rack-url_auth 0.0.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4d876d1b7162d8ca7a0b60d5d9682ba06b28cce3
-  data.tar.gz: b8a4579117bce3c2be5c0e3af3794119974169c8
+  metadata.gz: a72ca23ae12a4e7216c70321800a4381a265f92e
+  data.tar.gz: ff999de6188aeb84d739e7763402de8ce7984022
 SHA512:
-  metadata.gz: 455b084764c70bedc87efb4af97391cfd8d8d4d0a09758bcba711e16165497a51a25787e7dadfc4890b16bc74c1270df9e50e4d290f647134c84651f2dc6ebf3
-  data.tar.gz: 564f4788ce3a5f1be827f4e4e852727762b6572ab7a21b5776ed9b5f2b3e24d700bf7f61e9c4d8af6f0e4d75fb5c4354aab4d3cd09f14adc3894f6315e45001d
+  metadata.gz: 20b8935975cd8a6970b457be30728e909c9a7b25c9c56dc7daee0b9799530a37ed821833da72ec64be833b058380416a2ded57d95c01d5fcb45194201583e7b4
+  data.tar.gz: 5d06158fc1c9f29f45eef0efceb4a2f22bea0982885bb5f4b25a10ab20ea270576439e03ee561c0fde68af76abf60776bf3aadb2a683d9e88093de0e59cfcd2e

data/.gitignore

@@ -1 +1,3 @@
 pkg
+*.swp
+tags

data/Gemfile.lock

@@ -1,24 +1,35 @@
 PATH
   remote: .
   specs:
-    rack-url_auth (0.0.0)
+    rack-url_auth (0.2.0)
+      addressable
+      ruby-hmac
 
 GEM
   remote: https://rubygems.org/
   specs:
-    diff-lcs (1.2.4)
+    addressable (2.5.1)
+      public_suffix (~> 2.0, >= 2.0.2)
+    diff-lcs (1.3)
+    public_suffix (2.0.5)
     rack (1.5.2)
     rack-test (0.6.2)
       rack (>= 1.0)
-    rake (10.0.4)
-    rspec (2.13.0)
-      rspec-core (~> 2.13.0)
-      rspec-expectations (~> 2.13.0)
-      rspec-mocks (~> 2.13.0)
-    rspec-core (2.13.1)
-    rspec-expectations (2.13.0)
-      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.13.1)
+    rake (12.0.0)
+    rspec (3.6.0)
+      rspec-core (~> 3.6.0)
+      rspec-expectations (~> 3.6.0)
+      rspec-mocks (~> 3.6.0)
+    rspec-core (3.6.0)
+      rspec-support (~> 3.6.0)
+    rspec-expectations (3.6.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.6.0)
+    rspec-mocks (3.6.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.6.0)
+    rspec-support (3.6.0)
+    ruby-hmac (0.4.0)
 
 PLATFORMS
   ruby
@@ -30,3 +41,6 @@ DEPENDENCIES
   rack-url_auth!
   rake
   rspec
+
+BUNDLED WITH
+   1.14.6

data/README.md

@@ -1,6 +1,24 @@
 # Rack::UrlAuth
 
-TODO: Write a gem description
+Rack::UrlAuth is a Rack middleware for HMAC URL authentication.
+
+The most obvious use case would be a service that allows its users to perform
+an action by clicking on an email sent to them, such as activating an
+account, claiming a discount coupon or reseting a password.
+
+The user would receive an email with a link to an url such as:
+`http://example.org/accounts/1/activate?expires=2013-12-12&signature=bf3a53...`
+
+Because any tampering with the query string or any other url component
+can be detected, the service can tell if the person is authorized to
+perform that action.
+
+Keep in mind that **all GET actions should be idempotent**, meaning that
+accessing them every time yields the same result.
+
+Amazon S3, Braintree and may other services use this same principle to
+authenticate requests by either signing the request body or the url.
+
 
 ## Installation
 
@@ -16,9 +34,66 @@ Or install it yourself as:
 
     $ gem install rack-url_auth
 
+
 ## Usage
 
-TODO: Write usage instructions here
+### Rails example
+
+
+```ruby 
+# config/application.rb
+...
+
+module MyApp
+  class Application < Rails::Application
+    config.middleware.use 'Rack::UrlAuth', secret: 'very-long-and-arbitrary-string'
+    ...
+  end
+end
+
+# controllers/application_controller.rb
+class ApplicationController < ActionController::Base
+  ...
+  protected
+  def authenticate_url!
+    unless env['rack.url_auth'].url_authorized?
+      render file: 'public/401', status: 401
+    end
+  end
+
+  def sign_url(url)
+    env['rack.url_auth'].sign_url url
+  end
+end
+
+# controllers/private_stuff_controller.rb
+class PrivateThingsController < ApplicationController
+  before_filter :authenticate_url!, only: :view_private_thing
+
+  def send_authorization
+    signed_url = sign_url(view_private_thing_url(id: params[:id]))
+    ApplicationMailer.
+      private_thing_view_authorization(params[:email], signed_url).
+      deliver
+    ...
+  end
+
+  def view_private_thing
+    # Not for you unless you are authorized ;)
+    @thing = PrivateThing.find(params[:id])
+    ...
+  end
+end
+```
+
+
+## Resources
+
+
+* [Using HMAC to authenticate Web service requests](http://rc3.org/2011/12/02/using-hmac-to-authenticate-web-service-requests/)
+* [Signed Idempotent Action Links](http://www.intridea.com/blog/2012/6/7/signed-idempotent-action-links)
+* [Why you should never use hash functions for message authentication](http://blog.jcoglan.com/2012/06/09/why-you-should-never-use-hash-functions-for-message-authentication/)
+
 
 ## Contributing
 

data/lib/rack/url_auth/proxy.rb

@@ -8,13 +8,18 @@ module Rack
         @signer  = signer
       end
 
-      def url_authorized?
-        signer.verify_url(request.url)
-      end
+      def authorized?
+        method = request.request_method.downcase
+        signature_header = request.env["HTTP_X_SIGNATURE"]
 
-      def sign_url(url)
-        signer.sign_url(url)
+        if !signature_header && request.get? || request.head?
+          signer.verify_url(request.url, method)
+        else
+          body = request.body.read; request.body.rewind
+          signer.verify(method + request.url + body, signature_header)
+        end
       end
     end
+
   end
 end

data/lib/rack/url_auth/signer.rb

@@ -1,3 +1,6 @@
+require 'hmac-sha2'
+require 'addressable'
+
 module Rack
   class UrlAuth
     class Signer
@@ -8,41 +11,42 @@ module Rack
       end
 
       def sign(message)
-        sha1 = OpenSSL::Digest::Digest.new('sha1')
-        OpenSSL::HMAC.hexdigest sha1, secret, message
+        HMAC::SHA256.hexdigest(secret, message)
       end
 
       def verify(message, signature)
-        actual   = Digest::SHA1.hexdigest sign(message)
+        actual = Digest::SHA1.hexdigest sign(message)
         expected = Digest::SHA1.hexdigest signature
         actual == expected
       end
 
-      def sign_url(url)
-        purl  = URI.parse url
-        query = Rack::Utils.parse_query purl.query
-        query.merge! 'signature' => sign(url)
+      def sign_url(url, method)
+        purl, query = parse_and_extract_query(url)
+        normalized = purl.normalize.to_s
+        query['signature'] = sign(method.to_s.downcase + normalized)
 
-        build_url purl, query
+        build_url(purl, query)
       end
 
-      def verify_url(url)
-        purl      = URI.parse url
-        query     = Rack::Utils.parse_query(purl.query)
-        signature = query.delete('signature') or raise MissingSignature
+      def verify_url(url, method)
+        purl, query = parse_and_extract_query(url)
+        signature = query.delete('signature').to_s
+        message = method.to_s.downcase + build_url(purl, query)
 
-        verify build_url(purl, query), signature
+        verify(message, signature)
       end
 
       private
-      def build_url(purl, query)
-        query = Rack::Utils.build_query(query)
-        url = "#{purl.scheme}://#{purl.host}#{':' + purl.port.to_s if purl.port}#{purl.path}"
-        url = "#{url}?#{query}" unless query.empty?
-        url
+
+      def parse_and_extract_query(url)
+        purl = Addressable::URI.parse(url)
+        query = purl.query_values || {}
+        [purl, query]
       end
 
-      class MissingSignature < StandardError
+      def build_url(purl, query)
+        purl.query = Rack::Utils.build_query(query)
+        purl.normalize.to_s
       end
     end
   end

data/lib/rack/url_auth/version.rb

@@ -1,5 +1,5 @@
 module Rack
   class UrlAuth
-    VERSION = "0.0.0"
+    VERSION = "0.2.1"
   end
 end

data/lib/rack/url_auth.rb

@@ -4,16 +4,25 @@ require "rack/url_auth/proxy"
 
 module Rack
   class UrlAuth
-    attr_reader :app, :signer
+    attr_reader :app, :signer, :forward_auth
 
     def initialize(app, opts = {})
-      secret = opts[:secret] or raise(ArgumentError, 'Please provide `secret`')
-      @app, @signer = app, Signer.new(secret)
+      secret = opts[:secret] or
+        raise(ArgumentError, 'Please provide `secret`')
+
+      @app    = app
+      @signer = Signer.new(secret)
+      @forward_auth = !!opts[:forward_auth]
     end
 
     def call(env)
-      env['rack.url_auth'] = Proxy.new(env, signer)
-      @app.call(env)
+      proxy = env['rack.signature_auth'] = Proxy.new(env, signer)
+
+      if !@forward_auth && !proxy.authorized?
+        [403, {}, ['Forbidden']]
+      else
+        @app.call(env)
+      end
     end
   end
 end

data/rack-signed_urls.gemspec

@@ -18,6 +18,9 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ["lib"]
 
+  spec.add_dependency "ruby-hmac"
+  spec.add_dependency "addressable"
+
   spec.add_development_dependency "bundler", "~> 1.3"
   spec.add_development_dependency "rake"
 end

data/spec/middleware_spec.rb

@@ -1,48 +1,88 @@
 require 'spec_helper'
 
-include Rack
+describe Rack::UrlAuth do
+  include Rack::Test::Methods
 
-describe UrlAuth do
-  let(:secret)    { 'my-secretive-secret' }
-  let(:inner_app) { mock('App', call: []) }
+  let(:secret)    { 'secretive-secret' }
+  let(:inner_app) { ->(env){ [200,{},['Hello, world.']] } }
+  let(:app)       { Rack::UrlAuth.new(inner_app, secret: secret) }
 
-  it { UrlAuth::VERSION.should eq '0.0.0' }
+  describe 'instantiation' do
+    it 'requires a secret' do
+      expect { Rack::UrlAuth.new(app) }.to raise_error ArgumentError
+    end
+  end
 
-  describe 'intantiation' do
-    let(:signer) { mock('Signer') }
+  describe 'request without body' do
+    let(:signature) {
+      'b645417491551a215286db40cd3fbdd97c7e2f146b2feb0ae5f32f03537ed343'
+    }
 
-    it 'requires a secret' do
-      expect { UrlAuth.new(inner_app) }.
-        to raise_error(ArgumentError)
+    it 'authorizes request' do
+      get "/index?signature=#{signature}"
+      expect( last_request.env['rack.signature_auth'] ).to be_authorized
     end
 
-    it 'instantiates an signer' do
-      UrlAuth::Signer.
-        should_receive(:new).
-        with(secret).
-        and_return(signer)
+    it 'forbids request if url is tampered' do
+      get "/forbid?signature=#{signature}"
+      expect( last_request.env['rack.signature_auth'] ).not_to be_authorized
+    end
 
-      app = UrlAuth.new(inner_app, secret: secret)
-      app.signer.should be signer
+    it 'forbids request if method is incorrect' do
+      head "/index?signature=#{signature}"
+      expect( last_request.env['rack.signature_auth'] ).not_to be_authorized
     end
   end
 
-  describe 'calling' do
-    let(:app)   { UrlAuth.new(inner_app, secret: secret) }
-    let(:env)   { { path: '/'} }
-    let(:proxy) { mock('Proxy') }
 
-    it 'sets proxy as env variable' do
-      UrlAuth::Proxy.should_receive(:new).
-        with(env, app.signer).and_return(proxy)
+  describe 'request with body' do
+    let(:signature) {
+      'bab5dd78fce9f4fd85c5037466c5a5e22cf67ba14f25005f499ddc7820710475'
+    }
+
+    it 'autorizes request' do
+      header 'X-Signature', signature
+      post '/index', name: 'Macario'
+      expect( last_request.env['rack.signature_auth'] ).to be_authorized
+    end
+
+    it 'forbids request if url is tampered' do
+      header 'X-Signature', signature
+      post '/forbid', name: 'Macario'
+      expect( last_request.env['rack.signature_auth'] ).not_to be_authorized
+    end
+
+    it 'forbids request if body is tampered' do
+      header 'X-Signature', signature
+      post '/index', name: 'Juan'
+      expect( last_request.env['rack.signature_auth'] ).not_to be_authorized
+    end
+
+    it 'forbids request if method is incorrect' do
+      header 'X-Signature', signature
+      put '/index', name: 'Macario'
+      expect( last_request.env['rack.signature_auth'] ).not_to be_authorized
+    end
+  end
+
+  describe 'handling authentication' do
+    context 'not forwarding auth to app' do
+      let(:app) { Rack::UrlAuth.new(inner_app, secret: secret) }
 
-      app.call(env)
-      env['rack.url_auth'].should be proxy
+      it 'returns forbidden status code' do
+        get "/forbid"
+        expect( last_response.status ).to eq 403
+      end
     end
 
-    it 'forwards to app' do
-      inner_app.should_receive(:call).with(env)
-      app.call(env)
+    context 'forwarding auth to app' do
+      let(:app) { Rack::UrlAuth.new(inner_app,
+                                    forward_auth: true, secret: secret) }
+
+      it 'returns forbidden status code' do
+        get "/forbid"
+        expect( last_response.status ).to eq 200
+      end
     end
   end
 end

data/spec/signer_spec.rb

@@ -6,48 +6,64 @@ describe UrlAuth::Signer do
   let(:signer) { UrlAuth::Signer.new('my-secretive-secret') }
 
   describe 'signing and validating messages' do
-    let(:message)          { 'HMAC is fun!!' }
+    let(:message) { 'HMAC is fun!!' }
     let(:tampered_message) { 'HMAC is fun!!!' }
+    let(:signature) { signer.sign message }
 
     it 'signs a messages' do
-      signature = signer.sign message
-      signature.should have(40).characters
-
-      signer.verify(message, signature).should be true
-      signer.verify(tampered_message, signature).should be false
+      expect(signature.size).to eq(64)
+      expect(signer.verify(message, signature)).to be true
+      expect(signer.verify(tampered_message, signature)).to be false
     end
   end
 
   describe 'signed urls' do
-    let(:url)        { 'http://example.com:3000/path?token=1&query=sumething' }
-    let(:signed_url) { signer.sign_url url }
+    let(:url) { 'http://example.com/path?token=1&query=sumething' }
+    let(:signed_url) { signer.sign_url url, 'get' }
 
     it 'appends signature' do
-      signed_url.should match %r{&signature=\w{40}}
+      expect(signed_url).to match %r{&signature=\w{64}}
     end
 
     it 'keeps params' do
-      signed_url.should include '?token=1&query=sumething'
+      expect(signed_url).to include '?token=1&query=sumething'
+    end
+
+    it 'keeps host and path' do
+      expect(signed_url).to match %r{http://example\.com/path}
     end
 
-    it 'keeps port' do
-      signed_url.should match %{^http://example.com:3000}
+    it 'keeps port if different than 80' do
+      signed_url = signer.
+        sign_url 'http://example.com:3000/path?token=1&query=sumething', 'get'
+      expect(signed_url).to match %{^http://example.com:3000}
     end
 
     it 'verifies untampered url' do
-      signer.verify_url(signed_url).should be true
+      expect( signer.verify_url(signed_url, 'get') ).to be true
     end
 
     it 'verifies false if url is tampered' do
-      signer.verify_url(signed_url.sub(/\.com/, '.me')).should       be false
-      signer.verify_url(signed_url.sub('path', 'other-path')).should be false
-      signer.verify_url(signed_url.sub('1', '2')).should             be false
+      expect( signer.verify_url(signed_url.sub(/\.com/, '.me'), 'get') ).
+        to be false
+      expect( signer.verify_url(signed_url.sub('path', 'other-path'), 'get') ).
+        to be false
+      expect( signer.verify_url(signed_url.sub('1', '2'), 'get') ).
+        to be false
+    end
+
+    it 'verifies that the method is correct' do
+      expect( signer.verify_url(signed_url, 'delete') ).to be false
     end
 
     it 'raises error when url is unsigned while verifying url' do
-      lambda do
-        signer.verify_url 'http://example.com'
-      end.should raise_error UrlAuth::Signer::MissingSignature
+      expect(signer.verify_url 'http://example.com', 'get').to be false
+    end
+
+    it 'normalizes url' do
+      signed_url = signer.
+        sign_url 'http://example.com/path?token=點看&query=sumething:else', 'get'
+      expect( signer.verify_url(signed_url, 'get') ).to be true
     end
   end
 end

metadata

@@ -1,41 +1,69 @@
 --- !ruby/object:Gem::Specification
 name: rack-url_auth
 version: !ruby/object:Gem::Version
-  version: 0.0.0
+  version: 0.2.1
 platform: ruby
 authors:
 - macario
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-06-20 00:00:00.000000000 Z
+date: 2017-09-11 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: ruby-hmac
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: addressable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - "~>"
       - !ruby/object:Gem::Version
         version: '1.3'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Middleware for signing urls
@@ -45,8 +73,8 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
+- ".gitignore"
+- ".rspec"
 - Gemfile
 - Gemfile.lock
 - LICENSE.txt
@@ -58,7 +86,6 @@ files:
 - lib/rack/url_auth/version.rb
 - rack-signed_urls.gemspec
 - spec/middleware_spec.rb
-- spec/proxy_spec.rb
 - spec/signer_spec.rb
 - spec/spec_helper.rb
 homepage: http://github.com/maca/rack-url_auth
@@ -71,23 +98,21 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.0.0.rc.2
+rubygems_version: 2.6.11
 signing_key: 
 specification_version: 4
 summary: Middleware authorizing signed urls, so they can't be tampered
 test_files:
 - spec/middleware_spec.rb
-- spec/proxy_spec.rb
 - spec/signer_spec.rb
 - spec/spec_helper.rb
-has_rdoc: 

data/spec/proxy_spec.rb

@@ -1,40 +0,0 @@
-require 'spec_helper'
-
-include Rack
-
-describe UrlAuth::Proxy do
-  let(:env)    { Rack::MockRequest.env_for('/home?signature=mock') }
-  let(:signer) { mock('Signer') }
-  let(:proxy)  { UrlAuth::Proxy.new(env, signer) }
-
-  describe 'signing urls' do
-    it 'signs a url' do
-      signer.
-        should_receive(:sign_url).
-        and_return('/home?signature=mock')
-
-      proxy.sign_url('/home').
-        should eq '/home?signature=mock'
-    end
-  end
-
-  describe 'signer' do
-    it 'authorizes url' do
-      signer.
-        should_receive(:verify_url).
-        with('http://example.org/home?signature=mock').
-        and_return(true)
-
-      proxy.url_authorized?.should be true
-    end
-
-    it 'returns false for tampered url' do
-      signer.
-        should_receive(:verify_url).
-        with('http://example.org/home?signature=mock').
-        and_return(false)
-
-      proxy.url_authorized?.should be false
-    end
-  end
-end