api-auth 2.1.0 → 2.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 9ee2a233ac1efcbf1af8b4028fde060ab2de42d5
-  data.tar.gz: 32dc7e2f7fb53759ff4d043e03f53914e4944345
+SHA256:
+  metadata.gz: 51fee150bf8e85fbaa3195608e96a25ad4ef7cb19bcc026137c1831c94f652c1
+  data.tar.gz: 7c0aeeefdf36f93e53cef4ac76f0015efa587c5a7b572dafe6670276d786e92a
 SHA512:
-  metadata.gz: 5264828dfb7ec5743f4f74bb2b13ac6e8e002f1addfb448bb2e6ded240fe7ef13e0d1d2bc4646c3f568a33d25a32ff32ea4b070ce59c30d6431a8a451350cb2c
-  data.tar.gz: ffed44efe3245f7c74e9a6b76057ec1de088c16805d7f96fd10061d9babb940680e3b4927bc9aa480cd9aa8d03955c60c8fce1c6f596528f2bc4aaa9d2289c13
+  metadata.gz: 4cf7349cdbed677337b82e3c0ad87ce1271ce0a92c65a9bda8514dadde6c3a6fd40e962fc9b23cb937e0b1b804d456930d6ddeb245d5d3d5ed021639c077a3c8
+  data.tar.gz: c4935420257b03f3f90460c7caffb64d0da2792f9793c24c02bf00e7abdc1a80a509d73c3ed86a95098de3cb5aaeb96776e383a537dfab3233fd043a6077c928

data/.gitignore

@@ -8,3 +8,4 @@
 /doc
 /.yardoc
 gemfiles/*.lock
+/.idea

data/.rubocop.yml

@@ -12,11 +12,6 @@ Lint/AssignmentInCondition:
   Exclude:
     - 'lib/api_auth/base.rb'
 
-# Offense count: 1
-Lint/UselessAssignment:
-  Exclude:
-    - 'spec/request_drivers/rest_client_spec.rb'
-
 # Offense count: 2
 Metrics/AbcSize:
   Max: 25
@@ -60,43 +55,9 @@ Style/Documentation:
     - 'lib/api_auth/railtie.rb'
     - 'lib/api_auth/request_drivers/rest_client.rb'
 
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: AllowForAlignment, ForceEqualSignAlignment.
-Style/ExtraSpacing:
-  Exclude:
-    - 'lib/api_auth/railtie.rb'
-
 # Offense count: 1
 # Configuration parameters: ExpectMatchingDefinition, Regex, IgnoreExecutableScripts.
 Style/FileName:
   Exclude:
     - 'lib/api-auth.rb'
-
-# Offense count: 110
-# Cop supports --auto-correct.
-# Configuration parameters: SupportedStyles, UseHashRocketsWithSymbolValues.
-# SupportedStyles: ruby19, ruby19_no_mixed_keys, hash_rockets
-Style/HashSyntax:
-  EnforcedStyle: hash_rockets
-
-# Offense count: 4
-# Cop supports --auto-correct.
-# Configuration parameters: PreferredDelimiters.
-Style/PercentLiteralDelimiters:
-  Exclude:
-    - 'api_auth.gemspec'
-
-# Offense count: 1
-# Cop supports --auto-correct.
-# Configuration parameters: EnforcedStyle, SupportedStyles.
-# SupportedStyles: use_perl_names, use_english_names
-Style/SpecialGlobalVars:
-  Enabled: false
-
-# Offense count: 4
-# Cop supports --auto-correct.
-Style/UnneededPercentQ:
-  Exclude:
-    - 'api_auth.gemspec'
-
+    - 'Appraisals'

data/.travis.yml

@@ -2,64 +2,33 @@ language: ruby
 sudo: false
 cache: bundler
 rvm:
-  - 1.8.7-p374
-  - 1.9.3
   - 2.1.9
-  - 2.2.5
-  - 2.3.1
+  - 2.2.6
+  - 2.3.3
+  - 2.4.1
 gemfile:
-  - gemfiles/rails_23.gemfile
-  - gemfiles/rails_30.gemfile
-  - gemfiles/rails_31.gemfile
-  - gemfiles/rails_32.gemfile
   - gemfiles/rails_4.gemfile
   - gemfiles/rails_41.gemfile
   - gemfiles/rails_42.gemfile
   - gemfiles/rails_5.gemfile
+  - gemfiles/rails_51.gemfile
 env:
   - TEST_SUITE=rake
 
+before_install:
+  - gem update bundler
+
 script:
   - bundle exec $TEST_SUITE
 
 matrix:
   exclude:
-    - rvm: 1.8.7-p374
-      gemfile: gemfiles/rails_4.gemfile
-    - rvm: 1.8.7-p374
-      gemfile: gemfiles/rails_41.gemfile
-    - rvm: 1.8.7-p374
-      gemfile: gemfiles/rails_42.gemfile
-    - rvm: 1.8.7-p374
-      gemfile: gemfiles/rails_5.gemfile
-    - rvm: 1.9.3
-      gemfile: gemfiles/rails_5.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/rails_23.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/rails_30.gemfile
-    - rvm: 2.1.9
-      gemfile: gemfiles/rails_31.gemfile
     - rvm: 2.1.9
       gemfile: gemfiles/rails_5.gemfile
-    - rvm: 2.2.5
-      gemfile: gemfiles/rails_23.gemfile
-    - rvm: 2.2.5
-      gemfile: gemfiles/rails_30.gemfile
-    - rvm: 2.2.5
-      gemfile: gemfiles/rails_31.gemfile
-    - rvm: 2.2.5
-      gemfile: gemfiles/rails_32.gemfile
-    - rvm: 2.3.1
-      gemfile: gemfiles/rails_23.gemfile
-    - rvm: 2.3.1
-      gemfile: gemfiles/rails_30.gemfile
-    - rvm: 2.3.1
-      gemfile: gemfiles/rails_31.gemfile
-    - rvm: 2.3.1
-      gemfile: gemfiles/rails_32.gemfile
+    - rvm: 2.1.9
+      gemfile: gemfiles/rails_51.gemfile
   include:
-    - rvm: 2.3.1
+    - rvm: 2.4.1
       gemfile: gemfiles/rails_5.gemfile
       env: TEST_SUITE="rubocop lib/ spec/"
 

data/Appraisals

@@ -1,49 +1,23 @@
-appraise "rails-42" do
-  gem "actionpack", "~> 4.2.0"
-  gem "activeresource", "~> 4.0.0"
-  gem "activesupport", "~> 4.2.0"
+appraise 'rails-5' do
+  gem 'actionpack', '~> 5.0.2'
+  gem 'activeresource', '~> 5.0.2'
+  gem 'activesupport', '~> 5.0.2'
 end
 
-appraise "rails-41" do
-  gem "actionpack", "~> 4.1.0"
-  gem "activeresource", "~> 4.0.0"
-  gem "activesupport", "~> 4.1.0"
+appraise 'rails-42' do
+  gem 'actionpack', '~> 4.2.0'
+  gem 'activeresource', '~> 4.0.0'
+  gem 'activesupport', '~> 4.2.0'
 end
 
-appraise "rails-4" do
-  gem "actionpack", "~> 4.0.4"
-  gem "activeresource", "~> 4.0.0"
-  gem "activesupport", "~> 4.0.4"
+appraise 'rails-41' do
+  gem 'actionpack', '~> 4.1.0'
+  gem 'activeresource', '~> 4.0.0'
+  gem 'activesupport', '~> 4.1.0'
 end
 
-appraise "rails-32" do
-  gem "actionpack", "~> 3.2.17"
-  gem "activeresource", "~> 3.2.17"
-  gem "activesupport", "~> 3.2.17"
-  gem "httpi", "< 2.3"
-  gem "i18n", "< 0.7.0"
-  gem "rack-cache", "< 1.3"
-end
-
-appraise "rails-31" do
-  gem "actionpack", "~> 3.1.0"
-  gem "activeresource", "~> 3.1.0"
-  gem "activesupport", "~> 3.1.0"
-  gem "httpi", "< 2.3"
-  gem "i18n", "< 0.7.0"
-  gem "rack-cache", "< 1.3"
-end
-
-appraise "rails-30" do
-  gem "actionpack", "~> 3.0.20"
-  gem "activeresource", "~> 3.0.20"
-  gem "activesupport", "~> 3.0.20"
-  gem "httpi", "< 2.3"
-end
-
-appraise "rails-23" do
-  gem "actionpack", "~> 2.3.2"
-  gem "activeresource", "~> 2.3.2"
-  gem "activesupport", "~> 2.3.2"
-  gem "httpi", "< 2.3"
+appraise 'rails-4' do
+  gem 'actionpack', '~> 4.0.4'
+  gem 'activeresource', '~> 4.0.0'
+  gem 'activesupport', '~> 4.0.4'
 end

data/Gemfile

@@ -1,7 +1,4 @@
 source 'https://rubygems.org'
 gemspec
 
-gem 'rake', '< 11.0', :platforms => :ruby_18
-gem 'tins', '< 1.7',  :platforms => :ruby_19 # amatch dependency
-
-gem 'rubocop', :platforms => [:ruby_19, :ruby_20, :ruby_21, :ruby_22, :ruby_23]
+gem 'rubocop', platforms: %i[ruby_20 ruby_21 ruby_22 ruby_23 ruby_24]

data/README.md

@@ -2,8 +2,6 @@
 
 [![Build Status](https://travis-ci.org/mgomes/api_auth.png?branch=master)](https://travis-ci.org/mgomes/api_auth)
 
-## IMPORTANT: v2.0.0 is backwards incompatible with the default settings of v1.x to address a security vulnerability. See [CHANGELOG.md](/CHANGELOG.md) for security update information.
-
 Logins and passwords are for humans. Communication between applications need to
 be protected through different means.
 
@@ -51,6 +49,14 @@ minutes in order to avoid replay attacks.
 * [HMAC algorithm](http://en.wikipedia.org/wiki/HMAC)
 * [RFC 2104 (HMAC)](http://tools.ietf.org/html/rfc2104)
 
+## Requirement
+
+v3.X require Ruby 2.X and if you use Rails at least Rails 4.0.
+
+For older version of Ruby or Rails, please use ApiAuth v2.X.
+
+**IMPORTANT: v2.0.0 is backwards incompatible with the default settings of v1.x to address a security vulnerability. See [CHANGELOG.md](/CHANGELOG.md) for security update information.**
+
 ## Install
 
 The gem doesn't have any dependencies outside of having a working OpenSSL
@@ -72,6 +78,7 @@ Here is the current list of supported request objects:
 * Curb (Curl::Easy)
 * RestClient
 * Faraday
+* HTTParty
 * Httpi
 
 ### HTTP Client Objects
@@ -171,7 +178,7 @@ To validate whether or not a request is authentic:
 ```
 
 The `authentic?` method uses the digest specified in the `Authorization` header.
-For exemple SHA256 for:
+For example SHA256 for:
 
     Authorization = APIAuth-HMAC-SHA256 'client access id':'signature'
 
@@ -183,6 +190,17 @@ If you want to force the usage of another digest method, you should pass it as a
     ApiAuth.authentic?(signed_request, secret_key, :digest => 'sha256')
 ```
 
+For security, requests dated older or newer than a certain timespan are considered inauthentic.
+
+This prevents old requests from being reused in replay attacks, and also ensures requests
+can't be dated into the far future.
+
+The default span is 15 minutes, but you can override this:
+
+```ruby
+    ApiAuth.authentic?(signed_request, secret_key, :clock_skew => 60) # or 1.minute in ActiveSupport
+```
+
 If your server is a Rails app, the signed request will be the `request` object.
 
 In order to obtain the secret key for the client, you first need to look up the
@@ -217,7 +235,13 @@ take care of all that for you.
 
 To run the tests:
 
-    rake spec
+Install the dependencies for a particular Rails version by specifying a gemfile in `gemfiles` directory:
+
+    BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle install
+
+Run the tests with those dependencies:
+
+    BUNDLE_GEMFILE=gemfiles/rails_5.gemfile bundle exec rake
 
 If you'd like to add support for additional HTTP clients, check out the already
 implemented drivers in `lib/api_auth/request_drivers` for reference. All of

data/Rakefile

@@ -10,4 +10,4 @@ RSpec::Core::RakeTask.new(:spec) do |spec|
   spec.pattern = FileList['spec/**/*_spec.rb']
 end
 
-task :default => :spec
+task default: :spec

data/VERSION

@@ -1 +1 @@
-2.1.0
+2.2.0

data/api_auth.gemspec

@@ -1,11 +1,10 @@
-# -*- encoding: utf-8 -*-
-$:.push File.expand_path('../lib', __FILE__)
+$LOAD_PATH.push File.expand_path('../lib', __FILE__)
 
 Gem::Specification.new do |s|
-  s.name = %q{api-auth}
-  s.summary = %q{Simple HMAC authentication for your APIs}
-  s.description = %q{Full HMAC auth implementation for use in your gems and Rails apps.}
-  s.homepage = %q{https://github.com/mgomes/api_auth}
+  s.name = 'api-auth'
+  s.summary = 'Simple HMAC authentication for your APIs'
+  s.description = 'Full HMAC auth implementation for use in your gems and Rails apps.'
+  s.homepage = 'https://github.com/mgomes/api_auth'
   s.version = File.read(File.join(File.dirname(__FILE__), 'VERSION'))
   s.authors = ['Mauricio Gomes']
   s.email = 'mauricio@edge14.com'
@@ -14,15 +13,15 @@ Gem::Specification.new do |s|
   s.add_development_dependency 'rake'
   s.add_development_dependency 'amatch'
   s.add_development_dependency 'rspec', '~> 3.4'
-  s.add_development_dependency 'actionpack', '< 5.0', '> 2.3.2'
-  s.add_development_dependency 'activesupport', '< 5.0', '> 2.3.2'
+  s.add_development_dependency 'actionpack', '< 6.0', '> 4.0'
+  s.add_development_dependency 'activesupport', '< 6.0', '> 4.0'
   s.add_development_dependency 'activeresource', '~> 4.0'
   s.add_development_dependency 'rest-client', '~> 1.6.0'
   s.add_development_dependency 'curb', '~> 0.8.1'
   s.add_development_dependency 'httpi'
-  faraday_version = RUBY_VERSION == '1.8.7' ? '< 0.10' : '>= 0.10'
-  s.add_development_dependency 'faraday', faraday_version
+  s.add_development_dependency 'faraday', '>= 0.10'
   s.add_development_dependency 'multipart-post', '~> 2.0'
+  s.add_development_dependency 'httparty', '~> 0.13.0'
 
   s.files         = `git ls-files`.split("\n")
   s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")

data/gemfiles/rails_5.gemfile

@@ -2,9 +2,9 @@
 
 source "https://rubygems.org"
 
-gem "actionpack", "~> 5.0.0"
+gem "actionpack", "~> 5.0.2"
 gem "activeresource", "~> 5.0.0", git: 'https://github.com/rails/activeresource.git'
-gem "activesupport", "~> 5.0.0"
+gem "activesupport", "~> 5.0.2"
 
 gem "rubocop"
 

data/gemfiles/rails_51.gemfile

@@ -0,0 +1,9 @@
+# This file was generated by Appraisal
+
+source "https://rubygems.org"
+
+gem "actionpack", "~> 5.1.1"
+gem "activeresource", "~> 5.0.0", git: 'https://github.com/rails/activeresource.git'
+gem "activesupport", "~> 5.1.1"
+
+gemspec :path => "../"

data/lib/api_auth/base.rb

@@ -1,4 +1,3 @@
-# encoding: UTF-8
 # api-auth is a Ruby gem designed to be used both in your client and server
 # HTTP-based applications. It implements the same authentication methods (HMAC)
 # used by Amazon Web Services.
@@ -21,7 +20,7 @@ module ApiAuth
     #
     # secret_key: assigned secret key that is known to both parties
     def sign!(request, access_id, secret_key, options = {})
-      options = { :override_http_method => nil, :digest => 'sha1' }.merge(options)
+      options = { override_http_method: nil, digest: 'sha1' }.merge(options)
       headers = Headers.new(request)
       headers.calculate_md5
       headers.set_date
@@ -33,15 +32,18 @@ module ApiAuth
     def authentic?(request, secret_key, options = {})
       return false if secret_key.nil?
 
-      options = { :override_http_method => nil }.merge(options)
+      options = { override_http_method: nil }.merge(options)
 
       headers = Headers.new(request)
 
+      # 900 seconds is 15 minutes
+      clock_skew = options.fetch(:clock_skew, 900)
+
       if headers.md5_mismatch?
         false
       elsif !signatures_match?(headers, secret_key, options)
         false
-      elsif !request_within_time_window?(headers)
+      elsif !request_within_time_window?(headers, clock_skew)
         false
       else
         true
@@ -71,11 +73,9 @@ module ApiAuth
 
     AUTH_HEADER_PATTERN = /APIAuth(?:-HMAC-(MD5|SHA(?:1|224|256|384|512)?))? ([^:]+):(.+)$/
 
-    def request_within_time_window?(headers)
-      # 900 seconds is 15 minutes
-
-      Time.httpdate(headers.timestamp).utc > (Time.now.utc - 900) &&
-        Time.httpdate(headers.timestamp).utc < (Time.now.utc + 900)
+    def request_within_time_window?(headers, clock_skew)
+      Time.httpdate(headers.timestamp).utc > (Time.now.utc - clock_skew) &&
+        Time.httpdate(headers.timestamp).utc < (Time.now.utc + clock_skew)
     rescue ArgumentError
       false
     end
@@ -87,7 +87,7 @@ module ApiAuth
       digest = match_data[1].nil? ? 'SHA1' : match_data[1].upcase
       raise InvalidRequestDigest if !options[:digest].nil? && !options[:digest].casecmp(digest).zero?
 
-      options = { :digest => digest }.merge(options)
+      options = { digest: digest }.merge(options)
 
       header_sig = match_data[3]
       calculated_sig = hmac_signature(headers, secret_key, options)

data/lib/api_auth/headers.rb

@@ -57,7 +57,7 @@ module ApiAuth
       [request_method.upcase,
        @request.content_type,
        @request.content_md5,
-       parse_uri(@request.request_uri),
+       parse_uri(@request.original_uri || @request.request_uri),
        @request.timestamp].join(',')
     end
 
@@ -67,15 +67,15 @@ module ApiAuth
     end
 
     def set_date
-      @request.set_date if @request.timestamp.empty?
+      @request.set_date if @request.timestamp.nil?
     end
 
     def calculate_md5
-      @request.populate_content_md5 if @request.content_md5.empty?
+      @request.populate_content_md5 if @request.content_md5.nil?
     end
 
     def md5_mismatch?
-      if @request.content_md5.empty?
+      if @request.content_md5.nil?
         false
       else
         @request.md5_mismatch?
@@ -93,12 +93,12 @@ module ApiAuth
 
     private
 
-    URI_WITHOUT_HOST_REGEXP = %r{https?://[^,?/]*}
-
     def parse_uri(uri)
-      uri_without_host = uri.gsub(URI_WITHOUT_HOST_REGEXP, '')
-      return '/' if uri_without_host.empty?
-      uri_without_host
+      parsed_uri = URI.parse(uri)
+
+      return parsed_uri.request_uri if parsed_uri.respond_to?(:request_uri)
+
+      uri.empty? ? '/' : uri
     end
   end
 end