pusher-signature 0.1.8

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: d5da8362f6b4bc56675ed04e37fd83224c0c559e
+  data.tar.gz: 998d3fe87151b510e506dc169217be6c9ead9d96
+SHA512:
+  metadata.gz: e978ecc1590582051b005131501bb3a023eaaff387409ff04d63b4290b59b6c158d2bda092da0da22d3336d97204f96b25b8bb42c84872a369df5a044d2f4988
+  data.tar.gz: 65d3754c8ed90c2dd0bcb9945215ed07a60777f95ac8f01aeae6a09f5de56393f2026ec5b74389b02a3e33e9b236fb5762ac0ec1c5f6287b841b683ec00ddd21

data/.gitignore

@@ -0,0 +1,23 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC
+.rbx
+.rspec

data/.travis.yml

@@ -0,0 +1,18 @@
+language: ruby
+rvm:
+  - 1.8.7
+  - 1.9.2
+  - 1.9.3
+  - 2.0.0
+  - jruby-18mode
+  - jruby-19mode
+  - rbx-18mode
+  - rbx-19mode
+matrix:
+  allow_failures:
+    - rvm: jruby-18mode
+    - rvm: jruby-19mode
+    - rvm: rbx-18mode
+    - rvm: rbx-19mode
+
+script: bundle exec rspec spec

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+
+0.1.8 / 2015-01-16
+==================
+
+  * SECURITY: Perform constant time string comparison when validating signatures

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,35 @@
+PATH
+  remote: .
+  specs:
+    pusher-signature (0.1.8)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    bacon (1.2.0)
+    diff-lcs (1.2.5)
+    em-spec (0.2.6)
+      bacon
+      eventmachine
+      rspec (> 2.6.0)
+      test-unit
+    eventmachine (1.0.8)
+    power_assert (0.2.4)
+    rspec (2.13.0)
+      rspec-core (~> 2.13.0)
+      rspec-expectations (~> 2.13.0)
+      rspec-mocks (~> 2.13.0)
+    rspec-core (2.13.1)
+    rspec-expectations (2.13.0)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.13.1)
+    test-unit (3.1.4)
+      power_assert
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  em-spec (= 0.2.6)
+  pusher-signature!
+  rspec (= 2.13.0)

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2010 Martyn Loughran, 2015 Pusher Ltd
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,67 @@
+pusher-signature
+=========
+
+[![Build Status](https://secure.travis-ci.org/pusher/pusher-signature.png?branch=master)](http://travis-ci.org/pusher/pusher-signature)
+
+This gem is a fork of the [signature](https://github.com/mloughran/signature) gem, written by [Martyn Loughran](https://github.com/mloughran). It has now been released as a separate gem to resolve namespace collisions.
+
+Examples
+--------
+
+Client example
+
+```ruby
+params       = {:some => 'parameters'}
+token        = Pusher::Signature::Token.new('my_key', 'my_secret')
+request      = Pusher::Signature::Request.new('POST', '/api/thing', params)
+auth_hash    = request.sign(token)
+query_params = params.merge(auth_hash)
+
+HTTParty.post('http://myservice/api/thing', {
+  :body => query_params
+})
+```
+
+`query_params` looks like:
+
+```ruby
+{
+  :some           => "parameters",
+  :auth_timestamp => 1273231888,
+  :auth_signature => "28b6bb0f242f71064916fad6ae463fe91f5adc302222dfc02c348ae1941eaf80",
+  :auth_version   => "1.0",
+  :auth_key       => "my_key"
+}
+
+```
+Server example (sinatra)
+
+```ruby
+error Pusher::Signature::AuthenticationError do |controller|
+  error = controller.env["sinatra.error"]
+  halt 401, "401 UNAUTHORIZED: #{error.message}\n"
+end
+
+post '/api/thing' do
+  request = Pusher::Signature::Request.new('POST', env["REQUEST_PATH"], params)
+  # This will raise a Signature::AuthenticationError if request does not authenticate
+  token = request.authenticate do |key|
+    Pusher::Signature::Token.new(key, lookup_secret(key))
+  end
+
+  # Do whatever you need to do
+end
+```
+
+Developing
+----------
+
+    bundle
+    bundle exec rspec spec/*_spec.rb
+
+Please see the travis status for a list of rubies tested against
+
+Copyright
+---------
+
+Copyright (c) 2010 Martyn Loughran, 2015 Pusher Ltd. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks

data/lib/pusher-signature.rb

@@ -0,0 +1 @@
+require 'pusher/signature'

data/lib/pusher/signature.rb

@@ -0,0 +1,234 @@
+require 'openssl'
+
+require 'pusher/signature/query_encoder'
+
+module Pusher
+  module Signature
+    class AuthenticationError < RuntimeError; end
+
+    class Token
+      attr_reader :key, :secret
+
+      def initialize(key, secret)
+        @key, @secret = key, secret
+      end
+
+      def sign(request)
+        request.sign(self)
+      end
+    end
+
+    class Request
+      attr_accessor :path, :query_hash
+
+      include QueryEncoder
+
+      # http://www.w3.org/TR/NOTE-datetime
+      ISO8601 = "%Y-%m-%dT%H:%M:%SZ"
+
+      def initialize(method, path, query)
+        raise ArgumentError, "Expected string" unless path.kind_of?(String)
+        raise ArgumentError, "Expected hash" unless query.kind_of?(Hash)
+
+        query_hash = {}
+        auth_hash = {}
+        query.each do |key, v|
+          k = key.to_s.downcase
+          k[0..4] == 'auth_' ? auth_hash[k] = v : query_hash[k] = v
+        end
+
+        @method = method.upcase
+        @path, @query_hash, @auth_hash = path, query_hash, auth_hash
+        @signed = false
+      end
+
+      # Sign the request with the given token, and return the computed
+      # authentication parameters
+      #
+      def sign(token)
+        @auth_hash = {
+          :auth_version => "1.0",
+          :auth_key => token.key,
+          :auth_timestamp => Time.now.to_i.to_s
+        }
+        @auth_hash[:auth_signature] = signature(token)
+
+        @signed = true
+
+        return @auth_hash
+      end
+
+      # Authenticates the request with a token
+      #
+      # Raises an AuthenticationError if the request is invalid.
+      # AuthenticationError exception messages are designed to be exposed to API
+      # consumers, and should help them correct errors generating signatures
+      #
+      # Timestamp: Unless timestamp_grace is set to nil (which allows this check
+      # to be skipped), AuthenticationError will be raised if the timestamp is
+      # missing or further than timestamp_grace period away from the real time
+      # (defaults to 10 minutes)
+      #
+      # Signature: Raises AuthenticationError if the signature does not match
+      # the computed HMAC. The error contains a hint for how to sign.
+      #
+      def authenticate_by_token!(token, timestamp_grace = 600)
+        # Validate that your code has provided a valid token. This does not
+        # raise an AuthenticationError since passing tokens with empty secret is
+        # a code error which should be fixed, not reported to the API's consumer
+        if token.secret.nil? || token.secret.empty?
+          raise "Provided token is missing secret"
+        end
+
+        validate_version!
+        validate_timestamp!(timestamp_grace)
+        validate_signature!(token)
+        true
+      end
+
+      # Authenticate the request with a token, but rather than raising an
+      # exception if the request is invalid, simply returns false
+      #
+      def authenticate_by_token(token, timestamp_grace = 600)
+        authenticate_by_token!(token, timestamp_grace)
+      rescue AuthenticationError
+        false
+      end
+
+      # Authenticate a request
+      #
+      # Takes a block which will be called with the auth_key from the request,
+      # and which should return a Signature::Token (or nil if no token can be
+      # found for the key)
+      #
+      # Raises errors in the same way as authenticate_by_token!
+      #
+      def authenticate(timestamp_grace = 600)
+        raise ArgumentError, "Block required" unless block_given?
+        key = @auth_hash['auth_key']
+        raise AuthenticationError, "Missing parameter: auth_key" unless key
+        token = yield key
+        unless token
+          raise AuthenticationError, "Unknown auth_key"
+        end
+        authenticate_by_token!(token, timestamp_grace)
+        return token
+      end
+
+      # Authenticate a request asynchronously
+      #
+      # This method is useful it you're running a server inside eventmachine and
+      # need to lookup the token asynchronously.
+      #
+      # The block is passed an auth key and a deferrable which should succeed
+      # with the token, or fail if the token cannot be found
+      #
+      # This method returns a deferrable which succeeds with the valid token, or
+      # fails with an AuthenticationError which can be used to pass the error
+      # back to the user
+      #
+      def authenticate_async(timestamp_grace = 600)
+        raise ArgumentError, "Block required" unless block_given?
+        df = EM::DefaultDeferrable.new
+
+        key = @auth_hash['auth_key']
+
+        unless key
+          df.fail(AuthenticationError.new("Missing parameter: auth_key"))
+          return
+        end
+
+        token_df = yield key
+        token_df.callback { |token|
+          begin
+            authenticate_by_token!(token, timestamp_grace)
+            df.succeed(token)
+          rescue AuthenticationError => e
+            df.fail(e)
+          end
+        }
+        token_df.errback {
+          df.fail(AuthenticationError.new("Unknown auth_key"))
+        }
+      ensure
+        return df
+      end
+
+      # Expose the authentication parameters for a signed request
+      #
+      def auth_hash
+        raise "Request not signed" unless @signed
+        @auth_hash
+      end
+
+      # Query parameters merged with the computed authentication parameters
+      #
+      def signed_params
+        @query_hash.merge(auth_hash)
+      end
+
+      private
+
+        def signature(token)
+          digest = OpenSSL::Digest::SHA256.new
+          OpenSSL::HMAC.hexdigest(digest, token.secret, string_to_sign)
+        end
+
+        def string_to_sign
+          [@method, @path, parameter_string].join("\n")
+        end
+
+        def parameter_string
+          param_hash = @query_hash.merge(@auth_hash || {})
+
+          # Convert keys to lowercase strings
+          hash = {}; param_hash.each { |k,v| hash[k.to_s.downcase] = v }
+
+          # Exclude signature from signature generation!
+          hash.delete("auth_signature")
+
+          hash.sort.map do |k, v|
+            QueryEncoder.encode_param_without_escaping(k, v)
+          end.join('&')
+        end
+
+        def validate_version!
+          version = @auth_hash["auth_version"]
+          raise AuthenticationError, "Version required" unless version
+          raise AuthenticationError, "Version not supported" unless version == '1.0'
+        end
+
+        def validate_timestamp!(grace)
+          return true if grace.nil?
+
+          timestamp = @auth_hash["auth_timestamp"]
+          error = (timestamp.to_i - Time.now.to_i).abs
+          raise AuthenticationError, "Timestamp required" unless timestamp
+          if error >= grace
+            raise AuthenticationError, "Timestamp expired: Given timestamp "\
+              "(#{Time.at(timestamp.to_i).utc.strftime(ISO8601)}) "\
+              "not within #{grace}s of server time "\
+              "(#{Time.now.utc.strftime(ISO8601)})"
+          end
+          return true
+        end
+
+        def validate_signature!(token)
+          unless identical? @auth_hash["auth_signature"], signature(token)
+            raise AuthenticationError, "Invalid signature: you should have "\
+              "sent HmacSHA256Hex(#{string_to_sign.inspect}, your_secret_key)"\
+              ", but you sent #{@auth_hash["auth_signature"].inspect}"
+          end
+          return true
+        end
+
+        # Constant time string comparison
+        def identical?(a, b)
+          return true if a.nil? && b.nil?
+          return false if a.nil? || b.nil?
+          return false unless a.bytesize == b.bytesize
+          a.bytes.zip(b.bytes).reduce(0) { |memo, (a, b)| memo += a ^ b } == 0
+        end
+    end
+  end
+end

data/lib/pusher/signature/query_encoder.rb

@@ -0,0 +1,49 @@
+module Pusher
+  module Signature
+    # Query string encoding extracted with thanks from em-http-request
+    module QueryEncoder
+      class << self
+        # URL encodes query parameters:
+        # single k=v, or a URL encoded array, if v is an array of values
+        def encode_param(k, v)
+          if v.is_a?(Array)
+            v.map { |e| escape(k) + "[]=" + escape(e) }.join("&")
+          else
+            escape(k) + "=" + escape(v)
+          end
+        end
+
+        # Like encode_param, but doesn't url escape keys or values
+        def encode_param_without_escaping(k, v)
+          if v.is_a?(Array)
+            v.map { |e| k + "[]=" + e }.join("&")
+          else
+            "#{k}=#{v}"
+          end
+        end
+
+        private
+
+        def escape(s)
+          if defined?(EscapeUtils)
+            EscapeUtils.escape_url(s.to_s)
+          else
+            s.to_s.gsub(/([^a-zA-Z0-9_.-]+)/n) {
+              '%'+$1.unpack('H2'*bytesize($1)).join('%').upcase
+            }
+          end
+        end
+
+        if ''.respond_to?(:bytesize)
+          def bytesize(string)
+            string.bytesize
+          end
+        else
+          def bytesize(string)
+            string.size
+          end
+        end
+      end
+    end
+  end
+end

data/lib/pusher/signature/version.rb

@@ -0,0 +1,5 @@
+module Pusher
+  module Signature
+    VERSION = "0.1.8"
+  end
+end

data/pusher-signature.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "pusher/signature/version"
+
+Gem::Specification.new do |s|
+  s.name        = "pusher-signature"
+  s.version     = Pusher::Signature::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Martyn Loughran", "Pusher Ltd"]
+  s.email       = ["me@mloughran.com", "support@pusher.com"]
+  s.homepage    = "http://github.com/pusher/pusher-signature"
+  s.summary     = %q{Simple key/secret based authentication for apis}
+  s.description = %q{Simple key/secret based authentication for apis}
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+  s.license = 'MIT'
+
+  s.add_dependency "jruby-openssl" if defined?(JRUBY_VERSION)
+  s.add_development_dependency "rspec", "= 2.13.0"
+  s.add_development_dependency "em-spec", "= 0.2.6"
+end

data/spec/signature_spec.rb

@@ -0,0 +1,285 @@
+require File.expand_path('../spec_helper', __FILE__)
+
+describe Pusher::Signature do
+  before :each do
+    Time.stub!(:now).and_return(Time.at(1234))
+
+    @token = Pusher::Signature::Token.new('key', 'secret')
+
+    @request = Pusher::Signature::Request.new('POST', '/some/path', {
+      "query" => "params",
+      "go" => "here"
+    })
+  end
+
+  describe "generating signatures" do
+    before :each do
+      @signature = "3b237953a5ba6619875cbb2a2d43e8da9ef5824e8a2c689f6284ac85bc1ea0db"
+    end
+
+    it "should generate signature correctly" do
+      @request.sign(@token)
+      string = @request.send(:string_to_sign)
+      string.should == "POST\n/some/path\nauth_key=key&auth_timestamp=1234&auth_version=1.0&go=here&query=params"
+
+      digest = OpenSSL::Digest::SHA256.new
+      signature = OpenSSL::HMAC.hexdigest(digest, @token.secret, string)
+      signature.should == @signature
+    end
+
+    it "should make auth_hash available after request is signed" do
+      @request.query_hash = {
+        "query" => "params"
+      }
+      lambda {
+        @request.auth_hash
+      }.should raise_error('Request not signed')
+
+      @request.sign(@token)
+      @request.auth_hash.should == {
+        :auth_signature => "da078fcedd72941b6c873caa40d0d6b2000ebfc700cee802b128dd20f72e74e9",
+        :auth_version => "1.0",
+        :auth_key => "key",
+        :auth_timestamp => '1234'
+      }
+    end
+
+    it "should cope with symbol keys" do
+      @request.query_hash = {
+        :query => "params",
+        :go => "here"
+      }
+      @request.sign(@token)[:auth_signature].should == @signature
+    end
+
+    it "should cope with upcase keys (keys are lowercased before signing)" do
+      @request.query_hash = {
+        "Query" => "params",
+        "GO" => "here"
+      }
+      @request.sign(@token)[:auth_signature].should == @signature
+    end
+
+    it "should generate correct string when query hash contains array" do
+      @request.query_hash = {
+        "things" => ["thing1", "thing2"]
+      }
+      @request.send(:string_to_sign).should == "POST\n/some/path\nthings[]=thing1&things[]=thing2"
+    end
+
+    # This may well change in auth version 2
+    it "should not escape keys or values in the query string" do
+      @request.query_hash = {
+        "key;" => "value@"
+      }
+      @request.send(:string_to_sign).should == "POST\n/some/path\nkey;=value@"
+    end
+
+    it "should cope with requests where the value is nil (antiregression)" do
+      @request.query_hash = {
+        "key" => nil
+      }
+      @request.send(:string_to_sign).should == "POST\n/some/path\nkey="
+    end
+
+    it "should use the path to generate signature" do
+      @request.path = '/some/other/path'
+      @request.sign(@token)[:auth_signature].should_not == @signature
+    end
+
+    it "should use the query string keys to generate signature" do
+      @request.query_hash = {
+        "other" => "query"
+      }
+      @request.sign(@token)[:auth_signature].should_not == @signature
+    end
+
+    it "should use the query string values to generate signature" do
+      @request.query_hash = {
+        "key" => "notfoo",
+        "other" => 'bar'
+      }
+      @request.sign(@token)[:signature].should_not == @signature
+    end
+  end
+
+  describe "verification" do
+    before :each do
+      @request.sign(@token)
+      @params = @request.signed_params
+    end
+
+    it "should verify requests" do
+      request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+      request.authenticate_by_token(@token).should == true
+    end
+
+    it "should raise error if signature is not correct" do
+      @params[:auth_signature] =  'asdf'
+      request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Invalid signature: you should have sent HmacSHA256Hex("POST\n/some/path\nauth_key=key&auth_timestamp=1234&auth_version=1.0&go=here&query=params", your_secret_key), but you sent "asdf"')
+    end
+
+    it "should raise error if timestamp not available" do
+      @params.delete(:auth_timestamp)
+      request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Timestamp required')
+    end
+
+    it "should raise error if timestamp has expired (default of 600s)" do
+      request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+      Time.stub!(:now).and_return(Time.at(1234 + 599))
+      request.authenticate_by_token!(@token).should == true
+      Time.stub!(:now).and_return(Time.at(1234 - 599))
+      request.authenticate_by_token!(@token).should == true
+      Time.stub!(:now).and_return(Time.at(1234 + 600))
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error("Timestamp expired: Given timestamp (1970-01-01T00:20:34Z) not within 600s of server time (1970-01-01T00:30:34Z)")
+      Time.stub!(:now).and_return(Time.at(1234 - 600))
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error("Timestamp expired: Given timestamp (1970-01-01T00:20:34Z) not within 600s of server time (1970-01-01T00:10:34Z)")
+    end
+
+    it "should be possible to customize the timeout grace period" do
+      grace = 10
+      request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+      Time.stub!(:now).and_return(Time.at(1234 + grace - 1))
+      request.authenticate_by_token!(@token, grace).should == true
+      Time.stub!(:now).and_return(Time.at(1234 + grace))
+      lambda {
+        request.authenticate_by_token!(@token, grace)
+      }.should raise_error("Timestamp expired: Given timestamp (1970-01-01T00:20:34Z) not within 10s of server time (1970-01-01T00:20:44Z)")
+    end
+
+    it "should be possible to skip timestamp check by passing nil" do
+      request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+      Time.stub!(:now).and_return(Time.at(1234 + 1000))
+      request.authenticate_by_token!(@token, nil).should == true
+    end
+
+    it "should check that auth_version is supplied" do
+      @params.delete(:auth_version)
+      request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Version required')
+    end
+
+    it "should check that auth_version equals 1.0" do
+      @params[:auth_version] = '1.1'
+      request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+      lambda {
+        request.authenticate_by_token!(@token)
+      }.should raise_error('Version not supported')
+    end
+
+    it "should validate that the provided token has a non-empty secret" do
+      token = Pusher::Signature::Token.new('key', '')
+      request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+
+      lambda {
+        request.authenticate_by_token!(token)
+      }.should raise_error('Provided token is missing secret')
+    end
+
+    describe "when used with optional block" do
+      it "should optionally take a block which yields the signature" do
+        request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+        request.authenticate do |key|
+          key.should == @token.key
+          @token
+        end.should == @token
+      end
+
+      it "should raise error if no auth_key supplied to request" do
+        @params.delete(:auth_key)
+        request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+        lambda {
+          request.authenticate { |key| nil }
+        }.should raise_error('Missing parameter: auth_key')
+      end
+
+      it "should raise error if block returns nil (i.e. key doesn't exist)" do
+        request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+        lambda {
+          request.authenticate { |key| nil }
+        }.should raise_error('Unknown auth_key')
+      end
+
+      it "should raise unless block given" do
+        request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+        lambda {
+          request.authenticate
+        }.should raise_error(ArgumentError, "Block required")
+      end
+    end
+
+    describe "authenticate_async" do
+      include EM::SpecHelper
+      default_timeout 1
+
+      it "returns a deferrable which succeeds if authentication passes" do
+        request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+        em {
+          df = EM::DefaultDeferrable.new
+
+          request_df = request.authenticate_async do |key|
+            df
+          end
+
+          df.succeed(@token)
+
+          request_df.callback { |token|
+            token.should == @token
+            done
+          }
+        }
+      end
+
+      it "returns a deferrable which fails if block df fails" do
+        request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+        em {
+          df = EM::DefaultDeferrable.new
+
+          request_df = request.authenticate_async do |key|
+            df
+          end
+
+          df.fail()
+
+          request_df.errback { |e|
+            e.class.should == Pusher::Signature::AuthenticationError
+            e.message.should == 'Unknown auth_key'
+            done
+          }
+        }
+      end
+
+      it "returns a deferrable which fails if request does not validate" do
+        request = Pusher::Signature::Request.new('POST', '/some/path', @params)
+        em {
+          df = EM::DefaultDeferrable.new
+
+          request_df = request.authenticate_async do |key|
+            df
+          end
+
+          token = Pusher::Signature::Token.new('key', 'wrong_secret')
+          df.succeed(token)
+
+          request_df.errback { |e|
+            e.class.should == Pusher::Signature::AuthenticationError
+            e.message.should =~ /Invalid signature/
+            done
+          }
+        }
+      end
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,9 @@
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'pusher-signature'
+
+require 'rspec'
+require 'em-spec/rspec'
+
+RSpec.configure do |config|
+
+end

metadata

@@ -0,0 +1,91 @@
+--- !ruby/object:Gem::Specification
+name: pusher-signature
+version: !ruby/object:Gem::Version
+  version: 0.1.8
+platform: ruby
+authors:
+- Martyn Loughran
+- Pusher Ltd
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-09-29 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.13.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.13.0
+- !ruby/object:Gem::Dependency
+  name: em-spec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.2.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.2.6
+description: Simple key/secret based authentication for apis
+email:
+- me@mloughran.com
+- support@pusher.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- CHANGELOG.md
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- lib/pusher-signature.rb
+- lib/pusher/signature.rb
+- lib/pusher/signature/query_encoder.rb
+- lib/pusher/signature/version.rb
+- pusher-signature.gemspec
+- spec/signature_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/pusher/pusher-signature
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.8
+signing_key: 
+specification_version: 4
+summary: Simple key/secret based authentication for apis
+test_files:
+- spec/signature_spec.rb
+- spec/spec_helper.rb