rack-simple_auth 0.0.6 → 0.0.7

checksums.yaml

@@ -1,7 +1,7 @@
---- 
-SHA1: 
-  metadata.gz: 9821660c1ff4703956f11cd39f67f3a09f98a9ad
-  data.tar.gz: 6cab22a6d00d70e62411e28ec042def714c347d3
-SHA512: 
-  metadata.gz: 84068e6c7c66de24a364c6cc607c01ec65ec7d9ade78c8a7d3ab6a720b324084b73a3c0aa472afb7706b4ae510e82f5e8b63c160df94d4bfe1fb526e19eac491
-  data.tar.gz: 4fed2416ba52add9e396e692a12c327d78f238d97fbf9829b496d8ff330e2b55313d3ea78780227b053626a6b1b4ce9f8c85ce371d6d891d8819d64d115152b6
+---
+SHA1:
+  metadata.gz: 20e26bae6761147bd84d107005488530f5ecf65e
+  data.tar.gz: 405bff87cf1a3a7b3df20db785529b8ef89f78da
+SHA512:
+  metadata.gz: 66df96dde2d25ccc0bd4ba392fcb9b28b41f6d43b5a2fca3a1c1710d953fa93295f6623b4db0cdb6f0056fa8e774a0cee51f1987d6eb1fc37ab5fc37a148a50c
+  data.tar.gz: a8736e1d82e10b4ac39e41c6adf06831fc448615599e98b145b7ca5ee1945c636289da8648e557fce0e7c422e25104daf35abe5f4939a1a9e6cf07c3a3a2129f

data/README.md

@@ -34,10 +34,12 @@ Or install it yourself as:
 
 HMAC should be used for communication between website backend and api server/controller/whatever..
 
-For usage between Server <-> Client a sniffer could easily extract the signature/public key and 
-the encrypted message which is for now the same for the same request (see TODO implement timestamp).
+~~For usage between Server <-> Client a sniffer could easily extract the signature/public key and 
+the encrypted message which is for now the same for the same request (see TODO implement timestamp).~~
 
-With these 2 informations a "secure" backend could be easily seen public...
+~~With these 2 informations a "secure" backend could be easily seen public...~~
+
+In version 0.0.5 the timestamp has been added to the msg which will be encrypted, also the possibility to configure the allowed delay a request can have has been added.
 
 Uses Authorization HTTP Header, example:
 ```Authorization: MessageHash:Signature```
@@ -54,6 +56,7 @@ config = {
   'DELETE' => 'path',
   'PUT' => 'path',
   'PATCH' => 'path'
+  'tolerance' => 2
 }
 
 map '/' do
@@ -65,6 +68,7 @@ end
 Note: Private Key and Signature should be served by a file which is not checked into git version control.
 
 
+
 #### Config Hash
 
 Via the config hash you are able to define the 'data' for each request method.<br />
@@ -82,6 +86,19 @@ The Message what will be HMAC encrypted is:
 message = { 'method' => 'GET', 'data' => '/get/user?name=rack' }.to_json
 ```
 
+In Version 0.0.5 the timestamp has been added to the Message.
+
+The new Message which will be encrypted looks like this:
+
+```ruby
+message = { 'method' => 'GET', 'date' => Time.now.to_i +- delay range, 'data' => '/get/user?name=rack }.to_json
+```
+
+The tolerance which is configureable in the config hash sets the possible delay a request could have and still will be authorized.
+
+Notice: For a set tolerance a Encrypted Message array will be generated and compared with the MessageHash from the AUTH Header
+
+
 #### Logging
 
 With the 4th parameter for Rack::SimpleAuth::HMAC you can define a destination where the internal #log method should write to.
@@ -96,13 +113,16 @@ It contains following information:
 - The Signature which was expected
 
 
+
 ## TODO 
 
-Add Timestamp to encryption..
+~~Add Timestamp to encryption..~~
+
+~~For now a sniffer could track a successfull request to the server and extract the HTTP_AUTHORIZATION HEADER for this request.~~
+
+~~He got the encrypted message for the specific request && signature -> No security anymore...~~
 
-For now a sniffer could track a successfull request to the server and extract the HTTP_AUTHORIZATION HEADER for this request.
 
-He got the encrypted message for the specific request && signature -> No security anymore...
 
 ## Contributing
 
@@ -116,3 +136,7 @@ He got the encrypted message for the specific request && signature -> No securit
 
 
 
+
+
+
+

data/lib/rack/simple_auth/hmac.rb

@@ -60,14 +60,15 @@ module Rack
         hash_array = []
 
         (-(@tolerance)..@tolerance).each do |i|
-          hash_array << OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message(request, i))
+          hash_array << OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message(request, i))
         end
 
         hash_array
       end
 
-      # Get Message for current Request
+      # Get Message for current Request and delay
       # @param [Rack::Request] request [current Request]
+      # @param [Fixnum] delay [delay in timestamp format]
       # @return [Hash] message [message which will be encrypted]
       def message(request, delay = 0)
         date = Time.now.to_i + delay
@@ -122,7 +123,7 @@ module Rack
         end
       end
 
-      private :log, :request_data, :message, :valid?
+      private :log, :request_data, :message, :valid?, :build_allowed_messages
     end
   end
 end

data/lib/rack/simple_auth/version.rb

@@ -2,6 +2,6 @@ module Rack
   # Module which Contains different Authorization / Authentication Classes (HMAC, ..)
   module SimpleAuth
     # Current Gem Version
-    VERSION = '0.0.6'
+    VERSION = '0.0.7'
   end
 end

data/test/rack/simple_auth/hmac_fail_test.rb

@@ -14,13 +14,13 @@ class HMACFailTest < MiniTest::Unit::TestCase
   end
 
   def test_fail
-  	uri = '/'
+    uri = '/'
     content = { 'method' => 'GET', 'data' => uri }.to_json
-    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, content)
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, content)
 
     assert_raises(RuntimeError) { get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}" }
   end
 
   def teardown
   end
-end
+end

data/test/rack/simple_auth/hmac_test.rb

@@ -26,7 +26,7 @@ class HMACTest < MiniTest::Unit::TestCase
   def test_get_with_right_auth_header
     uri = '/'
     message = { 'method' => 'GET', 'date' => Time.now.to_i, 'data' => uri }.to_json
-    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message)
 
     get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
 
@@ -36,7 +36,7 @@ class HMACTest < MiniTest::Unit::TestCase
   def test_get_with_delay_in_tolerance_range
     uri = '/'
     message = { 'method' => 'GET', 'date' => Time.now.to_i - 2, 'data' => uri }.to_json
-    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message)
 
     get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
 
@@ -46,7 +46,7 @@ class HMACTest < MiniTest::Unit::TestCase
   def test_get_with_too_big_delay
     uri = '/'
     message = { 'method' => 'GET', 'date' => Time.now.to_i - 50, 'data' => uri }.to_json
-    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message)
 
     get uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
 
@@ -61,7 +61,7 @@ class HMACTest < MiniTest::Unit::TestCase
   def test_post_with_right_auth_header
     params = { 'name' => 'Bensn' }
     message = { 'method' => 'POST', 'date' => Time.now.to_i, 'data' => params }.to_json
-    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message)
 
     post '/', params, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
 
@@ -76,7 +76,7 @@ class HMACTest < MiniTest::Unit::TestCase
   def test_delete_with_right_auth_header
     uri = '/'
     message = { 'method' => 'DELETE', 'date' => Time.now.to_i, 'data' => uri }.to_json
-    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message)
 
     delete uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
 
@@ -91,7 +91,7 @@ class HMACTest < MiniTest::Unit::TestCase
   def test_put_with_right_auth_header
     uri = '/'
     message = { 'method' => 'PUT', 'date' => Time.now.to_i, 'data' => uri }.to_json
-    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message)
 
     put uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
 
@@ -106,7 +106,7 @@ class HMACTest < MiniTest::Unit::TestCase
   def test_patch_with_right_auth_header
     uri = '/'
     message = { 'method' => 'PATCH', 'date' => Time.now.to_i, 'data' => uri }.to_json
-    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new('sha256'), @secret, message)
+    hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), @secret, message)
 
     patch uri, {}, 'HTTP_AUTHORIZATION' => "#{hash}:#{@signature}"
 

metadata

@@ -1,75 +1,96 @@
---- !ruby/object:Gem::Specification 
+--- !ruby/object:Gem::Specification
 name: rack-simple_auth
-version: !ruby/object:Gem::Version 
-  version: 0.0.6
+version: !ruby/object:Gem::Version
+  version: 0.0.7
 platform: ruby
-authors: 
+authors:
 - Benny1992
 autorequire: 
 bindir: bin
 cert_chain: []
-
-date: 2014-03-16 00:00:00 Z
-dependencies: 
-- !ruby/object:Gem::Dependency 
+date: 2014-03-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
   name: rack
-  prerelease: false
-  requirement: &id001 !ruby/object:Gem::Requirement 
-    requirements: 
-    - &id003 
-      - ">="
-      - !ruby/object:Gem::Version 
-        version: "0"
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :runtime
-  version_requirements: *id001
-- !ruby/object:Gem::Dependency 
-  name: bundler
   prerelease: false
-  requirement: &id002 !ruby/object:Gem::Requirement 
-    requirements: 
-    - - ~>
-      - !ruby/object:Gem::Version 
-        version: "1.5"
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
   type: :development
-  version_requirements: *id002
-- !ruby/object:Gem::Dependency 
-  name: rake
   prerelease: false
-  requirement: &id004 !ruby/object:Gem::Requirement 
-    requirements: 
-    - *id003
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.5'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id004
-- !ruby/object:Gem::Dependency 
-  name: coveralls
   prerelease: false
-  requirement: &id005 !ruby/object:Gem::Requirement 
-    requirements: 
-    - *id003
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: coveralls
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id005
-- !ruby/object:Gem::Dependency 
-  name: rack-test
   prerelease: false
-  requirement: &id006 !ruby/object:Gem::Requirement 
-    requirements: 
-    - *id003
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
   type: :development
-  version_requirements: *id006
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: SimpleAuth HMAC authentication
-email: 
+email:
 - klotz.benjamin@yahoo.de
 executables: []
-
 extensions: []
-
 extra_rdoc_files: []
-
-files: 
-- .gitignore
-- .rubocop.yml
-- .travis.yml
-- .yardopts
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- ".travis.yml"
+- ".yardopts"
 - Gemfile
 - LICENSE.txt
 - MANIFEST
@@ -90,28 +111,28 @@ files:
 - test/rack/simple_auth/hmac_test.rb
 - test/test_helper.rb
 homepage: http://www.bennyklotz.at
-licenses: 
+licenses:
 - MIT
 metadata: {}
-
 post_install_message: 
 rdoc_options: []
-
-require_paths: 
+require_paths:
 - lib
-required_ruby_version: !ruby/object:Gem::Requirement 
-  requirements: 
-  - *id003
-required_rubygems_version: !ruby/object:Gem::Requirement 
-  requirements: 
-  - *id003
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
 requirements: []
-
 rubyforge_project: 
 rubygems_version: 2.2.2
 signing_key: 
 specification_version: 4
 summary: SimpleAuth HMAC authentication
 test_files: []
-
 has_rdoc: