This repository was archived by the owner on Oct 25, 2024. It is now read-only.

HTTP Signature support for Django REST framework


ahknight/drf-httpsig

Easy HTTP Signature authentication support for the Django REST framework.

The HTTP Signature scheme provides a way to achieve origin authentication and message integrity for HTTP messages. It is similar to Amazon's HTTP Signature scheme, used by many of its services. The HTTP Signature specification is currently an IETF draft.

  • Python 2.7, 3.3+ (currently tested up to 3.4)
  • httpsig

This module uses setuptools and is hosted on PyPI, so installation is as easy as:

pip install drf-httpsig

This should also install the httpsig module which houses all the magic; this module is pure DRF glue (as it should be).

You can also run setup.py from inside a clone of the repository:

python setup.py install

Note that if you do so, modules with a version requirement may attempt to re-install the module as versioneer may report a different version, especially if your clone of the repo has any uncommitted/untagged changes.

To run the tests for the module, use the following command on the repository root directory:

python setup.py test

Note that testing depends on django-nose, which will be installed before testing. You may also run the tests with tox using the included tox.ini file, which has the benefit of keeping all testing dependencies in a venv automatically:

tox -e py27,py32,...

To actually authenticate HTTP requests with this module, you need to extend the SignatureAuthentication class, as follows:

```python
# my_api/auth.py

from drf_httpsig.authentication import SignatureAuthentication

# User is assumed to be your own model with keyId, algo and secret fields.


class MyAPISignatureAuthentication(SignatureAuthentication):
    # The HTTP header used to pass the consumer key ID.

    # A method to fetch (User instance, user_secret_string) from the
    # consumer key ID, or None in case it is not found. Algorithm
    # will be what the client has sent, in the case that both RSA
    # and HMAC are supported at your site (and also for expansion).
    def fetch_user_data(self, key_id, algorithm="hmac-sha256"):
        # ...
        # example implementation:
        try:
            user = User.objects.get(keyId=key_id, algo=algorithm)
            return (user, user.secret)
        except User.DoesNotExist:
            return (None, None)
```

Configure DRF to use your authentication class; e.g.:

```python
# my_project/settings.py

# ...

REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'my_api.auth.MyAPISignatureAuthentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    )
}
# The above will force HTTP signature for all requests.

# ...
```

Please file any issues in the issue tracker. You are also welcome to contribute features and fixes via pull requests.

Assuming the setup detailed above, a project running on localhost:8000 could be probed with cURL as follows:

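```
# Pre-calculate this first bit: Base64(Hmac(SECRET, "date: <value>", SHA256)).
# SECRET must hold the shared secret for keyId "my-key".
~$ DATE='Mon, 17 Feb 2014 06:11:05 GMT'
~$ SSS=$(printf 'date: %s' "$DATE" | openssl dgst -sha256 -hmac "$SECRET" -binary | base64)
~$ curl -v -H "Date: $DATE" -H "Authorization: Signature keyId=\"my-key\",algorithm=\"hmac-sha256\",headers=\"date\",signature=\"$SSS\"" http://localhost:8000/resource/
```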

And, with much less pain, using the modules requests and httpsig:

```python
import requests
from httpsig.requests_auth import HTTPSignatureAuth

KEY_ID = 'su-key'
SECRET = 'my secret string'

signature_headers = ['(request-target)', 'accept', 'date', 'host']
headers = {
    'Host': 'localhost:8000',
    'Accept': 'application/json',
    'Date': "Mon, 17 Feb 2014 06:11:05 GMT"
}

auth = HTTPSignatureAuth(key_id=KEY_ID, secret=SECRET,
                         algorithm='hmac-sha256',
                         headers=signature_headers)
req = requests.get('http://localhost:8000/resource/',
                   auth=auth, headers=headers)
print(req.content)
```
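What the signature in the two client examples above actually covers, as an added example (not code from drf-httpsig or httpsig): a standard-library implementation of hmac-sha256 signing and server-side verification using the HTTP Signature draft's signing-string rules. The function names, the `signed_request` helper and the `required` parameter are assumptions made for illustration; the sample request is constructed from the values in the requests example.

```python
import base64
import hashlib
import hmac
import re

def signing_string(method, path, headers, signed):
    """One 'name: value' line per signed header, in the order listed."""
    lower = {k.lower(): v for k, v in headers.items()}
    lines = []
    for name in signed:
        if name == "(request-target)":
            lines.append("(request-target): %s %s" % (method.lower(), path))
        else:
            lines.append("%s: %s" % (name, lower[name]))  # KeyError if absent
    return "\n".join(lines)

def compute_signature(secret, method, path, headers, signed):
    msg = signing_string(method, path, headers, signed).encode()
    digest = hmac.new(secret.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def authorization_header(key_id, secret, method, path, headers, signed):
    sig = compute_signature(secret, method, path, headers, signed)
    return ('Signature keyId="%s",algorithm="hmac-sha256",headers="%s",signature="%s"'
            % (key_id, " ".join(signed), sig))

def verify(secret, method, path, headers, required=()):
    """Server side: recompute the HMAC over what the client says it signed.
    `required` (an added hardening, not a drf-httpsig option) names headers
    that must be covered by the signature."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("Authorization", "")))
    if params.get("algorithm") != "hmac-sha256" or "signature" not in params:
        return False
    signed = params.get("headers", "date").split()
    if not set(required) <= set(signed):
        return False
    try:
        expected = compute_signature(secret, method, path, headers, signed)
    except KeyError:  # a header listed in headers="..." is missing
        return False
    return hmac.compare_digest(expected.encode(), params["signature"].encode())

# Constructed sample request, reusing the values of the requests example.
SECRET = "my secret string"
BASE = {"Host": "localhost:8000", "Accept": "application/json",
        "Date": "Mon, 17 Feb 2014 06:11:05 GMT"}

def signed_request(signed):
    auth = authorization_header("su-key", SECRET, "GET", "/resource/", BASE, signed)
    return dict(BASE, Authorization=auth)
```

Only the headers named in `headers="..."` are integrity-protected: a request signed over `date` alone, as in the cURL example, verifies for any method and path, while one that also signs `(request-target)` does not. Passing `required=("(request-target)", "date")` to `verify` rejects signatures that leave those out.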
