'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-            request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put, :input => "hellow\nworld").merge!(headers))
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request.env['Content-MD5'].should == "G0grublI06013h58g9j8Vw=="
-          end
-        end
-
-        it "should leave the content-md5 alone if provided" do
-          @signed_request.env['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
-        end
-      end
-
-      it "should sign the request" do
-        @signed_request.env['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
-      end
-
-      it "should authenticate a valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key).should be_true
-      end
-
-      it "should NOT authenticate a non-valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
-      end
-
-      it "should NOT authenticate a mismatched content-md5 when body has changed" do
-        headers = { 'Content-Type' => "text/plain",
-                    'Date' => "Mon, 23 Jan 1984 03:29:56 GMT" }
-        request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put, :input => "hellow\nworld").merge!(headers))
-        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-        changed_request = Rack::Request.new(Rack::MockRequest.env_for("/resource.xml?foo=bar&bar=foo", :method => :put, :input => "goodbye").merge!(headers))
-        signed_request.env['rack.input'] = changed_request.env['rack.input']
-        signed_request.env['CONTENT_LENGTH'] = changed_request.env['CONTENT_LENGTH']
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate an expired request" do
-        @request.env['Date'] = 16.minutes.ago.utc.httpdate
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate a request with an invalid date" do
-        @request.env['Date'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should retrieve the access_id" do
-        ApiAuth.access_id(@signed_request).should == "1044"
-      end
-
+    it "fails to validate expired requests" do
+      request['date'] = 16.minutes.ago.utc.httpdate
+      expect(ApiAuth.authentic?(request, "123")).to eq false
     end
 
-    describe "with HTTPI" do
-      before(:each) do
-        @request = HTTPI::Request.new("http://localhost/resource.xml?foo=bar&bar=foo")
-        @request.headers.merge!({
-                                    'content-type' => 'text/plain',
-                                    'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
-                                    'date' => Time.now.utc.httpdate
-                                })
-        @headers = ApiAuth::Headers.new(@request)
-        @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-      end
-
-      it "should return a HTTPI object after signing it" do
-        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("HTTPI::Request")
-      end
-
-      describe "md5 header" do
-        context "not already provided" do
-          it "should calculate for empty string" do
-            request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-                                         'content-type' => 'text/plain',
-                                         'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
-          end
-
-          it "should calculate for real content" do
-            request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-                                         'content-type' => 'text/plain',
-                                         'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
-            request.body = "hello\nworld"
-            signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-            signed_request['Content-MD5'].should == "kZXQvrKoieG+Be1rsZVINw=="
-          end
-        end
-
-        it "should leave the content-md5 alone if provided" do
-          @signed_request.headers['Content-MD5'].should == '1B2M2Y8AsgTpgAmY7PhCfg=='
-        end
-      end
-
-      it "should sign the request" do
-        @signed_request.headers['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
-      end
-
-      it "should authenticate a valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key).should be_true
-      end
-
-      it "should NOT authenticate a non-valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
-      end
-
-      it "should NOT authenticate a mismatched content-md5 when body has changed" do
-        request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
-                                     'content-type' => 'text/plain',
-                                     'date' => "Mon, 23 Jan 1984 03:29:56 GMT")
-        request.body = "hello\nworld"
-        signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-        signed_request.body = "goodbye"
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate an expired request" do
-        @request.headers['Date'] = 16.minutes.ago.utc.httpdate
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should NOT authenticate a request with an invalid date" do
-        @request.headers['Date'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
-
-      it "should retrieve the access_id" do
-        ApiAuth.access_id(@signed_request).should == "1044"
-      end
+    it "fails to validate if the date is invalid" do
+      request['date'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
+      expect(ApiAuth.authentic?(request, "123")).to eq false
     end
 
-    describe "with Faraday::Request" do
-      before(:each) do
-        stubs = Faraday::Adapter::Test::Stubs.new do |stub|
-          stub.put('/resource.xml?foo=bar&bar=foo') { [200, {}, ''] }
-          stub.put('/resource.xml') { [200, {}, ''] }
-        end
-
-        @faraday_conn = Faraday.new do |builder|
-          builder.adapter :test, stubs do |stub|
-          end
-        end
-
-        @faraday_conn.put '/resource.xml?foo=bar&bar=foo' do |request|
-          @request = request
-          @request.headers.merge!({'Content-MD5' => "1B2M2Y8AsgTpgAmY7PhCfg==",
-                                   'content-type' => 'text/plain',
-                                   'DATE' => Time.now.utc.httpdate})
-        end
-
-        @headers = ApiAuth::Headers.new(@request)
-        @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-      end
-
-      it "should return a Faraday::Request object after signing it" do
-        ApiAuth.sign!(@request, @access_id, @secret_key).class.to_s.should match("Faraday::Request")
-      end
-
-      describe "md5 header" do
-        context "not already provided" do
-          it "should calculate for empty string" do
-            @faraday_conn.put '/resource.xml?foo=bar&bar=foo' do |request|
-              request.headers.merge!({'content-type' => 'text/plain',
-                                       'DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT'})
-
-              signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-              signed_request['Content-MD5'].should == "1B2M2Y8AsgTpgAmY7PhCfg=="
-            end
-          end
-
-          it "should calculate for real content" do
-            @faraday_conn.put '/resource.xml?foo=bar&bar=foo' do |request|
-              request.headers.merge!({'content-type' => 'text/plain',
-                                       'DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT'})
-              request.body = "hello\nworld"
-
-              signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-              signed_request['Content-MD5'].should == "kZXQvrKoieG+Be1rsZVINw=="
-            end
-          end
-        end
-
-        it "should leave the content-md5 alone if provided" do
-          @signed_request.headers['Content-MD5'].should == '1B2M2Y8AsgTpgAmY7PhCfg=='
-        end
-      end
-
-      it "should sign the request" do
-        @signed_request.headers['Authorization'].should == "APIAuth 1044:#{hmac(@secret_key, @request)}"
-      end
-
-      it "should authenticate a valid request with parameters" do
-        ApiAuth.authentic?(@signed_request, @secret_key).should be_true
-      end
+    context "canonical string contains the http_method" do
+      let(:request){
+        new_request = Net::HTTP::Put.new("/resource.xml?foo=bar&bar=foo",
+          'content-type' => 'text/plain',
+          'content-md5' => '1B2M2Y8AsgTpgAmY7PhCfg==',
+          'date' => Time.now.utc.httpdate
+        )
+        canonical_string = ApiAuth::Headers.new(new_request).canonical_string_with_http_method
+        signature = hmac("123", new_request, canonical_string)
+        new_request["Authorization"] = "APIAuth 1044:#{signature}"
+        new_request
+      }
 
-      it "should NOT authenticate a non-valid request" do
-        ApiAuth.authentic?(@signed_request, @secret_key+'j').should be_false
+      it "validates for canonical_strings containing the http_method" do
+        expect(ApiAuth.authentic?(request, "123")).to eq true
       end
 
-      it "should NOT authenticate a mismatched content-md5 when body has changed" do
-        @faraday_conn.put '/resource.xml?foo=bar&bar=foo' do |request|
-          request.headers.merge!({'content-type' => 'text/plain',
-                                   'DATE' => 'Mon, 23 Jan 1984 03:29:56 GMT'})
-          request.body = "hello\nworld"
-
-          signed_request = ApiAuth.sign!(request, @access_id, @secret_key)
-          signed_request.body = 'goodbye'
-          ApiAuth.authentic?(signed_request, @secret_key).should be_false
-        end
+      it "fails to validate if the request method differs" do
+        canonical_string = ApiAuth::Headers.new(request).canonical_string_with_http_method('POST')
+        signature = hmac("123", request, canonical_string)
+        request["Authorization"] = "APIAuth 1044:#{signature}"
+        expect(ApiAuth.authentic?(request, "123")).to eq false
       end
+    end
+  end
 
-      it "should NOT authenticate an expired request" do
-        @request.headers['DATE'] = 16.minutes.ago.utc.httpdate
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
-      end
+  describe ".access_id" do
+    context "normal APIAuth Auth header" do
+      let(:request){
+        RestClient::Request.new(
+          :url => "http://google.com",
+          :method => :get,
+          :headers => {:authorization => "APIAuth 1044:aGVsbG8gd29ybGQ="}
+        )
+      }
 
-      it "should NOT authenticate a request with an invalid date" do
-        @request.headers['DATE'] = "٢٠١٤-٠٩-٠٨ ١٦:٣١:١٤ +٠٣٠٠"
-        signed_request = ApiAuth.sign!(@request, @access_id, @secret_key)
-        ApiAuth.authentic?(signed_request, @secret_key).should be_false
+      it "parses it from the Auth Header" do
+        expect(ApiAuth.access_id(request)).to eq("1044")
       end
+    end
 
-      it "should retrieve the access_id" do
-        ApiAuth.access_id(@signed_request).should == "1044"
-      end
+    context "Corporate prefixed APIAuth header" do
+      let(:request){
+        RestClient::Request.new(
+          :url => "http://google.com",
+          :method => :get,
+          :headers => {:authorization => "Corporate APIAuth 1044:aGVsbG8gd29ybGQ="}
+        )
+      }
 
-      describe 'request_uri' do
-        context 'with parameters' do
-          it "should return urls with a query string" do
-            req = ::ApiAuth::RequestDrivers::FaradayRequest.new(@request)
-            req.request_uri.should == '/resource.xml?bar=foo&foo=bar'
-          end
-        end
-
-        context 'without parameters' do
-          it "should return urls with no query string" do
-            @faraday_conn.put '/resource.xml' do |request|
-              request.headers.merge!({'content-type' => 'text/plain',
-                                       'DATE' => Time.now.utc.httpdate})
-              req = ::ApiAuth::RequestDrivers::FaradayRequest.new(request)
-              req.request_uri.should == '/resource.xml'
-            end
-          end
-        end
+      it "parses it from the Auth Header" do
+        expect(ApiAuth.access_id(request)).to eq("1044")
       end
     end
   end
-
 end