Class: Warden::Strategies::HMAC::Header

Inherits:

Base

• Object
• Base
• Base
• Warden::Strategies::HMAC::Header

Defined in:

lib/hmac/strategies/header.rb

Overview

Implements header-based hmac authentication for warden. The strategy is registered as ‘:hmac_header` in the warden strategy list.

Author:

• Felix Gilcher <felix.gilcher@asquera.de>

Instance Method Summary

• #given_signature ⇒ String

  retrieve the signature from the request.

• #nonce ⇒ String

  retrieve the nonce from the request.

• #parsed_auth_header ⇒ Hash

  parses the authentication header from the request using the regexp or proc given in the :auth_header_parse option.

• #request_timestamp ⇒ String

  retrieve the request timestamp as string.

• #signature_valid? ⇒ Bool

  Check that the signature given in the request is valid.

• #valid? ⇒ Bool

  Checks that this strategy applies.

Methods inherited from Base

#authenticate!, #debug, #headers, #logger, #params, #request_method, #retrieve_user

Instance Method Details

#given_signature ⇒ String

retrieve the signature from the request

Returns:

• (String) —

  The signature from the request

# File 'lib/hmac/strategies/header.rb', line 55

def given_signature
  parsed_auth_header['signature']
end

#nonce ⇒ String

retrieve the nonce from the request

Returns:

• (String) —

  The nonce or an empty string if no nonce was given in the request

# File 'lib/hmac/strategies/header.rb', line 75

def nonce
  headers[nonce_header_name]
end

#parsed_auth_header ⇒ Hash

parses the authentication header from the request using the regexp or proc given in the :auth_header_parse option. The result is memoized

Returns:

• (Hash) —

  The parsed header

# File 'lib/hmac/strategies/header.rb', line 64

def parsed_auth_header
  if @parsed_auth_header.nil?
    @parsed_auth_header = auth_header_parse.match(headers[auth_header]) || {}
  end
  
  @parsed_auth_header
end

#request_timestamp ⇒ String

retrieve the request timestamp as string

Returns:

• (String) —

  The request timestamp or an empty string if no timestamp was given in the request

# File 'lib/hmac/strategies/header.rb', line 82

def request_timestamp
  headers[date_header]
end

#signature_valid? ⇒ Bool

Check that the signature given in the request is valid.

Returns:

• (Bool) —

  true if the request is valid

# File 'lib/hmac/strategies/header.rb', line 26

def signature_valid?
    
  #:method => "GET",
  #:date => "Mon, 20 Jun 2011 12:06:11 GMT",
  #:nonce => "TESTNONCE",
  #:path => "/example",
  #:query => {
  #  "foo" => "bar",
  #  "baz" => "foobared"
  #},
  #:headers => {
  #  "Content-Type" => "application/json;charset=utf8",
  #  "Content-MD5" => "d41d8cd98f00b204e9800998ecf8427e"
  #}
    
  hmac.validate_signature(given_signature, {
    :secret => secret,
    :method => request_method,
    :date => request_timestamp,
    :nonce => nonce,
    :path => request.path,
    :query => params,
    :headers => headers.select {|name, value| optional_headers.include? name}
  })
end

#valid? ⇒ Bool

Checks that this strategy applies. Tests that the required authentication information was given.

Returns:

• (Bool) —

  true if all required authentication information is available in the request

See Also:

• https://github.com/hassox/warden/wiki/Strategies

# File 'lib/hmac/strategies/header.rb', line 17

def valid?
  valid = required_headers.all? { |h| headers.include?(h) } && headers.include?("AUTHORIZATION") && has_timestamp?
  valid = valid && scheme_valid?
  valid
end