npm package discovery and stats viewer.


© 2024 – Pkg Stats / Ryan Hefner

passport-hmac

v1.0.4

Published

HMAC authentication strategy for Passport

Downloads

322

Readme


passport-hmac

HMAC authentication strategy for Passport.

This module lets you authenticate HTTP requests in your Node.js application using AWS Signature Version 2 style HMAC request signing. This authentication method is typically used to protect RESTful API endpoints.

By plugging into Passport, HMAC authentication support can be easily and unobtrusively integrated into any application or framework that supports Connect-style middleware, including Express and Koa.

Authentication Header

The HMAC authentication strategy authenticates users using an HTTP Authorization header made up of three pieces: the identifier, the public key, and the signature.

The identifier can be anything you like; for example, in AWS the identifier is 'AWS'. This value is not currently used, but it is intended to be made available in the future as another source for validating the request, if needed.

The second piece is the public key, which is typically issued by the service being authenticated against and identifies the requester.

The signature is the final piece and is an RFC 2104 HMAC-SHA1 over selected parts of the request. If the signature calculated by the service matches the signature provided in the Authorization header, the requester has shown that they possess the secret access key that corresponds to the public key.

The following pseudo-grammar is adapted from the AWS Signature 2 documentation.

Authorization = "identifier" + " " + publicKey + ":" + signature;

signature = Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) );

StringToSign = HTTP-Verb + "\n" +
	Content-MD5 + "\n" +
	Content-Type + "\n" +
	Date + "\n";

The elements in StringToSign are positional: the header names are not included, only their values, each terminated by a newline. If a positional header is not present in the request (for example, Content-Type and Content-MD5 are meaningless in a GET request), substitute an empty string for that position.

TODO: implement Time Stamp Requirement

Install

$ npm install passport-hmac

Usage

Configure Strategy

This strategy requires a verify callback. By default it accepts two parameters: the publicKey and a done callback.

If the passReqToCallback option is set to true, the request is passed as the first parameter ahead of the publicKey, so the callback receives three parameters: the request, publicKey, and the done callback.

The publicKey is used to look up a user in your system and find the private key that the strategy uses to recompute and compare the signature.

The done callback MUST be called at some point, with an error, with false if no user was found, or with the user and their private key if the user was found.

passport.use(new HmacStrategy(
  function(publicKey, done) {
    // Look up the user by the public key taken from the Authorization header.
    User.findOne({ publicKey: publicKey }, function(err, user) {
      if (err) { return done(err); }
      if (!user) { return done(null, false); }
      // Hand back the user and their private key; the strategy verifies the signature.
      return done(null, user, user.privateKey);
    });
  }
));

Available options

This strategy accepts an optional options hash before the verify callback, e.g., new HmacStrategy({/* options */}, callback).

The available options are:

  • passReqToCallback - Optional, defaults to false. When true, the request is passed as the first parameter to the supplied callback.
  • badRequestMessage - Optional, defaults to null. If set, it is used in place of the default error messages returned when an error occurs.

Authenticate Requests

Use passport.authenticate(), specifying the 'hmac' strategy, to authenticate requests.

For example, as route middleware in an Express application:

app.post('/profile',
  passport.authenticate('hmac'),
  function(req, res) {
    // req.user is the user object handed to done() by the verify callback.
    res.json(req.user);
  }
);

Examples

TODO: write some Examples

Tests

$ npm install
$ npm test

Credits

License

The MIT License