fsevents 1.0.7 → 1.0.8

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of fsevents might be problematic. Click here for more details.

Files changed (322) hide show
  1. package/node_modules/ansi/History.md +7 -0
  2. package/node_modules/ansi/LICENSE +24 -0
  3. package/node_modules/ansi/lib/ansi.js +2 -2
  4. package/node_modules/ansi/package.json +15 -10
  5. package/node_modules/ansi-regex/package.json +1 -0
  6. package/node_modules/ansi-styles/package.json +1 -0
  7. package/node_modules/are-we-there-yet/.npmignore +2 -0
  8. package/node_modules/are-we-there-yet/index.js +20 -18
  9. package/node_modules/are-we-there-yet/package.json +15 -13
  10. package/node_modules/asn1/package.json +3 -1
  11. package/node_modules/assert-plus/README.md +50 -21
  12. package/node_modules/assert-plus/assert.js +168 -207
  13. package/node_modules/assert-plus/package.json +55 -15
  14. package/node_modules/async/README.md +86 -4
  15. package/node_modules/async/dist/async.js +4 -3
  16. package/node_modules/async/dist/async.min.js +1 -1
  17. package/node_modules/async/lib/async.js +4 -3
  18. package/node_modules/async/package.json +10 -10
  19. package/node_modules/aws-sign2/package.json +1 -0
  20. package/node_modules/aws4/.npmignore +3 -0
  21. package/node_modules/aws4/.tern-port +1 -0
  22. package/node_modules/{tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match → aws4}/.travis.yml +2 -0
  23. package/node_modules/{tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/LICENSE.md → aws4/LICENSE} +1 -3
  24. package/node_modules/aws4/README.md +510 -0
  25. package/node_modules/aws4/aws4.js +313 -0
  26. package/node_modules/aws4/example.js +372 -0
  27. package/node_modules/aws4/node_modules/lru-cache/.npmignore +1 -0
  28. package/node_modules/aws4/node_modules/lru-cache/.travis.yml +8 -0
  29. package/node_modules/aws4/node_modules/lru-cache/CONTRIBUTORS +14 -0
  30. package/node_modules/aws4/node_modules/lru-cache/README.md +137 -0
  31. package/node_modules/aws4/node_modules/lru-cache/lib/lru-cache.js +334 -0
  32. package/node_modules/aws4/node_modules/lru-cache/package.json +66 -0
  33. package/node_modules/aws4/node_modules/lru-cache/test/basic.js +396 -0
  34. package/node_modules/aws4/node_modules/lru-cache/test/foreach.js +120 -0
  35. package/node_modules/aws4/node_modules/lru-cache/test/memory-leak.js +51 -0
  36. package/node_modules/aws4/node_modules/lru-cache/test/serialize.js +216 -0
  37. package/node_modules/aws4/package.json +113 -0
  38. package/node_modules/bl/.travis.yml +5 -6
  39. package/node_modules/bl/bl.js +5 -0
  40. package/node_modules/bl/package.json +16 -13
  41. package/node_modules/bl/test/test.js +554 -6
  42. package/node_modules/block-stream/package.json +1 -0
  43. package/node_modules/boom/package.json +1 -0
  44. package/node_modules/caseless/package.json +1 -0
  45. package/node_modules/chalk/package.json +1 -0
  46. package/node_modules/combined-stream/package.json +1 -0
  47. package/node_modules/commander/package.json +1 -0
  48. package/node_modules/core-util-is/package.json +2 -2
  49. package/node_modules/cryptiles/package.json +1 -0
  50. package/node_modules/dashdash/README.md +70 -7
  51. package/node_modules/dashdash/etc/dashdash.bash_completion.in +388 -0
  52. package/node_modules/dashdash/lib/dashdash.js +202 -2
  53. package/node_modules/dashdash/package.json +12 -9
  54. package/node_modules/debug/.jshintrc +3 -0
  55. package/node_modules/debug/.npmignore +6 -0
  56. package/node_modules/debug/History.md +195 -0
  57. package/node_modules/debug/Makefile +36 -0
  58. package/node_modules/debug/Readme.md +86 -13
  59. package/node_modules/debug/bower.json +28 -0
  60. package/node_modules/debug/browser.js +168 -0
  61. package/node_modules/debug/component.json +19 -0
  62. package/node_modules/debug/debug.js +132 -72
  63. package/node_modules/debug/node.js +209 -0
  64. package/node_modules/debug/package.json +32 -22
  65. package/node_modules/deep-extend/README.md +51 -50
  66. package/node_modules/deep-extend/package.json +14 -16
  67. package/node_modules/delayed-stream/package.json +1 -0
  68. package/node_modules/delegates/History.md +6 -0
  69. package/node_modules/delegates/License +20 -0
  70. package/node_modules/delegates/package.json +17 -13
  71. package/node_modules/ecc-jsbn/package.json +3 -1
  72. package/node_modules/escape-string-regexp/package.json +2 -2
  73. package/node_modules/extend/package.json +1 -0
  74. package/node_modules/extsprintf/package.json +4 -2
  75. package/node_modules/forever-agent/package.json +1 -0
  76. package/node_modules/form-data/package.json +1 -0
  77. package/node_modules/fstream/package.json +1 -0
  78. package/node_modules/fstream-ignore/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/package.json +1 -0
  79. package/node_modules/fstream-ignore/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/package.json +1 -0
  80. package/node_modules/fstream-ignore/node_modules/minimatch/node_modules/brace-expansion/package.json +1 -0
  81. package/node_modules/fstream-ignore/node_modules/minimatch/package.json +1 -0
  82. package/node_modules/fstream-ignore/package.json +3 -1
  83. package/node_modules/gauge/package.json +14 -12
  84. package/node_modules/gauge/progress-bar.js +4 -5
  85. package/node_modules/gauge/test/progress-bar.js +1 -1
  86. package/node_modules/generate-function/package.json +1 -0
  87. package/node_modules/generate-object-property/package.json +1 -0
  88. package/node_modules/graceful-fs/README.md +17 -0
  89. package/node_modules/graceful-fs/graceful-fs.js +2 -0
  90. package/node_modules/graceful-fs/package.json +16 -11
  91. package/node_modules/graceful-readlink/package.json +1 -0
  92. package/node_modules/har-validator/README.md +45 -122
  93. package/node_modules/har-validator/package.json +16 -16
  94. package/node_modules/has-ansi/package.json +1 -0
  95. package/node_modules/has-unicode/README.md +6 -3
  96. package/node_modules/has-unicode/index.js +7 -3
  97. package/node_modules/has-unicode/package.json +15 -13
  98. package/node_modules/has-unicode/test/index.js +1 -1
  99. package/node_modules/hawk/README.md +634 -634
  100. package/node_modules/hawk/bower.json +24 -24
  101. package/node_modules/hawk/component.json +18 -18
  102. package/node_modules/hawk/dist/client.js +343 -340
  103. package/node_modules/hawk/example/usage.js +78 -78
  104. package/node_modules/hawk/lib/browser.js +637 -637
  105. package/node_modules/hawk/lib/client.js +369 -369
  106. package/node_modules/hawk/lib/crypto.js +126 -126
  107. package/node_modules/hawk/lib/index.js +15 -15
  108. package/node_modules/hawk/lib/server.js +548 -540
  109. package/node_modules/hawk/lib/utils.js +184 -164
  110. package/node_modules/hawk/package.json +9 -8
  111. package/node_modules/hawk/test/browser.js +1492 -1492
  112. package/node_modules/hawk/test/client.js +440 -440
  113. package/node_modules/hawk/test/crypto.js +70 -70
  114. package/node_modules/hawk/test/index.js +378 -378
  115. package/node_modules/hawk/test/readme.js +95 -95
  116. package/node_modules/hawk/test/server.js +1329 -1302
  117. package/node_modules/hawk/test/uri.js +838 -838
  118. package/node_modules/hawk/test/utils.js +149 -121
  119. package/node_modules/hoek/package.json +1 -0
  120. package/node_modules/http-signature/CHANGES.md +7 -0
  121. package/node_modules/http-signature/http_signing.md +71 -3
  122. package/node_modules/http-signature/lib/signer.js +5 -0
  123. package/node_modules/http-signature/package.json +13 -11
  124. package/node_modules/ini/package.json +3 -1
  125. package/node_modules/is-my-json-valid/formats.js +1 -1
  126. package/node_modules/is-my-json-valid/package.json +11 -10
  127. package/node_modules/is-property/package.json +1 -0
  128. package/node_modules/is-typedarray/package.json +3 -1
  129. package/node_modules/isarray/package.json +2 -2
  130. package/node_modules/isstream/package.json +1 -0
  131. package/node_modules/jodid25519/package.json +3 -1
  132. package/node_modules/jsbn/package.json +3 -1
  133. package/node_modules/json-schema/package.json +2 -1
  134. package/node_modules/json-stringify-safe/package.json +1 -0
  135. package/node_modules/jsonpointer/package.json +1 -0
  136. package/node_modules/jsprim/package.json +3 -1
  137. package/node_modules/lodash._basetostring/package.json +4 -4
  138. package/node_modules/lodash._createpadding/package.json +3 -2
  139. package/node_modules/lodash._root/LICENSE +22 -0
  140. package/node_modules/lodash._root/README.md +18 -0
  141. package/node_modules/lodash._root/index.js +53 -0
  142. package/node_modules/lodash._root/package.json +77 -0
  143. package/node_modules/lodash.pad/LICENSE +2 -2
  144. package/node_modules/lodash.pad/README.md +4 -6
  145. package/node_modules/lodash.pad/index.js +347 -15
  146. package/node_modules/lodash.pad/package.json +20 -34
  147. package/node_modules/lodash.padleft/package.json +3 -1
  148. package/node_modules/lodash.padright/package.json +3 -1
  149. package/node_modules/lodash.repeat/LICENSE +2 -2
  150. package/node_modules/lodash.repeat/README.md +4 -6
  151. package/node_modules/lodash.repeat/index.js +262 -11
  152. package/node_modules/lodash.repeat/package.json +21 -34
  153. package/node_modules/mime-db/package.json +2 -2
  154. package/node_modules/mime-types/package.json +2 -2
  155. package/node_modules/ms/.npmignore +5 -0
  156. package/node_modules/{deep-extend → ms}/LICENSE +2 -2
  157. package/node_modules/ms/README.md +35 -0
  158. package/node_modules/ms/index.js +125 -0
  159. package/node_modules/ms/package.json +56 -0
  160. package/node_modules/node-pre-gyp/CHANGELOG.md +8 -0
  161. package/node_modules/node-pre-gyp/LICENSE +27 -0
  162. package/node_modules/node-pre-gyp/lib/util/abi_crosswalk.json +36 -0
  163. package/node_modules/node-pre-gyp/package.json +23 -22
  164. package/node_modules/node-uuid/package.json +1 -0
  165. package/node_modules/npmlog/package.json +18 -16
  166. package/node_modules/oauth-sign/index.js +2 -0
  167. package/node_modules/oauth-sign/package.json +10 -9
  168. package/node_modules/once/README.md +18 -0
  169. package/node_modules/once/once.js +8 -6
  170. package/node_modules/once/package.json +20 -12
  171. package/node_modules/pinkie/index.js +3 -3
  172. package/node_modules/pinkie/package.json +10 -9
  173. package/node_modules/pinkie/readme.md +1 -1
  174. package/node_modules/pinkie-promise/package.json +1 -0
  175. package/node_modules/process-nextick-args/package.json +2 -2
  176. package/node_modules/qs/.eslintrc +17 -0
  177. package/node_modules/qs/.travis.yml +66 -5
  178. package/node_modules/qs/CHANGELOG.md +86 -75
  179. package/node_modules/qs/README.md +85 -81
  180. package/node_modules/qs/bower.json +1 -1
  181. package/node_modules/qs/component.json +1 -1
  182. package/node_modules/qs/dist/qs.js +108 -177
  183. package/node_modules/qs/lib/index.js +1 -7
  184. package/node_modules/qs/lib/parse.js +26 -49
  185. package/node_modules/qs/lib/stringify.js +22 -46
  186. package/node_modules/qs/lib/utils.js +45 -73
  187. package/node_modules/qs/package.json +51 -28
  188. package/node_modules/qs/test/index.js +5 -0
  189. package/node_modules/qs/test/parse.js +236 -321
  190. package/node_modules/qs/test/stringify.js +139 -197
  191. package/node_modules/qs/test/utils.js +6 -25
  192. package/node_modules/rc/node_modules/minimist/package.json +1 -0
  193. package/node_modules/rc/package.json +1 -0
  194. package/node_modules/readable-stream/package.json +1 -0
  195. package/node_modules/request/CHANGELOG.md +16 -1
  196. package/node_modules/request/README.md +1 -1
  197. package/node_modules/request/lib/har.js +3 -2
  198. package/node_modules/request/lib/multipart.js +3 -0
  199. package/node_modules/request/lib/tunnel.js +0 -2
  200. package/node_modules/request/package.json +20 -17
  201. package/node_modules/request/request.js +50 -26
  202. package/node_modules/rimraf/README.md +1 -1
  203. package/node_modules/rimraf/node_modules/glob/README.md +2 -2
  204. package/node_modules/rimraf/node_modules/glob/glob.js +14 -1
  205. package/node_modules/rimraf/node_modules/glob/node_modules/inflight/node_modules/wrappy/package.json +1 -0
  206. package/node_modules/rimraf/node_modules/glob/node_modules/inflight/package.json +1 -0
  207. package/node_modules/rimraf/node_modules/glob/node_modules/inherits/package.json +2 -1
  208. package/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/package.json +1 -0
  209. package/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/package.json +1 -0
  210. package/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/package.json +1 -0
  211. package/node_modules/rimraf/node_modules/glob/node_modules/minimatch/package.json +1 -0
  212. package/node_modules/rimraf/node_modules/glob/node_modules/once/node_modules/wrappy/package.json +1 -0
  213. package/node_modules/rimraf/node_modules/glob/node_modules/once/package.json +1 -0
  214. package/node_modules/rimraf/node_modules/glob/node_modules/path-is-absolute/package.json +1 -0
  215. package/node_modules/rimraf/node_modules/glob/package.json +11 -11
  216. package/node_modules/rimraf/package.json +13 -12
  217. package/node_modules/semver/package.json +3 -1
  218. package/node_modules/sntp/package.json +1 -0
  219. package/node_modules/sshpk/.npmignore +1 -0
  220. package/node_modules/sshpk/bin/sshpk-sign +176 -0
  221. package/node_modules/sshpk/bin/sshpk-verify +166 -0
  222. package/node_modules/sshpk/lib/ed-compat.js +2 -0
  223. package/node_modules/sshpk/lib/key.js +6 -0
  224. package/node_modules/sshpk/man/man1/sshpk-conv.1 +135 -0
  225. package/node_modules/sshpk/man/man1/sshpk-sign.1 +81 -0
  226. package/node_modules/sshpk/man/man1/sshpk-verify.1 +68 -0
  227. package/node_modules/sshpk/package.json +18 -9
  228. package/node_modules/string_decoder/package.json +2 -2
  229. package/node_modules/stringstream/package.json +1 -0
  230. package/node_modules/strip-ansi/package.json +1 -0
  231. package/node_modules/strip-json-comments/package.json +1 -0
  232. package/node_modules/supports-color/package.json +1 -0
  233. package/node_modules/tar/package.json +1 -0
  234. package/node_modules/tar-pack/README.md +2 -2
  235. package/node_modules/tar-pack/package.json +25 -26
  236. package/node_modules/tough-cookie/package.json +1 -0
  237. package/node_modules/tunnel-agent/package.json +1 -0
  238. package/node_modules/tweetnacl/README.md +1 -1
  239. package/node_modules/tweetnacl/package.json +13 -11
  240. package/node_modules/uid-number/package.json +14 -13
  241. package/node_modules/uid-number/uid-number.js +9 -4
  242. package/node_modules/util-deprecate/package.json +2 -2
  243. package/node_modules/verror/package.json +1 -0
  244. package/node_modules/{tar-pack/node_modules/rimraf/node_modules/glob/node_modules/once/node_modules/wrappy → wrappy}/package.json +3 -2
  245. package/node_modules/xtend/package.json +1 -0
  246. package/package.json +2 -2
  247. package/node_modules/are-we-there-yet/README.md~ +0 -183
  248. package/node_modules/bl/test/basic-test.js +0 -541
  249. package/node_modules/bl/test/sauce.js +0 -38
  250. package/node_modules/debug/index.js +0 -5
  251. package/node_modules/debug/lib/debug.js +0 -147
  252. package/node_modules/deep-extend/test/index.spec.js +0 -220
  253. package/node_modules/deep-extend/test/mocha.opts +0 -1
  254. package/node_modules/gauge/README.md~ +0 -161
  255. package/node_modules/has-unicode/README.md~ +0 -4
  256. package/node_modules/once/LICENSE +0 -27
  257. package/node_modules/once/test/once.js +0 -18
  258. package/node_modules/sshpk/node_modules/assert-plus/README.md +0 -155
  259. package/node_modules/sshpk/node_modules/assert-plus/assert.js +0 -206
  260. package/node_modules/sshpk/node_modules/assert-plus/package.json +0 -88
  261. package/node_modules/tar-pack/node_modules/rimraf/README.md +0 -43
  262. package/node_modules/tar-pack/node_modules/rimraf/bin.js +0 -40
  263. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/README.md +0 -359
  264. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/common.js +0 -226
  265. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/glob.js +0 -752
  266. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/.eslintrc +0 -17
  267. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/README.md +0 -37
  268. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/inflight.js +0 -44
  269. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/node_modules/wrappy/package.json +0 -58
  270. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/package.json +0 -67
  271. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/test.js +0 -97
  272. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inherits/LICENSE +0 -16
  273. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inherits/README.md +0 -42
  274. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inherits/inherits.js +0 -1
  275. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inherits/inherits_browser.js +0 -23
  276. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inherits/package.json +0 -58
  277. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inherits/test.js +0 -25
  278. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/README.md +0 -216
  279. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/minimatch.js +0 -912
  280. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/.npmignore +0 -3
  281. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/README.md +0 -122
  282. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/example.js +0 -8
  283. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/index.js +0 -191
  284. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/.npmignore +0 -2
  285. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/Makefile +0 -6
  286. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/README.md +0 -89
  287. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/example.js +0 -5
  288. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/index.js +0 -50
  289. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/package.json +0 -79
  290. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/balanced-match/test/balanced.js +0 -84
  291. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/.travis.yml +0 -4
  292. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/LICENSE +0 -18
  293. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/README.markdown +0 -62
  294. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/example/map.js +0 -6
  295. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/index.js +0 -13
  296. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/package.json +0 -90
  297. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/node_modules/concat-map/test/map.js +0 -39
  298. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/node_modules/brace-expansion/package.json +0 -81
  299. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/minimatch/package.json +0 -66
  300. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/once/README.md +0 -51
  301. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/once/node_modules/wrappy/LICENSE +0 -15
  302. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/once/node_modules/wrappy/README.md +0 -36
  303. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/once/node_modules/wrappy/test/basic.js +0 -51
  304. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/once/node_modules/wrappy/wrappy.js +0 -33
  305. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/once/once.js +0 -21
  306. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/once/package.json +0 -70
  307. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/path-is-absolute/index.js +0 -20
  308. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/path-is-absolute/package.json +0 -78
  309. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/node_modules/path-is-absolute/readme.md +0 -51
  310. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/package.json +0 -79
  311. package/node_modules/tar-pack/node_modules/rimraf/node_modules/glob/sync.js +0 -460
  312. package/node_modules/tar-pack/node_modules/rimraf/package.json +0 -69
  313. package/node_modules/tar-pack/node_modules/rimraf/rimraf.js +0 -333
  314. package/node_modules/uid-number/LICENCE +0 -25
  315. /package/node_modules/{sshpk/node_modules/assert-plus → assert-plus}/AUTHORS +0 -0
  316. /package/node_modules/{sshpk/node_modules/assert-plus → assert-plus}/CHANGES.md +0 -0
  317. /package/node_modules/{tar-pack/node_modules/rimraf → aws4/node_modules/lru-cache}/LICENSE +0 -0
  318. /package/node_modules/{tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight → uid-number}/LICENSE +0 -0
  319. /package/node_modules/{tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/node_modules/wrappy → wrappy}/LICENSE +0 -0
  320. /package/node_modules/{tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/node_modules/wrappy → wrappy}/README.md +0 -0
  321. /package/node_modules/{tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/node_modules/wrappy → wrappy}/test/basic.js +0 -0
  322. /package/node_modules/{tar-pack/node_modules/rimraf/node_modules/glob/node_modules/inflight/node_modules/wrappy → wrappy}/wrappy.js +0 -0
@@ -1,634 +1,634 @@
1
- ![hawk Logo](https://raw.github.com/hueniverse/hawk/master/images/hawk.png)
2
-
3
- <img align="right" src="https://raw.github.com/hueniverse/hawk/master/images/logo.png" /> **Hawk** is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial
4
- HTTP request cryptographic verification. For more complex use cases such as access delegation, see [Oz](https://github.com/hueniverse/oz).
5
-
6
- Current version: **3.x**
7
-
8
- Note: 3.x and 2.x are the same exact protocol as 1.1. The version increments reflect changes in the node API.
9
-
10
- [![Build Status](https://secure.travis-ci.org/hueniverse/hawk.png)](http://travis-ci.org/hueniverse/hawk)
11
-
12
- # Table of Content
13
-
14
- - [**Introduction**](#introduction)
15
- - [Replay Protection](#replay-protection)
16
- - [Usage Example](#usage-example)
17
- - [Protocol Example](#protocol-example)
18
- - [Payload Validation](#payload-validation)
19
- - [Response Payload Validation](#response-payload-validation)
20
- - [Browser Support and Considerations](#browser-support-and-considerations)
21
- <p></p>
22
- - [**Single URI Authorization**](#single-uri-authorization)
23
- - [Usage Example](#bewit-usage-example)
24
- <p></p>
25
- - [**Security Considerations**](#security-considerations)
26
- - [MAC Keys Transmission](#mac-keys-transmission)
27
- - [Confidentiality of Requests](#confidentiality-of-requests)
28
- - [Spoofing by Counterfeit Servers](#spoofing-by-counterfeit-servers)
29
- - [Plaintext Storage of Credentials](#plaintext-storage-of-credentials)
30
- - [Entropy of Keys](#entropy-of-keys)
31
- - [Coverage Limitations](#coverage-limitations)
32
- - [Future Time Manipulation](#future-time-manipulation)
33
- - [Client Clock Poisoning](#client-clock-poisoning)
34
- - [Bewit Limitations](#bewit-limitations)
35
- - [Host Header Forgery](#host-header-forgery)
36
- <p></p>
37
- - [**Frequently Asked Questions**](#frequently-asked-questions)
38
- <p></p>
39
- - [**Implementations**](#implementations)
40
- - [**Acknowledgements**](#acknowledgements)
41
-
42
- # Introduction
43
-
44
- **Hawk** is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with
45
- partial cryptographic verification of the request and response, covering the HTTP method, request URI, host,
46
- and optionally the request payload.
47
-
48
- Similar to the HTTP [Digest access authentication schemes](http://www.ietf.org/rfc/rfc2617.txt), **Hawk** uses a set of
49
- client credentials which include an identifier (e.g. username) and key (e.g. password). Likewise, just as with the Digest scheme,
50
- the key is never included in authenticated requests. Instead, it is used to calculate a request MAC value which is
51
- included in its place.
52
-
53
- However, **Hawk** has several differences from Digest. In particular, while both use a nonce to limit the possibility of
54
- replay attacks, in **Hawk** the client generates the nonce and uses it in combination with a timestamp, leading to less
55
- "chattiness" (interaction with the server).
56
-
57
- Also unlike Digest, this scheme is not intended to protect the key itself (the password in Digest) because
58
- the client and server must both have access to the key material in the clear.
59
-
60
- The primary design goals of this scheme are to:
61
- * simplify and improve HTTP authentication for services that are unwilling or unable to deploy TLS for all resources,
62
- * secure credentials against leakage (e.g., when the client uses some form of dynamic configuration to determine where
63
- to send an authenticated request), and
64
- * avoid the exposure of credentials sent to a malicious server over an unauthenticated secure channel due to client
65
- failure to validate the server's identity as part of its TLS handshake.
66
-
67
- In addition, **Hawk** supports a method for granting third-parties temporary access to individual resources using
68
- a query parameter called _bewit_ (in falconry, a leather strap used to attach a tracking device to the leg of a hawk).
69
-
70
- The **Hawk** scheme requires the establishment of a shared symmetric key between the client and the server,
71
- which is beyond the scope of this module. Typically, the shared credentials are established via an initial
72
- TLS-protected phase or derived from some other shared confidential information available to both the client
73
- and the server.
74
-
75
-
76
- ## Replay Protection
77
-
78
- Without replay protection, an attacker can use a compromised (but otherwise valid and authenticated) request more
79
- than once, gaining access to a protected resource. To mitigate this, clients include both a nonce and a timestamp when
80
- making requests. This gives the server enough information to prevent replay attacks.
81
-
82
- The nonce is generated by the client, and is a string unique across all requests with the same timestamp and
83
- key identifier combination.
84
-
85
- The timestamp enables the server to restrict the validity period of the credentials where requests occuring afterwards
86
- are rejected. It also removes the need for the server to retain an unbounded number of nonce values for future checks.
87
- By default, **Hawk** uses a time window of 1 minute to allow for time skew between the client and server (which in
88
- practice translates to a maximum of 2 minutes as the skew can be positive or negative).
89
-
90
- Using a timestamp requires the client's clock to be in sync with the server's clock. **Hawk** requires both the client
91
- clock and the server clock to use NTP to ensure synchronization. However, given the limitations of some client types
92
- (e.g. browsers) to deploy NTP, the server provides the client with its current time (in seconds precision) in response
93
- to a bad timestamp.
94
-
95
- There is no expectation that the client will adjust its system clock to match the server (in fact, this would be a
96
- potential attack vector). Instead, the client only uses the server's time to calculate an offset used only
97
- for communications with that particular server. The protocol rewards clients with synchronized clocks by reducing
98
- the number of round trips required to authenticate the first request.
99
-
100
-
101
- ## Usage Example
102
-
103
- Server code:
104
-
105
- ```javascript
106
- var Http = require('http');
107
- var Hawk = require('hawk');
108
-
109
-
110
- // Credentials lookup function
111
-
112
- var credentialsFunc = function (id, callback) {
113
-
114
- var credentials = {
115
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
116
- algorithm: 'sha256',
117
- user: 'Steve'
118
- };
119
-
120
- return callback(null, credentials);
121
- };
122
-
123
- // Create HTTP server
124
-
125
- var handler = function (req, res) {
126
-
127
- // Authenticate incoming request
128
-
129
- Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) {
130
-
131
- // Prepare response
132
-
133
- var payload = (!err ? 'Hello ' + credentials.user + ' ' + artifacts.ext : 'Shoosh!');
134
- var headers = { 'Content-Type': 'text/plain' };
135
-
136
- // Generate Server-Authorization response header
137
-
138
- var header = Hawk.server.header(credentials, artifacts, { payload: payload, contentType: headers['Content-Type'] });
139
- headers['Server-Authorization'] = header;
140
-
141
- // Send the response back
142
-
143
- res.writeHead(!err ? 200 : 401, headers);
144
- res.end(payload);
145
- });
146
- };
147
-
148
- // Start server
149
-
150
- Http.createServer(handler).listen(8000, 'example.com');
151
- ```
152
-
153
- Client code:
154
-
155
- ```javascript
156
- var Request = require('request');
157
- var Hawk = require('hawk');
158
-
159
-
160
- // Client credentials
161
-
162
- var credentials = {
163
- id: 'dh37fgj492je',
164
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
165
- algorithm: 'sha256'
166
- }
167
-
168
- // Request options
169
-
170
- var requestOptions = {
171
- uri: 'http://example.com:8000/resource/1?b=1&a=2',
172
- method: 'GET',
173
- headers: {}
174
- };
175
-
176
- // Generate Authorization request header
177
-
178
- var header = Hawk.client.header('http://example.com:8000/resource/1?b=1&a=2', 'GET', { credentials: credentials, ext: 'some-app-data' });
179
- requestOptions.headers.Authorization = header.field;
180
-
181
- // Send authenticated request
182
-
183
- Request(requestOptions, function (error, response, body) {
184
-
185
- // Authenticate the server's response
186
-
187
- var isValid = Hawk.client.authenticate(response, credentials, header.artifacts, { payload: body });
188
-
189
- // Output results
190
-
191
- console.log(response.statusCode + ': ' + body + (isValid ? ' (valid)' : ' (invalid)'));
192
- });
193
- ```
194
-
195
- **Hawk** utilized the [**SNTP**](https://github.com/hueniverse/sntp) module for time sync management. By default, the local
196
- machine time is used. To automatically retrieve and synchronice the clock within the application, use the SNTP 'start()' method.
197
-
198
- ```javascript
199
- Hawk.sntp.start();
200
- ```
201
-
202
-
203
- ## Protocol Example
204
-
205
- The client attempts to access a protected resource without authentication, sending the following HTTP request to
206
- the resource server:
207
-
208
- ```
209
- GET /resource/1?b=1&a=2 HTTP/1.1
210
- Host: example.com:8000
211
- ```
212
-
213
- The resource server returns an authentication challenge.
214
-
215
- ```
216
- HTTP/1.1 401 Unauthorized
217
- WWW-Authenticate: Hawk
218
- ```
219
-
220
- The client has previously obtained a set of **Hawk** credentials for accessing resources on the "http://example.com/"
221
- server. The **Hawk** credentials issued to the client include the following attributes:
222
-
223
- * Key identifier: dh37fgj492je
224
- * Key: werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn
225
- * Algorithm: sha256
226
-
227
- The client generates the authentication header by calculating a timestamp (e.g. the number of seconds since January 1,
228
- 1970 00:00:00 GMT), generating a nonce, and constructing the normalized request string (each value followed by a newline
229
- character):
230
-
231
- ```
232
- hawk.1.header
233
- 1353832234
234
- j4h3g2
235
- GET
236
- /resource/1?b=1&a=2
237
- example.com
238
- 8000
239
-
240
- some-app-ext-data
241
-
242
- ```
243
-
244
- The request MAC is calculated using HMAC with the specified hash algorithm "sha256" and the key over the normalized request string.
245
- The result is base64-encoded to produce the request MAC:
246
-
247
- ```
248
- 6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE=
249
- ```
250
-
251
- The client includes the **Hawk** key identifier, timestamp, nonce, application specific data, and request MAC with the request using
252
- the HTTP `Authorization` request header field:
253
-
254
- ```
255
- GET /resource/1?b=1&a=2 HTTP/1.1
256
- Host: example.com:8000
257
- Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="some-app-ext-data", mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE="
258
- ```
259
-
260
- The server validates the request by calculating the request MAC again based on the request received and verifies the validity
261
- and scope of the **Hawk** credentials. If valid, the server responds with the requested resource.
262
-
263
-
264
- ### Payload Validation
265
-
266
- **Hawk** provides optional payload validation. When generating the authentication header, the client calculates a payload hash
267
- using the specified hash algorithm. The hash is calculated over the concatenated value of (each followed by a newline character):
268
- * `hawk.1.payload`
269
- * the content-type in lowercase, without any parameters (e.g. `application/json`)
270
- * the request payload prior to any content encoding (the exact representation requirements should be specified by the server for payloads other than simple single-part ascii to ensure interoperability)
271
-
272
- For example:
273
-
274
- * Payload: `Thank you for flying Hawk`
275
- * Content Type: `text/plain`
276
- * Hash (sha256): `Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=`
277
-
278
- Results in the following input to the payload hash function (newline terminated values):
279
-
280
- ```
281
- hawk.1.payload
282
- text/plain
283
- Thank you for flying Hawk
284
-
285
- ```
286
-
287
- Which produces the following hash value:
288
-
289
- ```
290
- Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=
291
- ```
292
-
293
- The client constructs the normalized request string (newline terminated values):
294
-
295
- ```
296
- hawk.1.header
297
- 1353832234
298
- j4h3g2
299
- POST
300
- /resource/1?a=1&b=2
301
- example.com
302
- 8000
303
- Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=
304
- some-app-ext-data
305
-
306
- ```
307
-
308
- Then calculates the request MAC and includes the **Hawk** key identifier, timestamp, nonce, payload hash, application specific data,
309
- and request MAC, with the request using the HTTP `Authorization` request header field:
310
-
311
- ```
312
- POST /resource/1?a=1&b=2 HTTP/1.1
313
- Host: example.com:8000
314
- Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", hash="Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=", ext="some-app-ext-data", mac="aSe1DERmZuRl3pI36/9BdZmnErTw3sNzOOAUlfeKjVw="
315
- ```
316
-
317
- It is up to the server if and when it validates the payload for any given request, based solely on it's security policy
318
- and the nature of the data included.
319
-
320
- If the payload is available at the time of authentication, the server uses the hash value provided by the client to construct
321
- the normalized string and validates the MAC. If the MAC is valid, the server calculates the payload hash and compares the value
322
- with the provided payload hash in the header. In many cases, checking the MAC first is faster than calculating the payload hash.
323
-
324
- However, if the payload is not available at authentication time (e.g. too large to fit in memory, streamed elsewhere, or processed
325
- at a different stage in the application), the server may choose to defer payload validation for later by retaining the hash value
326
- provided by the client after validating the MAC.
327
-
328
- It is important to note that MAC validation does not mean the hash value provided by the client is valid, only that the value
329
- included in the header was not modified. Without calculating the payload hash on the server and comparing it to the value provided
330
- by the client, the payload may be modified by an attacker.
331
-
332
-
333
- ## Response Payload Validation
334
-
335
- **Hawk** provides partial response payload validation. The server includes the `Server-Authorization` response header which enables the
336
- client to authenticate the response and ensure it is talking to the right server. **Hawk** defines the HTTP `Server-Authorization` header
337
- as a response header using the exact same syntax as the `Authorization` request header field.
338
-
339
- The header is contructed using the same process as the client's request header. The server uses the same credentials and other
340
- artifacts provided by the client to constructs the normalized request string. The `ext` and `hash` values are replaced with
341
- new values based on the server response. The rest as identical to those used by the client.
342
-
343
- The result MAC digest is included with the optional `hash` and `ext` values:
344
-
345
- ```
346
- Server-Authorization: Hawk mac="XIJRsMl/4oL+nn+vKoeVZPdCHXB4yJkNnBbTbHFZUYE=", hash="f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=", ext="response-specific"
347
- ```
348
-
349
-
350
- ## Browser Support and Considerations
351
-
352
- A browser script is provided for including using a `<script>` tag in [lib/browser.js](/lib/browser.js). It's also a [component](http://component.io/hueniverse/hawk).
353
-
354
- **Hawk** relies on the _Server-Authorization_ and _WWW-Authenticate_ headers in its response to communicate with the client.
355
- Therefore, in case of CORS requests, it is important to consider sending _Access-Control-Expose-Headers_ with the value
356
- _"WWW-Authenticate, Server-Authorization"_ on each response from your server. As explained in the
357
- [specifications](http://www.w3.org/TR/cors/#access-control-expose-headers-response-header), it will indicate that these headers
358
- can safely be accessed by the client (using getResponseHeader() on the XmlHttpRequest object). Otherwise you will be met with a
359
- ["simple response header"](http://www.w3.org/TR/cors/#simple-response-header) which excludes these fields and would prevent the
360
- Hawk client from authenticating the requests.You can read more about the why and how in this
361
- [article](http://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server)
362
-
363
-
364
- # Single URI Authorization
365
-
366
- There are cases in which limited and short-term access to a protected resource is granted to a third party which does not
367
- have access to the shared credentials. For example, displaying a protected image on a web page accessed by anyone. **Hawk**
368
- provides limited support for such URIs in the form of a _bewit_ - a URI query parameter appended to the request URI which contains
369
- the necessary credentials to authenticate the request.
370
-
371
- Because of the significant security risks involved in issuing such access, bewit usage is purposely limited only to GET requests
372
- and for a finite period of time. Both the client and server can issue bewit credentials, however, the server should not use the same
373
- credentials as the client to maintain clear traceability as to who issued which credentials.
374
-
375
- In order to simplify implementation, bewit credentials do not support single-use policy and can be replayed multiple times within
376
- the granted access timeframe.
377
-
378
-
379
- ## Bewit Usage Example
380
-
381
- Server code:
382
-
383
- ```javascript
384
- var Http = require('http');
385
- var Hawk = require('hawk');
386
-
387
-
388
- // Credentials lookup function
389
-
390
- var credentialsFunc = function (id, callback) {
391
-
392
- var credentials = {
393
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
394
- algorithm: 'sha256'
395
- };
396
-
397
- return callback(null, credentials);
398
- };
399
-
400
- // Create HTTP server
401
-
402
- var handler = function (req, res) {
403
-
404
- Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
405
-
406
- res.writeHead(!err ? 200 : 401, { 'Content-Type': 'text/plain' });
407
- res.end(!err ? 'Access granted' : 'Shoosh!');
408
- });
409
- };
410
-
411
- Http.createServer(handler).listen(8000, 'example.com');
412
- ```
413
-
414
- Bewit code generation:
415
-
416
- ```javascript
417
- var Request = require('request');
418
- var Hawk = require('hawk');
419
-
420
-
421
- // Client credentials
422
-
423
- var credentials = {
424
- id: 'dh37fgj492je',
425
- key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
426
- algorithm: 'sha256'
427
- }
428
-
429
- // Generate bewit
430
-
431
- var duration = 60 * 5; // 5 Minutes
432
- var bewit = Hawk.uri.getBewit('http://example.com:8080/resource/1?b=1&a=2', { credentials: credentials, ttlSec: duration, ext: 'some-app-data' });
433
- var uri = 'http://example.com:8000/resource/1?b=1&a=2' + '&bewit=' + bewit;
434
- ```
435
-
436
-
437
- # Security Considerations
438
-
439
- The greatest sources of security risks are usually found not in **Hawk** but in the policies and procedures surrounding its use.
440
- Implementers are strongly encouraged to assess how this module addresses their security requirements. This section includes
441
- an incomplete list of security considerations that must be reviewed and understood before deploying **Hawk** on the server.
442
- Many of the protections provided in **Hawk** depends on whether and how they are used.
443
-
444
- ### MAC Keys Transmission
445
-
446
- **Hawk** does not provide any mechanism for obtaining or transmitting the set of shared credentials required. Any mechanism used
447
- to obtain **Hawk** credentials must ensure that these transmissions are protected using transport-layer mechanisms such as TLS.
448
-
449
- ### Confidentiality of Requests
450
-
451
- While **Hawk** provides a mechanism for verifying the integrity of HTTP requests, it provides no guarantee of request
452
- confidentiality. Unless other precautions are taken, eavesdroppers will have full access to the request content. Servers should
453
- carefully consider the types of data likely to be sent as part of such requests, and employ transport-layer security mechanisms
454
- to protect sensitive resources.
455
-
456
- ### Spoofing by Counterfeit Servers
457
-
458
- **Hawk** provides limited verification of the server authenticity. When receiving a response back from the server, the server
459
- may choose to include a response `Server-Authorization` header which the client can use to verify the response. However, it is up to
460
- the server to determine when such measure is included, to up to the client to enforce that policy.
461
-
462
- A hostile party could take advantage of this by intercepting the client's requests and returning misleading or otherwise
463
- incorrect responses. Service providers should consider such attacks when developing services using this protocol, and should
464
- require transport-layer security for any requests where the authenticity of the resource server or of server responses is an issue.
465
-
466
- ### Plaintext Storage of Credentials
467
-
468
- The **Hawk** key functions the same way passwords do in traditional authentication systems. In order to compute the request MAC,
469
- the server must have access to the key in plaintext form. This is in contrast, for example, to modern operating systems, which
470
- store only a one-way hash of user credentials.
471
-
472
- If an attacker were to gain access to these keys - or worse, to the server's database of all such keys - he or she would be able
473
- to perform any action on behalf of any resource owner. Accordingly, it is critical that servers protect these keys from unauthorized
474
- access.
475
-
476
- ### Entropy of Keys
477
-
478
- Unless a transport-layer security protocol is used, eavesdroppers will have full access to authenticated requests and request
479
- MAC values, and will thus be able to mount offline brute-force attacks to recover the key used. Servers should be careful to
480
- assign keys which are long enough, and random enough, to resist such attacks for at least the length of time that the **Hawk**
481
- credentials are valid.
482
-
483
- For example, if the credentials are valid for two weeks, servers should ensure that it is not possible to mount a brute force
484
- attack that recovers the key in less than two weeks. Of course, servers are urged to err on the side of caution, and use the
485
- longest key reasonable.
486
-
487
- It is equally important that the pseudo-random number generator (PRNG) used to generate these keys be of sufficiently high
488
- quality. Many PRNG implementations generate number sequences that may appear to be random, but which nevertheless exhibit
489
- patterns or other weaknesses which make cryptanalysis or brute force attacks easier. Implementers should be careful to use
490
- cryptographically secure PRNGs to avoid these problems.
491
-
492
- ### Coverage Limitations
493
-
494
- The request MAC only covers the HTTP `Host` header and optionally the `Content-Type` header. It does not cover any other headers
495
- which can often affect how the request body is interpreted by the server. If the server behavior is influenced by the presence
496
- or value of such headers, an attacker can manipulate the request headers without being detected. Implementers should use the
497
- `ext` feature to pass application-specific information via the `Authorization` header which is protected by the request MAC.
498
-
499
- The response authentication, when performed, only covers the response payload, content-type, and the request information
500
- provided by the client in it's request (method, resource, timestamp, nonce, etc.). It does not cover the HTTP status code or
501
- any other response header field (e.g. Location) which can affect the client's behaviour.
502
-
503
- ### Future Time Manipulation
504
-
505
- The protocol relies on a clock sync between the client and server. To accomplish this, the server informs the client of its
506
- current time when an invalid timestamp is received.
507
-
508
- If an attacker is able to manipulate this information and cause the client to use an incorrect time, it would be able to cause
509
- the client to generate authenticated requests using time in the future. Such requests will fail when sent by the client, and will
510
- not likely leave a trace on the server (given the common implementation of nonce, if at all enforced). The attacker will then
511
- be able to replay the request at the correct time without detection.
512
-
513
- The client must only use the time information provided by the server if:
514
- * it was delivered over a TLS connection and the server identity has been verified, or
515
- * the `tsm` MAC digest calculated using the same client credentials over the timestamp has been verified.
516
-
517
- ### Client Clock Poisoning
518
-
519
- When receiving a request with a bad timestamp, the server provides the client with its current time. The client must never use
520
- the time received from the server to adjust its own clock, and must only use it to calculate an offset for communicating with
521
- that particular server.
522
-
523
- ### Bewit Limitations
524
-
525
- Special care must be taken when issuing bewit credentials to third parties. Bewit credentials are valid until expiration and cannot
526
- be revoked or limited without using other means. Whatever resource they grant access to will be completely exposed to anyone with
527
- access to the bewit credentials which act as bearer credentials for that particular resource. While bewit usage is limited to GET
528
- requests only and therefore cannot be used to perform transactions or change server state, it can still be used to expose private
529
- and sensitive information.
530
-
531
- ### Host Header Forgery
532
-
533
- Hawk validates the incoming request MAC against the incoming HTTP Host header. However, unless the optional `host` and `port`
534
- options are used with `server.authenticate()`, a malicous client can mint new host names pointing to the server's IP address and
535
- use that to craft an attack by sending a valid request that's meant for another hostname than the one used by the server. Server
536
- implementors must manually verify that the host header received matches their expectation (or use the options mentioned above).
537
-
538
- # Frequently Asked Questions
539
-
540
- ### Where is the protocol specification?
541
-
542
- If you are looking for some prose explaining how all this works, **this is it**. **Hawk** is being developed as an open source
543
- project instead of a standard. In other words, the [code](/hueniverse/hawk/tree/master/lib) is the specification. Not sure about
544
- something? Open an issue!
545
-
546
- ### Is it done?
547
-
548
- As of version 0.10.0, **Hawk** is feature-complete. However, until this module reaches version 1.0.0 it is considered experimental
549
- and is likely to change. This also means your feedback and contribution are very welcome. Feel free to open issues with questions
550
- and suggestions.
551
-
552
- ### Where can I find **Hawk** implementations in other languages?
553
-
554
- **Hawk**'s only reference implementation is provided in JavaScript as a node.js module. However, it has been ported to other languages.
555
- The full list is maintained [here](https://github.com/hueniverse/hawk/issues?labels=port&state=closed). Please add an issue if you are
556
- working on another port. A cross-platform test-suite is in the works.
557
-
558
- ### Why isn't the algorithm part of the challenge or dynamically negotiated?
559
-
560
- The algorithm used is closely related to the key issued as different algorithms require different key sizes (and other
561
- requirements). While some keys can be used for multiple algorithm, the protocol is designed to closely bind the key and algorithm
562
- together as part of the issued credentials.
563
-
564
- ### Why is Host and Content-Type the only headers covered by the request MAC?
565
-
566
- It is really hard to include other headers. Headers can be changed by proxies and other intermediaries and there is no
567
- well-established way to normalize them. Many platforms change the case of header field names and values. The only
568
- straight-forward solution is to include the headers in some blob (say, base64 encoded JSON) and include that with the request,
569
- an approach taken by JWT and other such formats. However, that design violates the HTTP header boundaries, repeats information,
570
- and introduces other security issues because firewalls will not be aware of these "hidden" headers. In addition, any information
571
- repeated must be compared to the duplicated information in the header and therefore only moves the problem elsewhere.
572
-
573
- ### Why not just use HTTP Digest?
574
-
575
- Digest requires pre-negotiation to establish a nonce. This means you can't just make a request - you must first send
576
- a protocol handshake to the server. This pattern has become unacceptable for most web services, especially mobile
577
- where extra round-trip are costly.
578
-
579
- ### Why bother with all this nonce and timestamp business?
580
-
581
- **Hawk** is an attempt to find a reasonable, practical compromise between security and usability. OAuth 1.0 got timestamp
582
- and nonces halfway right but failed when it came to scalability and consistent developer experience. **Hawk** addresses
583
- it by requiring the client to sync its clock, but provides it with tools to accomplish it.
584
-
585
- In general, replay protection is a matter of application-specific threat model. It is less of an issue on a TLS-protected
586
- system where the clients are implemented using best practices and are under the control of the server. Instead of dropping
587
- replay protection, **Hawk** offers a required time window and an optional nonce verification. Together, it provides developers
588
- with the ability to decide how to enforce their security policy without impacting the client's implementation.
589
-
590
- ### What are `app` and `dlg` in the authorization header and normalized mac string?
591
-
592
- The original motivation for **Hawk** was to replace the OAuth 1.0 use cases. This included both a simple client-server mode which
593
- this module is specifically designed for, and a delegated access mode which is being developed separately in
594
- [Oz](https://github.com/hueniverse/oz). In addition to the **Hawk** use cases, Oz requires another attribute: the application id `app`.
595
- This provides binding between the credentials and the application in a way that prevents an attacker from tricking an application
596
- to use credentials issued to someone else. It also has an optional 'delegated-by' attribute `dlg` which is the application id of the
597
- application the credentials were directly issued to. The goal of these two additions is to allow Oz to utilize **Hawk** directly,
598
- but with the additional security of delegated credentials.
599
-
600
- ### What is the purpose of the static strings used in each normalized MAC input?
601
-
602
- When calculating a hash or MAC, a static prefix (tag) is added. The prefix is used to prevent MAC values from being
603
- used or reused for a purpose other than what they were created for (i.e. prevents switching MAC values between a request,
604
- response, and a bewit use cases). It also protects against exploits created after a potential change in how the protocol
605
- creates the normalized string. For example, if a future version would switch the order of nonce and timestamp, it
606
- can create an exploit opportunity for cases where the nonce is similar in format to a timestamp.
607
-
608
- ### Does **Hawk** have anything to do with OAuth?
609
-
610
- Short answer: no.
611
-
612
- **Hawk** was originally proposed as the OAuth MAC Token specification. However, the OAuth working group in its consistent
613
- incompetence failed to produce a final, usable solution to address one of the most popular use cases of OAuth 1.0 - using it
614
- to authenticate simple client-server transactions (i.e. two-legged). As you can guess, the OAuth working group is still hard
615
- at work to produce more garbage.
616
-
617
- **Hawk** provides a simple HTTP authentication scheme for making client-server requests. It does not address the OAuth use case
618
- of delegating access to a third party. If you are looking for an OAuth alternative, check out [Oz](https://github.com/hueniverse/oz).
619
-
620
- # Implementations
621
-
622
- - [Logibit Hawk in F#/.Net](https://github.com/logibit/logibit.hawk/)
623
- - [Tent Hawk in Ruby](https://github.com/tent/hawk-ruby)
624
- - [Wealdtech in Java](https://github.com/wealdtech/hawk)
625
- - [Kumar's Mohawk in Python](https://github.com/kumar303/mohawk/)
626
-
627
- # Acknowledgements
628
-
629
- **Hawk** is a derivative work of the [HTTP MAC Authentication Scheme](http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05) proposal
630
- co-authored by Ben Adida, Adam Barth, and Eran Hammer, which in turn was based on the OAuth 1.0 community specification.
631
-
632
- Special thanks to Ben Laurie for his always insightful feedback and advice.
633
-
634
- The **Hawk** logo was created by [Chris Carrasco](http://chriscarrasco.com).
1
+ ![hawk Logo](https://raw.github.com/hueniverse/hawk/master/images/hawk.png)
2
+
3
+ <img align="right" src="https://raw.github.com/hueniverse/hawk/master/images/logo.png" /> **Hawk** is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial
4
+ HTTP request cryptographic verification. For more complex use cases such as access delegation, see [Oz](https://github.com/hueniverse/oz).
5
+
6
+ Current version: **3.x**
7
+
8
+ Note: 3.x and 2.x are the same exact protocol as 1.1. The version increments reflect changes in the node API.
9
+
10
+ [![Build Status](https://secure.travis-ci.org/hueniverse/hawk.png)](http://travis-ci.org/hueniverse/hawk)
11
+
12
+ # Table of Content
13
+
14
+ - [**Introduction**](#introduction)
15
+ - [Replay Protection](#replay-protection)
16
+ - [Usage Example](#usage-example)
17
+ - [Protocol Example](#protocol-example)
18
+ - [Payload Validation](#payload-validation)
19
+ - [Response Payload Validation](#response-payload-validation)
20
+ - [Browser Support and Considerations](#browser-support-and-considerations)
21
+ <p></p>
22
+ - [**Single URI Authorization**](#single-uri-authorization)
23
+ - [Usage Example](#bewit-usage-example)
24
+ <p></p>
25
+ - [**Security Considerations**](#security-considerations)
26
+ - [MAC Keys Transmission](#mac-keys-transmission)
27
+ - [Confidentiality of Requests](#confidentiality-of-requests)
28
+ - [Spoofing by Counterfeit Servers](#spoofing-by-counterfeit-servers)
29
+ - [Plaintext Storage of Credentials](#plaintext-storage-of-credentials)
30
+ - [Entropy of Keys](#entropy-of-keys)
31
+ - [Coverage Limitations](#coverage-limitations)
32
+ - [Future Time Manipulation](#future-time-manipulation)
33
+ - [Client Clock Poisoning](#client-clock-poisoning)
34
+ - [Bewit Limitations](#bewit-limitations)
35
+ - [Host Header Forgery](#host-header-forgery)
36
+ <p></p>
37
+ - [**Frequently Asked Questions**](#frequently-asked-questions)
38
+ <p></p>
39
+ - [**Implementations**](#implementations)
40
+ - [**Acknowledgements**](#acknowledgements)
41
+
42
+ # Introduction
43
+
44
+ **Hawk** is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with
45
+ partial cryptographic verification of the request and response, covering the HTTP method, request URI, host,
46
+ and optionally the request payload.
47
+
48
+ Similar to the HTTP [Digest access authentication schemes](http://www.ietf.org/rfc/rfc2617.txt), **Hawk** uses a set of
49
+ client credentials which include an identifier (e.g. username) and key (e.g. password). Likewise, just as with the Digest scheme,
50
+ the key is never included in authenticated requests. Instead, it is used to calculate a request MAC value which is
51
+ included in its place.
52
+
53
+ However, **Hawk** has several differences from Digest. In particular, while both use a nonce to limit the possibility of
54
+ replay attacks, in **Hawk** the client generates the nonce and uses it in combination with a timestamp, leading to less
55
+ "chattiness" (interaction with the server).
56
+
57
+ Also unlike Digest, this scheme is not intended to protect the key itself (the password in Digest) because
58
+ the client and server must both have access to the key material in the clear.
59
+
60
+ The primary design goals of this scheme are to:
61
+ * simplify and improve HTTP authentication for services that are unwilling or unable to deploy TLS for all resources,
62
+ * secure credentials against leakage (e.g., when the client uses some form of dynamic configuration to determine where
63
+ to send an authenticated request), and
64
+ * avoid the exposure of credentials sent to a malicious server over an unauthenticated secure channel due to client
65
+ failure to validate the server's identity as part of its TLS handshake.
66
+
67
+ In addition, **Hawk** supports a method for granting third-parties temporary access to individual resources using
68
+ a query parameter called _bewit_ (in falconry, a leather strap used to attach a tracking device to the leg of a hawk).
69
+
70
+ The **Hawk** scheme requires the establishment of a shared symmetric key between the client and the server,
71
+ which is beyond the scope of this module. Typically, the shared credentials are established via an initial
72
+ TLS-protected phase or derived from some other shared confidential information available to both the client
73
+ and the server.
74
+
75
+
76
+ ## Replay Protection
77
+
78
+ Without replay protection, an attacker can use a compromised (but otherwise valid and authenticated) request more
79
+ than once, gaining access to a protected resource. To mitigate this, clients include both a nonce and a timestamp when
80
+ making requests. This gives the server enough information to prevent replay attacks.
81
+
82
+ The nonce is generated by the client, and is a string unique across all requests with the same timestamp and
83
+ key identifier combination.
84
+
85
+ The timestamp enables the server to restrict the validity period of the credentials where requests occuring afterwards
86
+ are rejected. It also removes the need for the server to retain an unbounded number of nonce values for future checks.
87
+ By default, **Hawk** uses a time window of 1 minute to allow for time skew between the client and server (which in
88
+ practice translates to a maximum of 2 minutes as the skew can be positive or negative).
89
+
90
+ Using a timestamp requires the client's clock to be in sync with the server's clock. **Hawk** requires both the client
91
+ clock and the server clock to use NTP to ensure synchronization. However, given the limitations of some client types
92
+ (e.g. browsers) to deploy NTP, the server provides the client with its current time (in seconds precision) in response
93
+ to a bad timestamp.
94
+
95
+ There is no expectation that the client will adjust its system clock to match the server (in fact, this would be a
96
+ potential attack vector). Instead, the client only uses the server's time to calculate an offset used only
97
+ for communications with that particular server. The protocol rewards clients with synchronized clocks by reducing
98
+ the number of round trips required to authenticate the first request.
99
+
100
+
101
+ ## Usage Example
102
+
103
+ Server code:
104
+
105
+ ```javascript
106
+ var Http = require('http');
107
+ var Hawk = require('hawk');
108
+
109
+
110
+ // Credentials lookup function
111
+
112
+ var credentialsFunc = function (id, callback) {
113
+
114
+ var credentials = {
115
+ key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
116
+ algorithm: 'sha256',
117
+ user: 'Steve'
118
+ };
119
+
120
+ return callback(null, credentials);
121
+ };
122
+
123
+ // Create HTTP server
124
+
125
+ var handler = function (req, res) {
126
+
127
+ // Authenticate incoming request
128
+
129
+ Hawk.server.authenticate(req, credentialsFunc, {}, function (err, credentials, artifacts) {
130
+
131
+ // Prepare response
132
+
133
+ var payload = (!err ? 'Hello ' + credentials.user + ' ' + artifacts.ext : 'Shoosh!');
134
+ var headers = { 'Content-Type': 'text/plain' };
135
+
136
+ // Generate Server-Authorization response header
137
+
138
+ var header = Hawk.server.header(credentials, artifacts, { payload: payload, contentType: headers['Content-Type'] });
139
+ headers['Server-Authorization'] = header;
140
+
141
+ // Send the response back
142
+
143
+ res.writeHead(!err ? 200 : 401, headers);
144
+ res.end(payload);
145
+ });
146
+ };
147
+
148
+ // Start server
149
+
150
+ Http.createServer(handler).listen(8000, 'example.com');
151
+ ```
152
+
153
+ Client code:
154
+
155
+ ```javascript
156
+ var Request = require('request');
157
+ var Hawk = require('hawk');
158
+
159
+
160
+ // Client credentials
161
+
162
+ var credentials = {
163
+ id: 'dh37fgj492je',
164
+ key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
165
+ algorithm: 'sha256'
166
+ }
167
+
168
+ // Request options
169
+
170
+ var requestOptions = {
171
+ uri: 'http://example.com:8000/resource/1?b=1&a=2',
172
+ method: 'GET',
173
+ headers: {}
174
+ };
175
+
176
+ // Generate Authorization request header
177
+
178
+ var header = Hawk.client.header('http://example.com:8000/resource/1?b=1&a=2', 'GET', { credentials: credentials, ext: 'some-app-data' });
179
+ requestOptions.headers.Authorization = header.field;
180
+
181
+ // Send authenticated request
182
+
183
+ Request(requestOptions, function (error, response, body) {
184
+
185
+ // Authenticate the server's response
186
+
187
+ var isValid = Hawk.client.authenticate(response, credentials, header.artifacts, { payload: body });
188
+
189
+ // Output results
190
+
191
+ console.log(response.statusCode + ': ' + body + (isValid ? ' (valid)' : ' (invalid)'));
192
+ });
193
+ ```
194
+
195
+ **Hawk** utilized the [**SNTP**](https://github.com/hueniverse/sntp) module for time sync management. By default, the local
196
+ machine time is used. To automatically retrieve and synchronice the clock within the application, use the SNTP 'start()' method.
197
+
198
+ ```javascript
199
+ Hawk.sntp.start();
200
+ ```
201
+
202
+
203
+ ## Protocol Example
204
+
205
+ The client attempts to access a protected resource without authentication, sending the following HTTP request to
206
+ the resource server:
207
+
208
+ ```
209
+ GET /resource/1?b=1&a=2 HTTP/1.1
210
+ Host: example.com:8000
211
+ ```
212
+
213
+ The resource server returns an authentication challenge.
214
+
215
+ ```
216
+ HTTP/1.1 401 Unauthorized
217
+ WWW-Authenticate: Hawk
218
+ ```
219
+
220
+ The client has previously obtained a set of **Hawk** credentials for accessing resources on the "http://example.com/"
221
+ server. The **Hawk** credentials issued to the client include the following attributes:
222
+
223
+ * Key identifier: dh37fgj492je
224
+ * Key: werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn
225
+ * Algorithm: sha256
226
+
227
+ The client generates the authentication header by calculating a timestamp (e.g. the number of seconds since January 1,
228
+ 1970 00:00:00 GMT), generating a nonce, and constructing the normalized request string (each value followed by a newline
229
+ character):
230
+
231
+ ```
232
+ hawk.1.header
233
+ 1353832234
234
+ j4h3g2
235
+ GET
236
+ /resource/1?b=1&a=2
237
+ example.com
238
+ 8000
239
+
240
+ some-app-ext-data
241
+
242
+ ```
243
+
244
+ The request MAC is calculated using HMAC with the specified hash algorithm "sha256" and the key over the normalized request string.
245
+ The result is base64-encoded to produce the request MAC:
246
+
247
+ ```
248
+ 6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE=
249
+ ```
250
+
251
+ The client includes the **Hawk** key identifier, timestamp, nonce, application specific data, and request MAC with the request using
252
+ the HTTP `Authorization` request header field:
253
+
254
+ ```
255
+ GET /resource/1?b=1&a=2 HTTP/1.1
256
+ Host: example.com:8000
257
+ Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="some-app-ext-data", mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE="
258
+ ```
259
+
260
+ The server validates the request by calculating the request MAC again based on the request received and verifies the validity
261
+ and scope of the **Hawk** credentials. If valid, the server responds with the requested resource.
262
+
263
+
264
+ ### Payload Validation
265
+
266
+ **Hawk** provides optional payload validation. When generating the authentication header, the client calculates a payload hash
267
+ using the specified hash algorithm. The hash is calculated over the concatenated value of (each followed by a newline character):
268
+ * `hawk.1.payload`
269
+ * the content-type in lowercase, without any parameters (e.g. `application/json`)
270
+ * the request payload prior to any content encoding (the exact representation requirements should be specified by the server for payloads other than simple single-part ascii to ensure interoperability)
271
+
272
+ For example:
273
+
274
+ * Payload: `Thank you for flying Hawk`
275
+ * Content Type: `text/plain`
276
+ * Hash (sha256): `Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=`
277
+
278
+ Results in the following input to the payload hash function (newline terminated values):
279
+
280
+ ```
281
+ hawk.1.payload
282
+ text/plain
283
+ Thank you for flying Hawk
284
+
285
+ ```
286
+
287
+ Which produces the following hash value:
288
+
289
+ ```
290
+ Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=
291
+ ```
292
+
293
+ The client constructs the normalized request string (newline terminated values):
294
+
295
+ ```
296
+ hawk.1.header
297
+ 1353832234
298
+ j4h3g2
299
+ POST
300
+ /resource/1?a=1&b=2
301
+ example.com
302
+ 8000
303
+ Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=
304
+ some-app-ext-data
305
+
306
+ ```
307
+
308
+ Then calculates the request MAC and includes the **Hawk** key identifier, timestamp, nonce, payload hash, application specific data,
309
+ and request MAC, with the request using the HTTP `Authorization` request header field:
310
+
311
+ ```
312
+ POST /resource/1?a=1&b=2 HTTP/1.1
313
+ Host: example.com:8000
314
+ Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", hash="Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=", ext="some-app-ext-data", mac="aSe1DERmZuRl3pI36/9BdZmnErTw3sNzOOAUlfeKjVw="
315
+ ```
316
+
317
+ It is up to the server if and when it validates the payload for any given request, based solely on it's security policy
318
+ and the nature of the data included.
319
+
320
+ If the payload is available at the time of authentication, the server uses the hash value provided by the client to construct
321
+ the normalized string and validates the MAC. If the MAC is valid, the server calculates the payload hash and compares the value
322
+ with the provided payload hash in the header. In many cases, checking the MAC first is faster than calculating the payload hash.
323
+
324
+ However, if the payload is not available at authentication time (e.g. too large to fit in memory, streamed elsewhere, or processed
325
+ at a different stage in the application), the server may choose to defer payload validation for later by retaining the hash value
326
+ provided by the client after validating the MAC.
327
+
328
+ It is important to note that MAC validation does not mean the hash value provided by the client is valid, only that the value
329
+ included in the header was not modified. Without calculating the payload hash on the server and comparing it to the value provided
330
+ by the client, the payload may be modified by an attacker.
331
+
332
+
333
+ ## Response Payload Validation
334
+
335
+ **Hawk** provides partial response payload validation. The server includes the `Server-Authorization` response header which enables the
336
+ client to authenticate the response and ensure it is talking to the right server. **Hawk** defines the HTTP `Server-Authorization` header
337
+ as a response header using the exact same syntax as the `Authorization` request header field.
338
+
339
+ The header is contructed using the same process as the client's request header. The server uses the same credentials and other
340
+ artifacts provided by the client to constructs the normalized request string. The `ext` and `hash` values are replaced with
341
+ new values based on the server response. The rest as identical to those used by the client.
342
+
343
+ The result MAC digest is included with the optional `hash` and `ext` values:
344
+
345
+ ```
346
+ Server-Authorization: Hawk mac="XIJRsMl/4oL+nn+vKoeVZPdCHXB4yJkNnBbTbHFZUYE=", hash="f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=", ext="response-specific"
347
+ ```
348
+
349
+
350
+ ## Browser Support and Considerations
351
+
352
+ A browser script is provided for including using a `<script>` tag in [lib/browser.js](/lib/browser.js). It's also a [component](http://component.io/hueniverse/hawk).
353
+
354
+ **Hawk** relies on the _Server-Authorization_ and _WWW-Authenticate_ headers in its response to communicate with the client.
355
+ Therefore, in case of CORS requests, it is important to consider sending _Access-Control-Expose-Headers_ with the value
356
+ _"WWW-Authenticate, Server-Authorization"_ on each response from your server. As explained in the
357
+ [specifications](http://www.w3.org/TR/cors/#access-control-expose-headers-response-header), it will indicate that these headers
358
+ can safely be accessed by the client (using getResponseHeader() on the XmlHttpRequest object). Otherwise you will be met with a
359
+ ["simple response header"](http://www.w3.org/TR/cors/#simple-response-header) which excludes these fields and would prevent the
360
+ Hawk client from authenticating the requests.You can read more about the why and how in this
361
+ [article](http://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server)
362
+
363
+
364
+ # Single URI Authorization
365
+
366
+ There are cases in which limited and short-term access to a protected resource is granted to a third party which does not
367
+ have access to the shared credentials. For example, displaying a protected image on a web page accessed by anyone. **Hawk**
368
+ provides limited support for such URIs in the form of a _bewit_ - a URI query parameter appended to the request URI which contains
369
+ the necessary credentials to authenticate the request.
370
+
371
+ Because of the significant security risks involved in issuing such access, bewit usage is purposely limited only to GET requests
372
+ and for a finite period of time. Both the client and server can issue bewit credentials, however, the server should not use the same
373
+ credentials as the client to maintain clear traceability as to who issued which credentials.
374
+
375
+ In order to simplify implementation, bewit credentials do not support single-use policy and can be replayed multiple times within
376
+ the granted access timeframe.
377
+
378
+
379
+ ## Bewit Usage Example
380
+
381
+ Server code:
382
+
383
+ ```javascript
384
+ var Http = require('http');
385
+ var Hawk = require('hawk');
386
+
387
+
388
+ // Credentials lookup function
389
+
390
+ var credentialsFunc = function (id, callback) {
391
+
392
+ var credentials = {
393
+ key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
394
+ algorithm: 'sha256'
395
+ };
396
+
397
+ return callback(null, credentials);
398
+ };
399
+
400
+ // Create HTTP server
401
+
402
+ var handler = function (req, res) {
403
+
404
+ Hawk.uri.authenticate(req, credentialsFunc, {}, function (err, credentials, attributes) {
405
+
406
+ res.writeHead(!err ? 200 : 401, { 'Content-Type': 'text/plain' });
407
+ res.end(!err ? 'Access granted' : 'Shoosh!');
408
+ });
409
+ };
410
+
411
+ Http.createServer(handler).listen(8000, 'example.com');
412
+ ```
413
+
414
+ Bewit code generation:
415
+
416
+ ```javascript
417
+ var Request = require('request');
418
+ var Hawk = require('hawk');
419
+
420
+
421
+ // Client credentials
422
+
423
+ var credentials = {
424
+ id: 'dh37fgj492je',
425
+ key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
426
+ algorithm: 'sha256'
427
+ }
428
+
429
+ // Generate bewit
430
+
431
+ var duration = 60 * 5; // 5 Minutes
432
+ var bewit = Hawk.uri.getBewit('http://example.com:8080/resource/1?b=1&a=2', { credentials: credentials, ttlSec: duration, ext: 'some-app-data' });
433
+ var uri = 'http://example.com:8000/resource/1?b=1&a=2' + '&bewit=' + bewit;
434
+ ```
435
+
436
+
437
+ # Security Considerations
438
+
439
+ The greatest sources of security risks are usually found not in **Hawk** but in the policies and procedures surrounding its use.
440
+ Implementers are strongly encouraged to assess how this module addresses their security requirements. This section includes
441
+ an incomplete list of security considerations that must be reviewed and understood before deploying **Hawk** on the server.
442
+ Many of the protections provided in **Hawk** depends on whether and how they are used.
443
+
444
+ ### MAC Keys Transmission
445
+
446
+ **Hawk** does not provide any mechanism for obtaining or transmitting the set of shared credentials required. Any mechanism used
447
+ to obtain **Hawk** credentials must ensure that these transmissions are protected using transport-layer mechanisms such as TLS.
448
+
449
+ ### Confidentiality of Requests
450
+
451
+ While **Hawk** provides a mechanism for verifying the integrity of HTTP requests, it provides no guarantee of request
452
+ confidentiality. Unless other precautions are taken, eavesdroppers will have full access to the request content. Servers should
453
+ carefully consider the types of data likely to be sent as part of such requests, and employ transport-layer security mechanisms
454
+ to protect sensitive resources.
455
+
456
+ ### Spoofing by Counterfeit Servers
457
+
458
+ **Hawk** provides limited verification of the server authenticity. When receiving a response back from the server, the server
459
+ may choose to include a response `Server-Authorization` header which the client can use to verify the response. However, it is up to
460
+ the server to determine when such measure is included, to up to the client to enforce that policy.
461
+
462
+ A hostile party could take advantage of this by intercepting the client's requests and returning misleading or otherwise
463
+ incorrect responses. Service providers should consider such attacks when developing services using this protocol, and should
464
+ require transport-layer security for any requests where the authenticity of the resource server or of server responses is an issue.
465
+
466
+ ### Plaintext Storage of Credentials
467
+
468
+ The **Hawk** key functions the same way passwords do in traditional authentication systems. In order to compute the request MAC,
469
+ the server must have access to the key in plaintext form. This is in contrast, for example, to modern operating systems, which
470
+ store only a one-way hash of user credentials.
471
+
472
+ If an attacker were to gain access to these keys - or worse, to the server's database of all such keys - he or she would be able
473
+ to perform any action on behalf of any resource owner. Accordingly, it is critical that servers protect these keys from unauthorized
474
+ access.
475
+
476
+ ### Entropy of Keys
477
+
478
+ Unless a transport-layer security protocol is used, eavesdroppers will have full access to authenticated requests and request
479
+ MAC values, and will thus be able to mount offline brute-force attacks to recover the key used. Servers should be careful to
480
+ assign keys which are long enough, and random enough, to resist such attacks for at least the length of time that the **Hawk**
481
+ credentials are valid.
482
+
483
+ For example, if the credentials are valid for two weeks, servers should ensure that it is not possible to mount a brute force
484
+ attack that recovers the key in less than two weeks. Of course, servers are urged to err on the side of caution, and use the
485
+ longest key reasonable.
486
+
487
+ It is equally important that the pseudo-random number generator (PRNG) used to generate these keys be of sufficiently high
488
+ quality. Many PRNG implementations generate number sequences that may appear to be random, but which nevertheless exhibit
489
+ patterns or other weaknesses which make cryptanalysis or brute force attacks easier. Implementers should be careful to use
490
+ cryptographically secure PRNGs to avoid these problems.
491
+
492
+ ### Coverage Limitations
493
+
494
+ The request MAC only covers the HTTP `Host` header and optionally the `Content-Type` header. It does not cover any other headers
495
+ which can often affect how the request body is interpreted by the server. If the server behavior is influenced by the presence
496
+ or value of such headers, an attacker can manipulate the request headers without being detected. Implementers should use the
497
+ `ext` feature to pass application-specific information via the `Authorization` header which is protected by the request MAC.
498
+
499
+ The response authentication, when performed, only covers the response payload, content-type, and the request information
500
+ provided by the client in it's request (method, resource, timestamp, nonce, etc.). It does not cover the HTTP status code or
501
+ any other response header field (e.g. Location) which can affect the client's behaviour.
502
+
503
+ ### Future Time Manipulation
504
+
505
+ The protocol relies on a clock sync between the client and server. To accomplish this, the server informs the client of its
506
+ current time when an invalid timestamp is received.
507
+
508
+ If an attacker is able to manipulate this information and cause the client to use an incorrect time, it would be able to cause
509
+ the client to generate authenticated requests using time in the future. Such requests will fail when sent by the client, and will
510
+ not likely leave a trace on the server (given the common implementation of nonce, if at all enforced). The attacker will then
511
+ be able to replay the request at the correct time without detection.
512
+
513
+ The client must only use the time information provided by the server if:
514
+ * it was delivered over a TLS connection and the server identity has been verified, or
515
+ * the `tsm` MAC digest calculated using the same client credentials over the timestamp has been verified.
516
+
517
+ ### Client Clock Poisoning
518
+
519
+ When receiving a request with a bad timestamp, the server provides the client with its current time. The client must never use
520
+ the time received from the server to adjust its own clock, and must only use it to calculate an offset for communicating with
521
+ that particular server.
522
+
523
+ ### Bewit Limitations
524
+
525
+ Special care must be taken when issuing bewit credentials to third parties. Bewit credentials are valid until expiration and cannot
526
+ be revoked or limited without using other means. Whatever resource they grant access to will be completely exposed to anyone with
527
+ access to the bewit credentials which act as bearer credentials for that particular resource. While bewit usage is limited to GET
528
+ requests only and therefore cannot be used to perform transactions or change server state, it can still be used to expose private
529
+ and sensitive information.
530
+
531
+ ### Host Header Forgery
532
+
533
+ Hawk validates the incoming request MAC against the incoming HTTP Host header. However, unless the optional `host` and `port`
534
+ options are used with `server.authenticate()`, a malicous client can mint new host names pointing to the server's IP address and
535
+ use that to craft an attack by sending a valid request that's meant for another hostname than the one used by the server. Server
536
+ implementors must manually verify that the host header received matches their expectation (or use the options mentioned above).
537
+
538
+ # Frequently Asked Questions
539
+
540
+ ### Where is the protocol specification?
541
+
542
+ If you are looking for some prose explaining how all this works, **this is it**. **Hawk** is being developed as an open source
543
+ project instead of a standard. In other words, the [code](/hueniverse/hawk/tree/master/lib) is the specification. Not sure about
544
+ something? Open an issue!
545
+
546
+ ### Is it done?
547
+
548
+ As of version 0.10.0, **Hawk** is feature-complete. However, until this module reaches version 1.0.0 it is considered experimental
549
+ and is likely to change. This also means your feedback and contribution are very welcome. Feel free to open issues with questions
550
+ and suggestions.
551
+
552
+ ### Where can I find **Hawk** implementations in other languages?
553
+
554
+ **Hawk**'s only reference implementation is provided in JavaScript as a node.js module. However, it has been ported to other languages.
555
+ The full list is maintained [here](https://github.com/hueniverse/hawk/issues?labels=port&state=closed). Please add an issue if you are
556
+ working on another port. A cross-platform test-suite is in the works.
557
+
558
+ ### Why isn't the algorithm part of the challenge or dynamically negotiated?
559
+
560
+ The algorithm used is closely related to the key issued as different algorithms require different key sizes (and other
561
+ requirements). While some keys can be used for multiple algorithm, the protocol is designed to closely bind the key and algorithm
562
+ together as part of the issued credentials.
563
+
564
+ ### Why is Host and Content-Type the only headers covered by the request MAC?
565
+
566
+ It is really hard to include other headers. Headers can be changed by proxies and other intermediaries and there is no
567
+ well-established way to normalize them. Many platforms change the case of header field names and values. The only
568
+ straight-forward solution is to include the headers in some blob (say, base64 encoded JSON) and include that with the request,
569
+ an approach taken by JWT and other such formats. However, that design violates the HTTP header boundaries, repeats information,
570
+ and introduces other security issues because firewalls will not be aware of these "hidden" headers. In addition, any information
571
+ repeated must be compared to the duplicated information in the header and therefore only moves the problem elsewhere.
572
+
573
+ ### Why not just use HTTP Digest?
574
+
575
+ Digest requires pre-negotiation to establish a nonce. This means you can't just make a request - you must first send
576
+ a protocol handshake to the server. This pattern has become unacceptable for most web services, especially mobile
577
+ where extra round-trip are costly.
578
+
579
+ ### Why bother with all this nonce and timestamp business?
580
+
581
+ **Hawk** is an attempt to find a reasonable, practical compromise between security and usability. OAuth 1.0 got timestamp
582
+ and nonces halfway right but failed when it came to scalability and consistent developer experience. **Hawk** addresses
583
+ it by requiring the client to sync its clock, but provides it with tools to accomplish it.
584
+
585
+ In general, replay protection is a matter of application-specific threat model. It is less of an issue on a TLS-protected
586
+ system where the clients are implemented using best practices and are under the control of the server. Instead of dropping
587
+ replay protection, **Hawk** offers a required time window and an optional nonce verification. Together, it provides developers
588
+ with the ability to decide how to enforce their security policy without impacting the client's implementation.
589
+
590
+ ### What are `app` and `dlg` in the authorization header and normalized mac string?
591
+
592
+ The original motivation for **Hawk** was to replace the OAuth 1.0 use cases. This included both a simple client-server mode which
593
+ this module is specifically designed for, and a delegated access mode which is being developed separately in
594
+ [Oz](https://github.com/hueniverse/oz). In addition to the **Hawk** use cases, Oz requires another attribute: the application id `app`.
595
+ This provides binding between the credentials and the application in a way that prevents an attacker from tricking an application
596
+ to use credentials issued to someone else. It also has an optional 'delegated-by' attribute `dlg` which is the application id of the
597
+ application the credentials were directly issued to. The goal of these two additions is to allow Oz to utilize **Hawk** directly,
598
+ but with the additional security of delegated credentials.
599
+
600
+ ### What is the purpose of the static strings used in each normalized MAC input?
601
+
602
+ When calculating a hash or MAC, a static prefix (tag) is added. The prefix is used to prevent MAC values from being
603
+ used or reused for a purpose other than what they were created for (i.e. prevents switching MAC values between a request,
604
+ response, and a bewit use cases). It also protects against exploits created after a potential change in how the protocol
605
+ creates the normalized string. For example, if a future version would switch the order of nonce and timestamp, it
606
+ can create an exploit opportunity for cases where the nonce is similar in format to a timestamp.
607
+
608
+ ### Does **Hawk** have anything to do with OAuth?
609
+
610
+ Short answer: no.
611
+
612
+ **Hawk** was originally proposed as the OAuth MAC Token specification. However, the OAuth working group in its consistent
613
+ incompetence failed to produce a final, usable solution to address one of the most popular use cases of OAuth 1.0 - using it
614
+ to authenticate simple client-server transactions (i.e. two-legged). As you can guess, the OAuth working group is still hard
615
+ at work to produce more garbage.
616
+
617
+ **Hawk** provides a simple HTTP authentication scheme for making client-server requests. It does not address the OAuth use case
618
+ of delegating access to a third party. If you are looking for an OAuth alternative, check out [Oz](https://github.com/hueniverse/oz).
619
+
620
+ # Implementations
621
+
622
+ - [Logibit Hawk in F#/.Net](https://github.com/logibit/logibit.hawk/)
623
+ - [Tent Hawk in Ruby](https://github.com/tent/hawk-ruby)
624
+ - [Wealdtech in Java](https://github.com/wealdtech/hawk)
625
+ - [Kumar's Mohawk in Python](https://github.com/kumar303/mohawk/)
626
+
627
+ # Acknowledgements
628
+
629
+ **Hawk** is a derivative work of the [HTTP MAC Authentication Scheme](http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05) proposal
630
+ co-authored by Ben Adida, Adam Barth, and Eran Hammer, which in turn was based on the OAuth 1.0 community specification.
631
+
632
+ Special thanks to Ben Laurie for his always insightful feedback and advice.
633
+
634
+ The **Hawk** logo was created by [Chris Carrasco](http://chriscarrasco.com).