api-auth 1.3.2 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2cd28f63f509490e9930a666f6825bbfd58b2bb7
-  data.tar.gz: 0c5c85110090293af02dd2c2d2ded29ebf2c1589
+  metadata.gz: 6b4f04ff0b0fdfdc276177e1a225239af93aff34
+  data.tar.gz: 490677e918c7928517f8cb1bb476c5c81a9ac176
 SHA512:
-  metadata.gz: 7bdd120e4c0e769a1ac1e67051f5e69675204e4f511eaece5cb0f967604cf2c2fbea3f44d80b7f8b947fa82e7888b0938e98517be0a3267fab11064de1f782c1
-  data.tar.gz: f12c425faa929ed3aa9ca0fabbcd44d89e4fdd42f65a974df2a35c112a9503b5279a9965c30a6c679d5973a6e43fd47e7717ea66c803733241c1baa29f50f408
+  metadata.gz: cd94a12c5eaaf7b76390fead34de8b6a60644656343b3a3aedbfff4fc1b5eea64777c258b20136a6d1ff3aa2bf0c071c007914c4ad958d2db5684f48cce23e08
+  data.tar.gz: 4ac0b39723cb446470b716d4cd8b06bc111bc88fd85fabf0c9e72a1300b6765c460463f038d9ed59f1d0c838bdcb5d103421e80cc833fba5e673bf43ffdea127

data/.rspec

@@ -1,3 +1,3 @@
 --colour
---format nested
---backtrace
+--format doc
+--backtrace

data/.travis.yml

@@ -1,4 +1,5 @@
 language: ruby
+sudo: false
 rvm:
   - 1.8.7-p374
   - 1.9.3
@@ -11,12 +12,15 @@ gemfile:
   - gemfiles/rails_32.gemfile
   - gemfiles/rails_4.gemfile
   - gemfiles/rails_41.gemfile
+  - gemfiles/rails_42.gemfile
 matrix:
   exclude:
     - rvm: 1.8.7-p374
       gemfile: gemfiles/rails_4.gemfile
     - rvm: 1.8.7-p374
       gemfile: gemfiles/rails_41.gemfile
+    - rvm: 1.8.7-p374
+      gemfile: gemfiles/rails_42.gemfile
     - rvm: 2.1.5
       gemfile: gemfiles/rails_23.gemfile
     - rvm: 2.1.5

data/Appraisals

@@ -1,3 +1,9 @@
+appraise "rails-42" do
+  gem "actionpack", "~> 4.2.0"
+  gem "activeresource", "~> 4.0.0"
+  gem "activesupport", "~> 4.2.0"
+end
+
 appraise "rails-41" do
   gem "actionpack", "~> 4.1.0"
   gem "activeresource", "~> 4.0.0"

data/CHANGELOG.md

@@ -1,3 +1,39 @@
+# 1.4 (2015-12-16)
+
+## IMPORTANT SECURITY FIX (with backwards compatible fallback)
+
+  This version introduces a security fix. In previous versions, the canonical
+  string does not include the http method used to make the request, this means
+  two requests that would otherwise be identical (such as a GET and DELETE)
+  would have the same signature allowing for a MITM to swap one method for
+  another.
+
+  In ApiAuth v1.4 `ApiAuth.authentic?` will allow for requests signed using either
+  the canonical string WITH the http method, or WITHOUT it. `ApiAuth.sign!` will,
+  by default, still sign the request using the canonical string without the
+  method. However, passing in the `:with_http_method => true` option into
+  `ApiAuth.sign?` will cause the request to use the http method as part of the
+  canonical string.
+
+  Example:
+
+  ```ruby
+    ApiAuth.sign!(request, access_id, secret_key, {:with_http_method => true})
+  ```
+
+  This allows for an upgrade strategy that would look like the following.
+
+  1. Update server side code to use ApiAuth v1.4
+  2. Update client side code to use ApiAuth v1.4
+  3. Update all client side code to sign with http method
+  4. Update server side code to ApiAuth v2.0 (removes the ability to authenticate without the http method)
+  5. Update all client side code to ApiAuth v2.0 (forces all signatures to contain the http method)
+
+## Additional changes
+
+  - Performance enhancement: reduce allocation of Headers object (#81 pd)
+  - Performance enhancement: avoid reallocating static Regexps (#82 pd)
+
 # 1.3.2 (2015-08-28)
 - Fixed a bug where some client adapters didn't treat an empty path as
   "/" in the canonical string (#75 managr)

data/Gemfile.lock

@@ -1,75 +1,105 @@
 PATH
   remote: .
   specs:
-    api-auth (1.3.2)
+    api-auth (1.4.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    abstract (1.0.0)
-    actionpack (3.0.20)
-      activemodel (= 3.0.20)
-      activesupport (= 3.0.20)
-      builder (~> 2.1.2)
-      erubis (~> 2.6.6)
-      i18n (~> 0.5.0)
-      rack (~> 1.2.5)
-      rack-mount (~> 0.6.14)
-      rack-test (~> 0.5.7)
-      tzinfo (~> 0.3.23)
-    activemodel (3.0.20)
-      activesupport (= 3.0.20)
-      builder (~> 2.1.2)
-      i18n (~> 0.5.0)
-    activeresource (3.0.20)
-      activemodel (= 3.0.20)
-      activesupport (= 3.0.20)
-    activesupport (3.0.20)
+    actionpack (4.2.5)
+      actionview (= 4.2.5)
+      activesupport (= 4.2.5)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (4.2.5)
+      activesupport (= 4.2.5)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activemodel (4.2.5)
+      activesupport (= 4.2.5)
+      builder (~> 3.1)
+    activeresource (4.0.0)
+      activemodel (~> 4.0)
+      activesupport (~> 4.0)
+      rails-observers (~> 0.1.1)
+    activesupport (4.2.5)
+      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
     amatch (0.2.10)
       tins (~> 0.3)
-    appraisal (0.5.2)
+    appraisal (2.1.0)
       bundler
       rake
-    builder (2.1.2)
+      thor (>= 0.14.0)
+    builder (3.2.2)
     curb (0.8.6)
-    diff-lcs (1.1.3)
-    erubis (2.6.6)
-      abstract (>= 1.0.0)
+    diff-lcs (1.2.5)
+    erubis (2.7.0)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
     httpi (2.1.0)
       rack
       rubyntlm (~> 0.3.2)
-    i18n (0.5.3)
+    i18n (0.7.0)
+    json (1.8.3)
+    loofah (2.0.3)
+      nokogiri (>= 1.5.9)
     mime-types (1.17.2)
+    mini_portile (0.6.2)
+    minitest (5.8.2)
     multipart-post (2.0.0)
-    rack (1.2.8)
-    rack-mount (0.6.14)
-      rack (>= 1.0.0)
-    rack-test (0.5.7)
+    nokogiri (1.6.6.2)
+      mini_portile (~> 0.6.0)
+    rack (1.6.4)
+    rack-test (0.6.3)
       rack (>= 1.0)
-    rake (0.9.2.2)
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.7)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.2)
+      loofah (~> 2.0)
+    rails-observers (0.1.2)
+      activemodel (~> 4.0)
+    rake (10.4.2)
     rest-client (1.6.7)
       mime-types (>= 1.16)
-    rspec (2.4.0)
-      rspec-core (~> 2.4.0)
-      rspec-expectations (~> 2.4.0)
-      rspec-mocks (~> 2.4.0)
-    rspec-core (2.4.0)
-    rspec-expectations (2.4.0)
-      diff-lcs (~> 1.1.2)
-    rspec-mocks (2.4.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.0)
     rubyntlm (0.3.4)
+    thor (0.19.1)
+    thread_safe (0.3.5)
     tins (0.5.5)
-    tzinfo (0.3.39)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  actionpack (~> 3.0.0)
-  activeresource (~> 3.0.0)
-  activesupport (~> 3.0.0)
+  actionpack (> 2.3.2, < 5.0)
+  activeresource (~> 4.0)
+  activesupport (> 2.3.2, < 5.0)
   amatch
   api-auth!
   appraisal
@@ -79,4 +109,7 @@ DEPENDENCIES
   multipart-post (~> 2.0)
   rake
   rest-client (~> 1.6.0)
-  rspec (~> 2.4.0)
+  rspec (~> 3.4)
+
+BUNDLED WITH
+   1.10.6

data/README.md

@@ -2,6 +2,8 @@
 
 [![Build Status](https://travis-ci.org/mgomes/api_auth.png?branch=master)](https://travis-ci.org/mgomes/api_auth)
 
+## IMPORTANT: See [CHANGELOG.md](/CHANGELOG.md) for security update information
+
 Logins and passwords are for humans. Communication between applications need to
 be protected through different means.
 
@@ -25,7 +27,7 @@ content-MD5 are not present, then a blank string is used in their place. If the
 timestamp isn't present, a valid HTTP date is automatically added to the
 request. The canonical string is computed as follows:
 
-    canonical_string = 'content-type,content-MD5,request URI,timestamp'
+    canonical_string = 'http method,content-type,content-MD5,request URI,timestamp'
 
 2. This string is then used to create the signature which is a Base64 encoded
 SHA1 HMAC, using the client's private secret key.
@@ -73,9 +75,7 @@ Here is the current list of supported request objects:
 
 ### HTTP Client Objects
 
-Here's a sample implementation of signing a request created with RestClient. For
-more examples, please check out the ApiAuth Spec where every supported HTTP
-client is tested.
+Here's a sample implementation of signing a request created with RestClient.
 
 Assuming you have a client access id and secret as follows:
 
@@ -107,6 +107,14 @@ request as one of the last steps in building the request to ensure the headers
 don't change after the signing process which would cause the authentication
 check to fail on the server side.
 
+If you are signing a request for a driver that doesn't support automatic http
+method detection (like Curb or httpi), you can pass the http method as an option
+into the sign! method like so:
+
+``` ruby
+    @signed_request = ApiAuth.sign!(@request, @access_id, @secret_key, :override_http_method => "PUT")
+```
+
 ### ActiveResource Clients
 
 ApiAuth can transparently protect your ActiveResource communications with a
@@ -160,16 +168,15 @@ whether or not the request is authentic. Typically, the access id for the client
 will be their record's primary key in the DB that stores the record or some other
 public unique identifier for the client.
 
-Here's a sample method that can be used in a `before_filter` if your server is a
+Here's a sample method that can be used in a `before_action` if your server is a
 Rails app:
 
 ``` ruby
-    before_filter :api_authenticate
+    before_action :api_authenticate
 
     def api_authenticate
       @current_account = Account.find_by_access_id(ApiAuth.access_id(request))
-      return ApiAuth.authentic?(request, @current_account.secret_key) unless @current_account.nil?
-      false
+      head(:unauthorized) unless @current_account && ApiAuth.authentic?(request, @current_account.secret_key)
     end
 ```
 

data/VERSION

@@ -1 +1 @@
-1.3.2
+1.4.0

data/api_auth.gemspec

@@ -13,10 +13,10 @@ Gem::Specification.new do |s|
   s.add_development_dependency "appraisal"
   s.add_development_dependency "rake"
   s.add_development_dependency "amatch"
-  s.add_development_dependency "rspec", "~> 2.4.0"
-  s.add_development_dependency "actionpack", "~> 3.0.0"
-  s.add_development_dependency "activesupport", "~> 3.0.0"
-  s.add_development_dependency "activeresource", "~> 3.0.0"
+  s.add_development_dependency "rspec", "~> 3.4"
+  s.add_development_dependency "actionpack", "< 5.0", "> 2.3.2"
+  s.add_development_dependency "activesupport", "< 5.0", "> 2.3.2"
+  s.add_development_dependency "activeresource", "~> 4.0"
   s.add_development_dependency "rest-client", "~> 1.6.0"
   s.add_development_dependency "curb", "~> 0.8.1"
   s.add_development_dependency "httpi"

data/gemfiles/rails_23.gemfile

@@ -6,4 +6,4 @@ gem "actionpack", "~> 2.3.2"
 gem "activeresource", "~> 2.3.2"
 gem "activesupport", "~> 2.3.2"
 
-gemspec :path=>"../"
+gemspec :path => "../"

data/gemfiles/rails_23.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    api-auth (1.3.2)
+    api-auth (1.4.0)
 
 GEM
   remote: https://rubygems.org/
@@ -19,7 +19,7 @@ GEM
       rake
       thor (>= 0.14.0)
     curb (0.8.6)
-    diff-lcs (1.1.3)
+    diff-lcs (1.2.5)
     faraday (0.9.1)
       multipart-post (>= 1.2, < 3)
     httpi (2.1.0)
@@ -31,14 +31,19 @@ GEM
     rake (10.3.1)
     rest-client (1.6.7)
       mime-types (>= 1.16)
-    rspec (2.4.0)
-      rspec-core (~> 2.4.0)
-      rspec-expectations (~> 2.4.0)
-      rspec-mocks (~> 2.4.0)
-    rspec-core (2.4.0)
-    rspec-expectations (2.4.0)
-      diff-lcs (~> 1.1.2)
-    rspec-mocks (2.4.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.0)
     rubyntlm (0.3.4)
     thor (0.19.1)
     tins (1.3.0)
@@ -59,4 +64,7 @@ DEPENDENCIES
   multipart-post (~> 2.0)
   rake
   rest-client (~> 1.6.0)
-  rspec (~> 2.4.0)
+  rspec (~> 3.4)
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/rails_30.gemfile

@@ -6,4 +6,4 @@ gem "actionpack", "~> 3.0.20"
 gem "activeresource", "~> 3.0.20"
 gem "activesupport", "~> 3.0.20"
 
-gemspec :path=>"../"
+gemspec :path => "../"

data/gemfiles/rails_30.gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ../
   specs:
-    api-auth (1.3.2)
+    api-auth (1.4.0)
 
 GEM
   remote: https://rubygems.org/
@@ -33,7 +33,7 @@ GEM
       thor (>= 0.14.0)
     builder (2.1.2)
     curb (0.8.6)
-    diff-lcs (1.1.3)
+    diff-lcs (1.2.5)
     erubis (2.6.6)
       abstract (>= 1.0.0)
     faraday (0.9.1)
@@ -52,14 +52,19 @@ GEM
     rake (10.3.1)
     rest-client (1.6.7)
       mime-types (>= 1.16)
-    rspec (2.4.0)
-      rspec-core (~> 2.4.0)
-      rspec-expectations (~> 2.4.0)
-      rspec-mocks (~> 2.4.0)
-    rspec-core (2.4.0)
-    rspec-expectations (2.4.0)
-      diff-lcs (~> 1.1.2)
-    rspec-mocks (2.4.0)
+    rspec (3.4.0)
+      rspec-core (~> 3.4.0)
+      rspec-expectations (~> 3.4.0)
+      rspec-mocks (~> 3.4.0)
+    rspec-core (3.4.0)
+      rspec-support (~> 3.4.0)
+    rspec-expectations (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-mocks (3.4.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.4.0)
+    rspec-support (3.4.0)
     rubyntlm (0.3.4)
     thor (0.19.1)
     tins (1.3.0)
@@ -81,4 +86,7 @@ DEPENDENCIES
   multipart-post (~> 2.0)
   rake
   rest-client (~> 1.6.0)
-  rspec (~> 2.4.0)
+  rspec (~> 3.4)
+
+BUNDLED WITH
+   1.10.6