diff options
| author | Arman Shah <[email protected]> | 2018-02-19 23:50:04 -0800 |
|---|---|---|
| committer | Arman Shah <[email protected]> | 2018-02-19 23:50:04 -0800 |
| commit | ae34dcfd3823a609ba7182f2d6eda593be876f7d (patch) | |
| tree | b9d7f2884c4999349418cbdc4f9ab46d113e0afd /node_modules/hawk | |
| parent | Initial commit (diff) | |
| download | launcher-ae34dcfd3823a609ba7182f2d6eda593be876f7d.tar.xz launcher-ae34dcfd3823a609ba7182f2d6eda593be876f7d.zip | |
add base files
Diffstat (limited to 'node_modules/hawk')
| -rwxr-xr-x | node_modules/hawk/.npmignore | 5 | ||||
| -rwxr-xr-x | node_modules/hawk/LICENSE | 28 | ||||
| -rwxr-xr-x | node_modules/hawk/README.md | 637 | ||||
| -rwxr-xr-x | node_modules/hawk/client.js | 3 | ||||
| -rw-r--r-- | node_modules/hawk/dist/browser.js | 793 | ||||
| -rwxr-xr-x | node_modules/hawk/lib/browser.js | 653 | ||||
| -rwxr-xr-x | node_modules/hawk/lib/client.js | 394 | ||||
| -rwxr-xr-x | node_modules/hawk/lib/crypto.js | 128 | ||||
| -rwxr-xr-x | node_modules/hawk/lib/index.js | 17 | ||||
| -rwxr-xr-x | node_modules/hawk/lib/server.js | 550 | ||||
| -rwxr-xr-x | node_modules/hawk/lib/utils.js | 186 | ||||
| -rwxr-xr-x | node_modules/hawk/package.json | 78 |
12 files changed, 3472 insertions, 0 deletions
diff --git a/node_modules/hawk/.npmignore b/node_modules/hawk/.npmignore new file mode 100755 index 0000000..7144676 --- /dev/null +++ b/node_modules/hawk/.npmignore @@ -0,0 +1,5 @@ +*
+!lib/**
+!dist/**
+!client.js
+!.npmignore
diff --git a/node_modules/hawk/LICENSE b/node_modules/hawk/LICENSE new file mode 100755 index 0000000..b43dce1 --- /dev/null +++ b/node_modules/hawk/LICENSE @@ -0,0 +1,28 @@ +Copyright (c) 2012-2017, Eran Hammer and Project contributors +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * The names of any contributors may not be used to endorse or promote + products derived from this software without specific prior written + permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS AND CONTRIBUTORS BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + * * * + +The complete list of contributors can be found at: https://github.com/hueniverse/hawk/graphs/contributors diff --git a/node_modules/hawk/README.md b/node_modules/hawk/README.md new file mode 100755 index 0000000..fc5dd6d --- /dev/null +++ b/node_modules/hawk/README.md @@ -0,0 +1,637 @@ + + +<img align="right" src="https://raw.github.com/hueniverse/hawk/master/images/logo.png" /> **Hawk** is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial +HTTP request cryptographic verification. For more complex use cases such as access delegation, see [Oz](https://github.com/hueniverse/oz). + +Current version: **6.x** + +Note: 6.x, 5.x, 4.x, 3.x, and 2.x are the same exact protocol as 1.1. The version increments reflect changes in the node API. + +[](https://travis-ci.org/hueniverse/hawk) + +# Table of Content + +- [**Introduction**](#introduction) + - [Replay Protection](#replay-protection) + - [Usage Example](#usage-example) + - [Protocol Example](#protocol-example) + - [Payload Validation](#payload-validation) + - [Response Payload Validation](#response-payload-validation) + - [Browser Support and Considerations](#browser-support-and-considerations) +- [**Single URI Authorization**](#single-uri-authorization) + - [Usage Example](#bewit-usage-example) +- [**Security Considerations**](#security-considerations) + - [MAC Keys Transmission](#mac-keys-transmission) + - [Confidentiality of Requests](#confidentiality-of-requests) + - [Spoofing by Counterfeit Servers](#spoofing-by-counterfeit-servers) + - [Plaintext Storage of Credentials](#plaintext-storage-of-credentials) + - [Entropy of Keys](#entropy-of-keys) + - [Coverage Limitations](#coverage-limitations) + - [Future Time Manipulation](#future-time-manipulation) + - [Client Clock Poisoning](#client-clock-poisoning) + - [Bewit Limitations](#bewit-limitations) + - [Host Header Forgery](#host-header-forgery) +- [**Frequently Asked Questions**](#frequently-asked-questions) +- [**Implementations**](#implementations) +- [**Acknowledgements**](#acknowledgements) + +# Introduction + +**Hawk** is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with +partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, +and optionally the request payload. + +Similar to the HTTP [Digest access authentication schemes](http://www.ietf.org/rfc/rfc2617.txt), **Hawk** uses a set of +client credentials which include an identifier (e.g. username) and key (e.g. password). Likewise, just as with the Digest scheme, +the key is never included in authenticated requests. Instead, it is used to calculate a request MAC value which is +included in its place. + +However, **Hawk** has several differences from Digest. In particular, while both use a nonce to limit the possibility of +replay attacks, in **Hawk** the client generates the nonce and uses it in combination with a timestamp, leading to less +"chattiness" (interaction with the server). + +Also unlike Digest, this scheme is not intended to protect the key itself (the password in Digest) because +the client and server must both have access to the key material in the clear. + +The primary design goals of this scheme are to: +* simplify and improve HTTP authentication for services that are unwilling or unable to deploy TLS for all resources, +* secure credentials against leakage (e.g., when the client uses some form of dynamic configuration to determine where + to send an authenticated request), and +* avoid the exposure of credentials sent to a malicious server over an unauthenticated secure channel due to client + failure to validate the server's identity as part of its TLS handshake. + +In addition, **Hawk** supports a method for granting third-parties temporary access to individual resources using +a query parameter called _bewit_ (in falconry, a leather strap used to attach a tracking device to the leg of a hawk). + +The **Hawk** scheme requires the establishment of a shared symmetric key between the client and the server, +which is beyond the scope of this module. Typically, the shared credentials are established via an initial +TLS-protected phase or derived from some other shared confidential information available to both the client +and the server. + + +## Replay Protection + +Without replay protection, an attacker can use a compromised (but otherwise valid and authenticated) request more +than once, gaining access to a protected resource. To mitigate this, clients include both a nonce and a timestamp when +making requests. This gives the server enough information to prevent replay attacks. + +The nonce is generated by the client, and is a string unique across all requests with the same timestamp and +key identifier combination. + +The timestamp enables the server to restrict the validity period of the credentials where requests occurring afterwards +are rejected. It also removes the need for the server to retain an unbounded number of nonce values for future checks. +By default, **Hawk** uses a time window of 1 minute to allow for time skew between the client and server (which in +practice translates to a maximum of 2 minutes as the skew can be positive or negative). + +Using a timestamp requires the client's clock to be in sync with the server's clock. **Hawk** requires both the client +clock and the server clock to use NTP to ensure synchronization. However, given the limitations of some client types +(e.g. browsers) to deploy NTP, the server provides the client with its current time (in seconds precision) in response +to a bad timestamp. + +There is no expectation that the client will adjust its system clock to match the server (in fact, this would be a +potential attack vector). Instead, the client only uses the server's time to calculate an offset used only +for communications with that particular server. The protocol rewards clients with synchronized clocks by reducing +the number of round trips required to authenticate the first request. + + +## Usage Example + +Server code: + +```javascript +const Http = require('http'); +const Hawk = require('hawk'); + + +// Credentials lookup function + +const credentialsFunc = function (id, callback) { + + const credentials = { + key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', + algorithm: 'sha256', + user: 'Steve' + }; + + return callback(null, credentials); +}; + +// Create HTTP server + +const handler = function (req, res) { + + // Authenticate incoming request + + Hawk.server.authenticate(req, credentialsFunc, {}, (err, credentials, artifacts) => { + + // Prepare response + + const payload = (!err ? `Hello ${credentials.user} ${artifacts.ext}` : 'Shoosh!'); + const headers = { 'Content-Type': 'text/plain' }; + + // Generate Server-Authorization response header + + const header = Hawk.server.header(credentials, artifacts, { payload, contentType: headers['Content-Type'] }); + headers['Server-Authorization'] = header; + + // Send the response back + + res.writeHead(!err ? 200 : 401, headers); + res.end(payload); + }); +}; + +// Start server + +Http.createServer(handler).listen(8000, 'example.com'); +``` + +Client code: + +```javascript +const Request = require('request'); +const Hawk = require('hawk'); + + +// Client credentials + +const credentials = { + id: 'dh37fgj492je', + key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', + algorithm: 'sha256' +} + +// Request options + +const requestOptions = { + uri: 'http://example.com:8000/resource/1?b=1&a=2', + method: 'GET', + headers: {} +}; + +// Generate Authorization request header + +const header = Hawk.client.header('http://example.com:8000/resource/1?b=1&a=2', 'GET', { credentials: credentials, ext: 'some-app-data' }); +requestOptions.headers.Authorization = header.field; + +// Send authenticated request + +Request(requestOptions, function (error, response, body) { + + // Authenticate the server's response + + const isValid = Hawk.client.authenticate(response, credentials, header.artifacts, { payload: body }); + + // Output results + + console.log(`${response.statusCode}: ${body}` + (isValid ? ' (valid)' : ' (invalid)')); +}); +``` + +**Hawk** utilized the [**SNTP**](https://github.com/hueniverse/sntp) module for time sync management. By default, the local +machine time is used. To automatically retrieve and synchronize the clock within the application, use the SNTP 'start()' method. + +```javascript +Hawk.sntp.start(); +``` + + +## Protocol Example + +The client attempts to access a protected resource without authentication, sending the following HTTP request to +the resource server: + +``` +GET /resource/1?b=1&a=2 HTTP/1.1 +Host: example.com:8000 +``` + +The resource server returns an authentication challenge. + +``` +HTTP/1.1 401 Unauthorized +WWW-Authenticate: Hawk +``` + +The client has previously obtained a set of **Hawk** credentials for accessing resources on the "`http://example.com/`" +server. The **Hawk** credentials issued to the client include the following attributes: + +* Key identifier: `dh37fgj492je` +* Key: `werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn` +* Algorithm: `hmac sha256` +* Hash: `6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE=` + +The client generates the authentication header by calculating a timestamp (e.g. the number of seconds since January 1, +1970 00:00:00 GMT), generating a nonce, and constructing the normalized request string (each value followed by a newline +character): + +``` +hawk.1.header +1353832234 +j4h3g2 +GET +/resource/1?b=1&a=2 +example.com +8000 + +some-app-ext-data + +``` + +The request MAC is calculated using HMAC with the specified hash algorithm "`sha256`" and the key over the normalized request string. +The result is base64-encoded to produce the request MAC: + +``` +6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE= +``` + +The client includes the **Hawk** key identifier, timestamp, nonce, application specific data, and request MAC with the request using +the HTTP `Authorization` request header field: + +``` +GET /resource/1?b=1&a=2 HTTP/1.1 +Host: example.com:8000 +Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="some-app-ext-data", mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE=" +``` + +The server validates the request by calculating the request MAC again based on the request received and verifies the validity +and scope of the **Hawk** credentials. If valid, the server responds with the requested resource. + + +### Payload Validation + +**Hawk** provides optional payload validation. When generating the authentication header, the client calculates a payload hash +using the specified hash algorithm. The hash is calculated over the concatenated value of (each followed by a newline character): +* `hawk.1.payload` +* the content-type in lowercase, without any parameters (e.g. `application/json`) +* the request payload prior to any content encoding (the exact representation requirements should be specified by the server for payloads other than simple single-part ascii to ensure interoperability) + +For example: + +* Payload: `Thank you for flying Hawk` +* Content Type: `text/plain` +* Algorithm: `sha256` +* Hash: `Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=` + +Results in the following input to the payload hash function (newline terminated values): + +``` +hawk.1.payload +text/plain +Thank you for flying Hawk + +``` + +Which produces the following hash value: + +``` +Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY= +``` + +The client constructs the normalized request string (newline terminated values): + +``` +hawk.1.header +1353832234 +j4h3g2 +POST +/resource/1?a=1&b=2 +example.com +8000 +Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY= +some-app-ext-data + +``` + +Then calculates the request MAC and includes the **Hawk** key identifier, timestamp, nonce, payload hash, application specific data, +and request MAC, with the request using the HTTP `Authorization` request header field: + +``` +POST /resource/1?a=1&b=2 HTTP/1.1 +Host: example.com:8000 +Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", hash="Yi9LfIIFRtBEPt74PVmbTF/xVAwPn7ub15ePICfgnuY=", ext="some-app-ext-data", mac="aSe1DERmZuRl3pI36/9BdZmnErTw3sNzOOAUlfeKjVw=" +``` + +It is up to the server if and when it validates the payload for any given request, based solely on its security policy +and the nature of the data included. + +If the payload is available at the time of authentication, the server uses the hash value provided by the client to construct +the normalized string and validates the MAC. If the MAC is valid, the server calculates the payload hash and compares the value +with the provided payload hash in the header. In many cases, checking the MAC first is faster than calculating the payload hash. + +However, if the payload is not available at authentication time (e.g. too large to fit in memory, streamed elsewhere, or processed +at a different stage in the application), the server may choose to defer payload validation for later by retaining the hash value +provided by the client after validating the MAC. + +It is important to note that MAC validation does not mean the hash value provided by the client is valid, only that the value +included in the header was not modified. Without calculating the payload hash on the server and comparing it to the value provided +by the client, the payload may be modified by an attacker. + + +## Response Payload Validation + +**Hawk** provides partial response payload validation. The server includes the `Server-Authorization` response header which enables the +client to authenticate the response and ensure it is talking to the right server. **Hawk** defines the HTTP `Server-Authorization` header +as a response header using the exact same syntax as the `Authorization` request header field. + +The header is constructed using the same process as the client's request header. The server uses the same credentials and other +artifacts provided by the client to constructs the normalized request string. The `ext` and `hash` values are replaced with +new values based on the server response. The rest as identical to those used by the client. + +The result MAC digest is included with the optional `hash` and `ext` values: + +``` +Server-Authorization: Hawk mac="XIJRsMl/4oL+nn+vKoeVZPdCHXB4yJkNnBbTbHFZUYE=", hash="f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=", ext="response-specific" +``` + + +## Browser Support and Considerations + +A browser script is provided for including using a `<script>` tag in [lib/browser.js](/lib/browser.js). It's also a [component](http://component.io/hueniverse/hawk). + +**Hawk** relies on the _Server-Authorization_ and _WWW-Authenticate_ headers in its response to communicate with the client. +Therefore, in case of CORS requests, it is important to consider sending _Access-Control-Expose-Headers_ with the value +_"WWW-Authenticate, Server-Authorization"_ on each response from your server. As explained in the +[specifications](http://www.w3.org/TR/cors/#access-control-expose-headers-response-header), it will indicate that these headers +can safely be accessed by the client (using getResponseHeader() on the XmlHttpRequest object). Otherwise you will be met with a +["simple response header"](http://www.w3.org/TR/cors/#simple-response-header) which excludes these fields and would prevent the +Hawk client from authenticating the requests.You can read more about the why and how in this +[article](http://www.html5rocks.com/en/tutorials/cors/#toc-adding-cors-support-to-the-server) + + +# Single URI Authorization + +There are cases in which limited and short-term access to a protected resource is granted to a third party which does not +have access to the shared credentials. For example, displaying a protected image on a web page accessed by anyone. **Hawk** +provides limited support for such URIs in the form of a _bewit_ - a URI query parameter appended to the request URI which contains +the necessary credentials to authenticate the request. + +Because of the significant security risks involved in issuing such access, bewit usage is purposely limited only to GET requests +and for a finite period of time. Both the client and server can issue bewit credentials, however, the server should not use the same +credentials as the client to maintain clear traceability as to who issued which credentials. + +In order to simplify implementation, bewit credentials do not support single-use policy and can be replayed multiple times within +the granted access timeframe. + + +## Bewit Usage Example + +Server code: + +```javascript +const Http = require('http'); +const Hawk = require('hawk'); + + +// Credentials lookup function + +const credentialsFunc = function (id, callback) { + + const credentials = { + key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', + algorithm: 'sha256' + }; + + return callback(null, credentials); +}; + +// Create HTTP server + +const handler = function (req, res) { + + Hawk.uri.authenticate(req, credentialsFunc, {}, (err, credentials, attributes) => { + + res.writeHead(!err ? 200 : 401, { 'Content-Type': 'text/plain' }); + res.end(!err ? 'Access granted' : 'Shoosh!'); + }); +}; + +Http.createServer(handler).listen(8000, 'example.com'); +``` + +Bewit code generation: + +```javascript +const Request = require('request'); +const Hawk = require('hawk'); + + +// Client credentials + +const credentials = { + id: 'dh37fgj492je', + key: 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', + algorithm: 'sha256' +} + +// Generate bewit + +const duration = 60 * 5; // 5 Minutes +const bewit = Hawk.uri.getBewit('http://example.com:8000/resource/1?b=1&a=2', { credentials: credentials, ttlSec: duration, ext: 'some-app-data' }); +const uri = 'http://example.com:8000/resource/1?b=1&a=2' + '&bewit=' + bewit; + +// Output URI + +console.log('URI: ' + uri); +``` + + +# Security Considerations + +The greatest sources of security risks are usually found not in **Hawk** but in the policies and procedures surrounding its use. +Implementers are strongly encouraged to assess how this module addresses their security requirements. This section includes +an incomplete list of security considerations that must be reviewed and understood before deploying **Hawk** on the server. +Many of the protections provided in **Hawk** depends on whether and how they are used. + +### MAC Keys Transmission + +**Hawk** does not provide any mechanism for obtaining or transmitting the set of shared credentials required. Any mechanism used +to obtain **Hawk** credentials must ensure that these transmissions are protected using transport-layer mechanisms such as TLS. + +### Confidentiality of Requests + +While **Hawk** provides a mechanism for verifying the integrity of HTTP requests, it provides no guarantee of request +confidentiality. Unless other precautions are taken, eavesdroppers will have full access to the request content. Servers should +carefully consider the types of data likely to be sent as part of such requests, and employ transport-layer security mechanisms +to protect sensitive resources. + +### Spoofing by Counterfeit Servers + +**Hawk** provides limited verification of the server authenticity. When receiving a response back from the server, the server +may choose to include a response `Server-Authorization` header which the client can use to verify the response. However, it is up to +the server to determine when such measure is included, to up to the client to enforce that policy. + +A hostile party could take advantage of this by intercepting the client's requests and returning misleading or otherwise +incorrect responses. Service providers should consider such attacks when developing services using this protocol, and should +require transport-layer security for any requests where the authenticity of the resource server or of server responses is an issue. + +### Plaintext Storage of Credentials + +The **Hawk** key functions the same way passwords do in traditional authentication systems. In order to compute the request MAC, +the server must have access to the key in plaintext form. This is in contrast, for example, to modern operating systems, which +store only a one-way hash of user credentials. + +If an attacker were to gain access to these keys - or worse, to the server's database of all such keys - he or she would be able +to perform any action on behalf of any resource owner. Accordingly, it is critical that servers protect these keys from unauthorized +access. + +### Entropy of Keys + +Unless a transport-layer security protocol is used, eavesdroppers will have full access to authenticated requests and request +MAC values, and will thus be able to mount offline brute-force attacks to recover the key used. Servers should be careful to +assign keys which are long enough, and random enough, to resist such attacks for at least the length of time that the **Hawk** +credentials are valid. + +For example, if the credentials are valid for two weeks, servers should ensure that it is not possible to mount a brute force +attack that recovers the key in less than two weeks. Of course, servers are urged to err on the side of caution, and use the +longest key reasonable. + +It is equally important that the pseudo-random number generator (PRNG) used to generate these keys be of sufficiently high +quality. Many PRNG implementations generate number sequences that may appear to be random, but which nevertheless exhibit +patterns or other weaknesses which make cryptanalysis or brute force attacks easier. Implementers should be careful to use +cryptographically secure PRNGs to avoid these problems. + +### Coverage Limitations + +The request MAC only covers the HTTP `Host` header and optionally the `Content-Type` header. It does not cover any other headers +which can often affect how the request body is interpreted by the server. If the server behavior is influenced by the presence +or value of such headers, an attacker can manipulate the request headers without being detected. Implementers should use the +`ext` feature to pass application-specific information via the `Authorization` header which is protected by the request MAC. + +The response authentication, when performed, only covers the response payload, content-type, and the request information +provided by the client in its request (method, resource, timestamp, nonce, etc.). It does not cover the HTTP status code or +any other response header field (e.g. `Location`) which can affect the client's behaviour. + +### Future Time Manipulation + +The protocol relies on a clock sync between the client and server. To accomplish this, the server informs the client of its +current time when an invalid timestamp is received. + +If an attacker is able to manipulate this information and cause the client to use an incorrect time, it would be able to cause +the client to generate authenticated requests using time in the future. Such requests will fail when sent by the client, and will +not likely leave a trace on the server (given the common implementation of nonce, if at all enforced). The attacker will then +be able to replay the request at the correct time without detection. + +The client must only use the time information provided by the server if: +* it was delivered over a TLS connection and the server identity has been verified, or +* the `tsm` MAC digest calculated using the same client credentials over the timestamp has been verified. + +### Client Clock Poisoning + +When receiving a request with a bad timestamp, the server provides the client with its current time. The client must never use +the time received from the server to adjust its own clock, and must only use it to calculate an offset for communicating with +that particular server. + +### Bewit Limitations + +Special care must be taken when issuing bewit credentials to third parties. Bewit credentials are valid until expiration and cannot +be revoked or limited without using other means. Whatever resource they grant access to will be completely exposed to anyone with +access to the bewit credentials which act as bearer credentials for that particular resource. While bewit usage is limited to GET +requests only and therefore cannot be used to perform transactions or change server state, it can still be used to expose private +and sensitive information. + +### Host Header Forgery + +Hawk validates the incoming request MAC against the incoming HTTP Host header. However, unless the optional `host` and `port` +options are used with `server.authenticate()`, a malicious client can mint new host names pointing to the server's IP address and +use that to craft an attack by sending a valid request that's meant for another hostname than the one used by the server. Server +implementors must manually verify that the host header received matches their expectation (or use the options mentioned above). + +# Frequently Asked Questions + +### Where is the protocol specification? + +If you are looking for some prose explaining how all this works, **this is it**. **Hawk** is being developed as an open source +project instead of a standard. In other words, the [code](/hueniverse/hawk/tree/master/lib) is the specification. Not sure about +something? Open an issue! + +### Is it done? + +As of version 0.10.0, **Hawk** is feature-complete. However, until this module reaches version 1.0.0 it is considered experimental +and is likely to change. This also means your feedback and contribution are very welcome. Feel free to open issues with questions +and suggestions. + +### Where can I find **Hawk** implementations in other languages? + +**Hawk**'s only reference implementation is provided in JavaScript as a node.js module. However, it has been ported to other languages. +The full list is maintained [here](https://github.com/hueniverse/hawk/issues?labels=port&state=closed). Please add an issue if you are +working on another port. A cross-platform test-suite is in the works. + +### Why isn't the algorithm part of the challenge or dynamically negotiated? + +The algorithm used is closely related to the key issued as different algorithms require different key sizes (and other +requirements). While some keys can be used for multiple algorithm, the protocol is designed to closely bind the key and algorithm +together as part of the issued credentials. + +### Why is Host and Content-Type the only headers covered by the request MAC? + +It is really hard to include other headers. Headers can be changed by proxies and other intermediaries and there is no +well-established way to normalize them. Many platforms change the case of header field names and values. The only +straight-forward solution is to include the headers in some blob (say, base64 encoded JSON) and include that with the request, +an approach taken by JWT and other such formats. However, that design violates the HTTP header boundaries, repeats information, +and introduces other security issues because firewalls will not be aware of these "hidden" headers. In addition, any information +repeated must be compared to the duplicated information in the header and therefore only moves the problem elsewhere. + +### Why not just use HTTP Digest? + +Digest requires pre-negotiation to establish a nonce. This means you can't just make a request - you must first send +a protocol handshake to the server. This pattern has become unacceptable for most web services, especially mobile +where extra round-trip are costly. + +### Why bother with all this nonce and timestamp business? + +**Hawk** is an attempt to find a reasonable, practical compromise between security and usability. OAuth 1.0 got timestamp +and nonces halfway right but failed when it came to scalability and consistent developer experience. **Hawk** addresses +it by requiring the client to sync its clock, but provides it with tools to accomplish it. + +In general, replay protection is a matter of application-specific threat model. It is less of an issue on a TLS-protected +system where the clients are implemented using best practices and are under the control of the server. Instead of dropping +replay protection, **Hawk** offers a required time window and an optional nonce verification. Together, it provides developers +with the ability to decide how to enforce their security policy without impacting the client's implementation. + +### What are `app` and `dlg` in the authorization header and normalized mac string? + +The original motivation for **Hawk** was to replace the OAuth 1.0 use cases. This included both a simple client-server mode which +this module is specifically designed for, and a delegated access mode which is being developed separately in +[Oz](https://github.com/hueniverse/oz). In addition to the **Hawk** use cases, Oz requires another attribute: the application id `app`. +This provides binding between the credentials and the application in a way that prevents an attacker from tricking an application +to use credentials issued to someone else. It also has an optional 'delegated-by' attribute `dlg` which is the application id of the +application the credentials were directly issued to. The goal of these two additions is to allow Oz to utilize **Hawk** directly, +but with the additional security of delegated credentials. + +### What is the purpose of the static strings used in each normalized MAC input? + +When calculating a hash or MAC, a static prefix (tag) is added. The prefix is used to prevent MAC values from being +used or reused for a purpose other than what they were created for (i.e. prevents switching MAC values between a request, +response, and a bewit use cases). It also protects against exploits created after a potential change in how the protocol +creates the normalized string. For example, if a future version would switch the order of nonce and timestamp, it +can create an exploit opportunity for cases where the nonce is similar in format to a timestamp. + +### Does **Hawk** have anything to do with OAuth? + +Short answer: no. + +**Hawk** was originally proposed as the OAuth MAC Token specification. However, the OAuth working group in its consistent +incompetence failed to produce a final, usable solution to address one of the most popular use cases of OAuth 1.0 - using it +to authenticate simple client-server transactions (i.e. two-legged). As you can guess, the OAuth working group is still hard +at work to produce more garbage. + +**Hawk** provides a simple HTTP authentication scheme for making client-server requests. It does not address the OAuth use case +of delegating access to a third party. If you are looking for an OAuth alternative, check out [Oz](https://github.com/hueniverse/oz). + +# Implementations + +- [Logibit Hawk in F#/.Net](https://github.com/logibit/logibit.hawk/) +- [Tent Hawk in Ruby](https://github.com/tent/hawk-ruby) +- [Wealdtech in Java](https://github.com/wealdtech/hawk) +- [Kumar's Mohawk in Python](https://github.com/kumar303/mohawk/) +- [Hiyosi in Go](https://github.com/hiyosi/hawk) + +# Acknowledgements + +**Hawk** is a derivative work of the [HTTP MAC Authentication Scheme](http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05) proposal +co-authored by Ben Adida, Adam Barth, and Eran Hammer, which in turn was based on the OAuth 1.0 community specification. + +Special thanks to Ben Laurie for his always insightful feedback and advice. + +The **Hawk** logo was created by [Chris Carrasco](http://chriscarrasco.com). diff --git a/node_modules/hawk/client.js b/node_modules/hawk/client.js new file mode 100755 index 0000000..c7ff470 --- /dev/null +++ b/node_modules/hawk/client.js @@ -0,0 +1,3 @@ +'use strict'; + +module.exports = require('./dist/browser'); diff --git a/node_modules/hawk/dist/browser.js b/node_modules/hawk/dist/browser.js new file mode 100644 index 0000000..4bb9b95 --- /dev/null +++ b/node_modules/hawk/dist/browser.js @@ -0,0 +1,793 @@ +'use strict'; + +/* + HTTP Hawk Authentication Scheme + Copyright (c) 2012-2016, Eran Hammer <[email protected]> + BSD Licensed +*/ + +// Declare namespace + +var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; }; + +var hawk = { + internals: {} +}; + +hawk.client = { + + // Generate an Authorization header for a given request + + /* + uri: 'http://example.com/resource?a=b' or object generated by hawk.utils.parseUri() + method: HTTP verb (e.g. 'GET', 'POST') + options: { + // Required + credentials: { + id: 'dh37fgj492je', + key: 'aoijedoaijsdlaksjdl', + algorithm: 'sha256' // 'sha1', 'sha256' + }, + // Optional + ext: 'application-specific', // Application specific data sent via the ext attribute + timestamp: Date.now() / 1000, // A pre-calculated timestamp in seconds + nonce: '2334f34f', // A pre-generated nonce + localtimeOffsetMsec: 400, // Time offset to sync with server time (ignored if timestamp provided) + payload: '{"some":"payload"}', // UTF-8 encoded string for body hash generation (ignored if hash provided) + contentType: 'application/json', // Payload content-type (ignored if hash provided) + hash: 'U4MKKSmiVxk37JCCrAVIjV=', // Pre-calculated payload hash + app: '24s23423f34dx', // Oz application id + dlg: '234sz34tww3sd' // Oz delegated-by application id + } + */ + + header: function header(uri, method, options) { + + var result = { + field: '', + artifacts: {} + }; + + // Validate inputs + + if (!uri || typeof uri !== 'string' && (typeof uri === 'undefined' ? 'undefined' : _typeof(uri)) !== 'object' || !method || typeof method !== 'string' || !options || (typeof options === 'undefined' ? 'undefined' : _typeof(options)) !== 'object') { + + result.err = 'Invalid argument type'; + return result; + } + + // Application time + + var timestamp = options.timestamp || hawk.utils.nowSec(options.localtimeOffsetMsec); + + // Validate credentials + + var credentials = options.credentials; + if (!credentials || !credentials.id || !credentials.key || !credentials.algorithm) { + + result.err = 'Invalid credentials object'; + return result; + } + + if (hawk.crypto.algorithms.indexOf(credentials.algorithm) === -1) { + result.err = 'Unknown algorithm'; + return result; + } + + // Parse URI + + if (typeof uri === 'string') { + uri = hawk.utils.parseUri(uri); + } + + // Calculate signature + + var artifacts = { + ts: timestamp, + nonce: options.nonce || hawk.utils.randomString(6), + method: method, + resource: uri.resource, + host: uri.host, + port: uri.port, + hash: options.hash, + ext: options.ext, + app: options.app, + dlg: options.dlg + }; + + result.artifacts = artifacts; + + // Calculate payload hash + + if (!artifacts.hash && (options.payload || options.payload === '')) { + + artifacts.hash = hawk.crypto.calculatePayloadHash(options.payload, credentials.algorithm, options.contentType); + } + + var mac = hawk.crypto.calculateMac('header', credentials, artifacts); + + // Construct header + + var hasExt = artifacts.ext !== null && artifacts.ext !== undefined && artifacts.ext !== ''; // Other falsey values allowed + var header = 'Hawk id="' + credentials.id + '", ts="' + artifacts.ts + '", nonce="' + artifacts.nonce + (artifacts.hash ? '", hash="' + artifacts.hash : '') + (hasExt ? '", ext="' + hawk.utils.escapeHeaderAttribute(artifacts.ext) : '') + '", mac="' + mac + '"'; + + if (artifacts.app) { + header += ', app="' + artifacts.app + (artifacts.dlg ? '", dlg="' + artifacts.dlg : '') + '"'; + } + + result.field = header; + + return result; + }, + + // Generate a bewit value for a given URI + + /* + uri: 'http://example.com/resource?a=b' + options: { + // Required + credentials: { + id: 'dh37fgj492je', + key: 'aoijedoaijsdlaksjdl', + algorithm: 'sha256' // 'sha1', 'sha256' + }, + ttlSec: 60 * 60, // TTL in seconds + // Optional + ext: 'application-specific', // Application specific data sent via the ext attribute + localtimeOffsetMsec: 400 // Time offset to sync with server time + }; + */ + + bewit: function bewit(uri, options) { + + // Validate inputs + + if (!uri || typeof uri !== 'string' || !options || (typeof options === 'undefined' ? 'undefined' : _typeof(options)) !== 'object' || !options.ttlSec) { + + return ''; + } + + options.ext = options.ext === null || options.ext === undefined ? '' : options.ext; // Zero is valid value + + // Application time + + var now = hawk.utils.nowSec(options.localtimeOffsetMsec); + + // Validate credentials + + var credentials = options.credentials; + if (!credentials || !credentials.id || !credentials.key || !credentials.algorithm) { + + return ''; + } + + if (hawk.crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return ''; + } + + // Parse URI + + uri = hawk.utils.parseUri(uri); + + // Calculate signature + + var exp = now + options.ttlSec; + var mac = hawk.crypto.calculateMac('bewit', credentials, { + ts: exp, + nonce: '', + method: 'GET', + resource: uri.resource, // Maintain trailing '?' and query params + host: uri.host, + port: uri.port, + ext: options.ext + }); + + // Construct bewit: id\exp\mac\ext + + var bewit = credentials.id + '\\' + exp + '\\' + mac + '\\' + options.ext; + return hawk.utils.base64urlEncode(bewit); + }, + + // Validate server response + + /* + request: object created via 'new XMLHttpRequest()' after response received or fetch API 'Response' + artifacts: object received from header().artifacts + options: { + payload: optional payload received + required: specifies if a Server-Authorization header is required. Defaults to 'false' + } + */ + + authenticate: function authenticate(request, credentials, artifacts, options) { + + options = options || {}; + + var getHeader = function getHeader(name) { + + // Fetch API or plain headers + + if (request.headers) { + return typeof request.headers.get === 'function' ? request.headers.get(name) : request.headers[name]; + } + + // XMLHttpRequest + + return request.getResponseHeader ? request.getResponseHeader(name) : request.getHeader(name); + }; + + var wwwAuthenticate = getHeader('www-authenticate'); + if (wwwAuthenticate) { + + // Parse HTTP WWW-Authenticate header + + var wwwAttributes = hawk.utils.parseAuthorizationHeader(wwwAuthenticate, ['ts', 'tsm', 'error']); + if (!wwwAttributes) { + return false; + } + + if (wwwAttributes.ts) { + var tsm = hawk.crypto.calculateTsMac(wwwAttributes.ts, credentials); + if (tsm !== wwwAttributes.tsm) { + return false; + } + + hawk.utils.setNtpSecOffset(wwwAttributes.ts - Math.floor(Date.now() / 1000)); // Keep offset at 1 second precision + } + } + + // Parse HTTP Server-Authorization header + + var serverAuthorization = getHeader('server-authorization'); + if (!serverAuthorization && !options.required) { + + return true; + } + + var attributes = hawk.utils.parseAuthorizationHeader(serverAuthorization, ['mac', 'ext', 'hash']); + if (!attributes) { + return false; + } + + var modArtifacts = { + ts: artifacts.ts, + nonce: artifacts.nonce, + method: artifacts.method, + resource: artifacts.resource, + host: artifacts.host, + port: artifacts.port, + hash: attributes.hash, + ext: attributes.ext, + app: artifacts.app, + dlg: artifacts.dlg + }; + + var mac = hawk.crypto.calculateMac('response', credentials, modArtifacts); + if (mac !== attributes.mac) { + return false; + } + + if (!options.payload && options.payload !== '') { + + return true; + } + + if (!attributes.hash) { + return false; + } + + var calculatedHash = hawk.crypto.calculatePayloadHash(options.payload, credentials.algorithm, getHeader('content-type')); + return calculatedHash === attributes.hash; + }, + + message: function message(host, port, _message, options) { + + // Validate inputs + + if (!host || typeof host !== 'string' || !port || typeof port !== 'number' || _message === null || _message === undefined || typeof _message !== 'string' || !options || (typeof options === 'undefined' ? 'undefined' : _typeof(options)) !== 'object') { + + return null; + } + + // Application time + + var timestamp = options.timestamp || hawk.utils.nowSec(options.localtimeOffsetMsec); + + // Validate credentials + + var credentials = options.credentials; + if (!credentials || !credentials.id || !credentials.key || !credentials.algorithm) { + + // Invalid credential object + return null; + } + + if (hawk.crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return null; + } + + // Calculate signature + + var artifacts = { + ts: timestamp, + nonce: options.nonce || hawk.utils.randomString(6), + host: host, + port: port, + hash: hawk.crypto.calculatePayloadHash(_message, credentials.algorithm) + }; + + // Construct authorization + + var result = { + id: credentials.id, + ts: artifacts.ts, + nonce: artifacts.nonce, + hash: artifacts.hash, + mac: hawk.crypto.calculateMac('message', credentials, artifacts) + }; + + return result; + }, + + authenticateTimestamp: function authenticateTimestamp(message, credentials, updateClock) { + // updateClock defaults to true + + var tsm = hawk.crypto.calculateTsMac(message.ts, credentials); + if (tsm !== message.tsm) { + return false; + } + + if (updateClock !== false) { + hawk.utils.setNtpSecOffset(message.ts - Math.floor(Date.now() / 1000)); // Keep offset at 1 second precision + } + + return true; + } +}; + +hawk.crypto = { + + headerVersion: '1', + + algorithms: ['sha1', 'sha256'], + + calculateMac: function calculateMac(type, credentials, options) { + + var normalized = hawk.crypto.generateNormalizedString(type, options); + + var hmac = CryptoJS['Hmac' + credentials.algorithm.toUpperCase()](normalized, credentials.key); + return hmac.toString(CryptoJS.enc.Base64); + }, + + generateNormalizedString: function generateNormalizedString(type, options) { + + var normalized = 'hawk.' + hawk.crypto.headerVersion + '.' + type + '\n' + options.ts + '\n' + options.nonce + '\n' + (options.method || '').toUpperCase() + '\n' + (options.resource || '') + '\n' + options.host.toLowerCase() + '\n' + options.port + '\n' + (options.hash || '') + '\n'; + + if (options.ext) { + normalized += options.ext.replace('\\', '\\\\').replace('\n', '\\n'); + } + + normalized += '\n'; + + if (options.app) { + normalized += options.app + '\n' + (options.dlg || '') + '\n'; + } + + return normalized; + }, + + calculatePayloadHash: function calculatePayloadHash(payload, algorithm, contentType) { + + var hash = CryptoJS.algo[algorithm.toUpperCase()].create(); + hash.update('hawk.' + hawk.crypto.headerVersion + '.payload\n'); + hash.update(hawk.utils.parseContentType(contentType) + '\n'); + hash.update(payload); + hash.update('\n'); + return hash.finalize().toString(CryptoJS.enc.Base64); + }, + + calculateTsMac: function calculateTsMac(ts, credentials) { + + var hash = CryptoJS['Hmac' + credentials.algorithm.toUpperCase()]('hawk.' + hawk.crypto.headerVersion + '.ts\n' + ts + '\n', credentials.key); + return hash.toString(CryptoJS.enc.Base64); + } +}; + +// localStorage compatible interface + +hawk.internals.LocalStorage = function () { + + this._cache = {}; + this.length = 0; + + this.getItem = function (key) { + + return this._cache.hasOwnProperty(key) ? String(this._cache[key]) : null; + }; + + this.setItem = function (key, value) { + + this._cache[key] = String(value); + this.length = Object.keys(this._cache).length; + }; + + this.removeItem = function (key) { + + delete this._cache[key]; + this.length = Object.keys(this._cache).length; + }; + + this.clear = function () { + + this._cache = {}; + this.length = 0; + }; + + this.key = function (i) { + + return Object.keys(this._cache)[i || 0]; + }; +}; + +hawk.utils = { + + storage: new hawk.internals.LocalStorage(), + + setStorage: function setStorage(storage) { + + var ntpOffset = hawk.utils.storage.getItem('hawk_ntp_offset'); + hawk.utils.storage = storage; + if (ntpOffset) { + hawk.utils.setNtpSecOffset(ntpOffset); + } + }, + + setNtpSecOffset: function setNtpSecOffset(offset) { + + try { + hawk.utils.storage.setItem('hawk_ntp_offset', offset); + } catch (err) { + console.error('[hawk] could not write to storage.'); + console.error(err); + } + }, + + getNtpSecOffset: function getNtpSecOffset() { + + var offset = hawk.utils.storage.getItem('hawk_ntp_offset'); + if (!offset) { + return 0; + } + + return parseInt(offset, 10); + }, + + now: function now(localtimeOffsetMsec) { + + return Date.now() + (localtimeOffsetMsec || 0) + hawk.utils.getNtpSecOffset() * 1000; + }, + + nowSec: function nowSec(localtimeOffsetMsec) { + + return Math.floor(hawk.utils.now(localtimeOffsetMsec) / 1000); + }, + + escapeHeaderAttribute: function escapeHeaderAttribute(attribute) { + + return attribute.replace(/\\/g, '\\\\').replace(/\"/g, '\\"'); + }, + + parseContentType: function parseContentType(header) { + + if (!header) { + return ''; + } + + return header.split(';')[0].replace(/^\s+|\s+$/g, '').toLowerCase(); + }, + + parseAuthorizationHeader: function parseAuthorizationHeader(header, keys) { + + if (!header) { + return null; + } + + var headerParts = header.match(/^(\w+)(?:\s+(.*))?$/); // Header: scheme[ something] + if (!headerParts) { + return null; + } + + var scheme = headerParts[1]; + if (scheme.toLowerCase() !== 'hawk') { + return null; + } + + var attributesString = headerParts[2]; + if (!attributesString) { + return null; + } + + var attributes = {}; + var verify = attributesString.replace(/(\w+)="([^"\\]*)"\s*(?:,\s*|$)/g, function ($0, $1, $2) { + + // Check valid attribute names + + if (keys.indexOf($1) === -1) { + return; + } + + // Allowed attribute value characters: !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9 + + if ($2.match(/^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/) === null) { + return; + } + + // Check for duplicates + + if (attributes.hasOwnProperty($1)) { + return; + } + + attributes[$1] = $2; + return ''; + }); + + if (verify !== '') { + return null; + } + + return attributes; + }, + + randomString: function randomString(size) { + + var randomSource = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; + var len = randomSource.length; + + var result = []; + for (var i = 0; i < size; ++i) { + result[i] = randomSource[Math.floor(Math.random() * len)]; + } + + return result.join(''); + }, + + // 1 2 3 4 + uriRegex: /^([^:]+)\:\/\/(?:[^@/]*@)?([^\/:]+)(?:\:(\d+))?([^#]*)(?:#.*)?$/, // scheme://credentials@host:port/resource#fragment + parseUri: function parseUri(input) { + + var parts = input.match(hawk.utils.uriRegex); + if (!parts) { + return { host: '', port: '', resource: '' }; + } + + var scheme = parts[1].toLowerCase(); + var uri = { + host: parts[2], + port: parts[3] || (scheme === 'http' ? '80' : scheme === 'https' ? '443' : ''), + resource: parts[4] + }; + + return uri; + }, + + base64urlEncode: function base64urlEncode(value) { + + var wordArray = CryptoJS.enc.Utf8.parse(value); + var encoded = CryptoJS.enc.Base64.stringify(wordArray); + return encoded.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=/g, ''); + } +}; + +// $lab:coverage:off$ +/* eslint-disable */ + +// Based on: Crypto-JS v3.1.2 +// Copyright (c) 2009-2013, Jeff Mott. All rights reserved. +// http://code.google.com/p/crypto-js/ +// http://code.google.com/p/crypto-js/wiki/License + +var CryptoJS = CryptoJS || function (h, r) { + var k = {}, + l = k.lib = {}, + n = function n() {}, + f = l.Base = { extend: function extend(a) { + n.prototype = this;var b = new n();a && b.mixIn(a);b.hasOwnProperty("init") || (b.init = function () { + b.$super.init.apply(this, arguments); + });b.init.prototype = b;b.$super = this;return b; + }, create: function create() { + var a = this.extend();a.init.apply(a, arguments);return a; + }, init: function init() {}, mixIn: function mixIn(a) { + for (var _b in a) { + a.hasOwnProperty(_b) && (this[_b] = a[_b]); + }a.hasOwnProperty("toString") && (this.toString = a.toString); + }, clone: function clone() { + return this.init.prototype.extend(this); + } }, + j = l.WordArray = f.extend({ init: function init(a, b) { + a = this.words = a || [];this.sigBytes = b != r ? b : 4 * a.length; + }, toString: function toString(a) { + return (a || s).stringify(this); + }, concat: function concat(a) { + var b = this.words, + d = a.words, + c = this.sigBytes;a = a.sigBytes;this.clamp();if (c % 4) for (var e = 0; e < a; e++) { + b[c + e >>> 2] |= (d[e >>> 2] >>> 24 - 8 * (e % 4) & 255) << 24 - 8 * ((c + e) % 4); + } else if (65535 < d.length) for (var _e = 0; _e < a; _e += 4) { + b[c + _e >>> 2] = d[_e >>> 2]; + } else b.push.apply(b, d);this.sigBytes += a;return this; + }, clamp: function clamp() { + var a = this.words, + b = this.sigBytes;a[b >>> 2] &= 4294967295 << 32 - 8 * (b % 4);a.length = h.ceil(b / 4); + }, clone: function clone() { + var a = f.clone.call(this);a.words = this.words.slice(0);return a; + }, random: function random(a) { + for (var _b2 = [], d = 0; d < a; d += 4) { + _b2.push(4294967296 * h.random() | 0); + }return new j.init(b, a); + } }), + m = k.enc = {}, + s = m.Hex = { stringify: function stringify(a) { + var b = a.words;a = a.sigBytes;for (var d = [], c = 0; c < a; c++) { + var e = b[c >>> 2] >>> 24 - 8 * (c % 4) & 255;d.push((e >>> 4).toString(16));d.push((e & 15).toString(16)); + }return d.join(""); + }, parse: function parse(a) { + for (var b = a.length, d = [], c = 0; c < b; c += 2) { + d[c >>> 3] |= parseInt(a.substr(c, 2), 16) << 24 - 4 * (c % 8); + }return new j.init(d, b / 2); + } }, + p = m.Latin1 = { stringify: function stringify(a) { + var b = a.words;a = a.sigBytes;for (var d = [], c = 0; c < a; c++) { + d.push(String.fromCharCode(b[c >>> 2] >>> 24 - 8 * (c % 4) & 255)); + }return d.join(""); + }, parse: function parse(a) { + for (var b = a.length, d = [], c = 0; c < b; c++) { + d[c >>> 2] |= (a.charCodeAt(c) & 255) << 24 - 8 * (c % 4); + }return new j.init(d, b); + } }, + t = m.Utf8 = { stringify: function stringify(a) { + try { + return decodeURIComponent(escape(p.stringify(a))); + } catch (b) { + throw Error("Malformed UTF-8 data"); + } + }, parse: function parse(a) { + return p.parse(unescape(encodeURIComponent(a))); + } }, + q = l.BufferedBlockAlgorithm = f.extend({ reset: function reset() { + this._data = new j.init();this._nDataBytes = 0; + }, _append: function _append(a) { + "string" == typeof a && (a = t.parse(a));this._data.concat(a);this._nDataBytes += a.sigBytes; + }, _process: function _process(a) { + var b = this._data, + d = b.words, + c = b.sigBytes, + e = this.blockSize, + f = c / (4 * e), + f = a ? h.ceil(f) : h.max((f | 0) - this._minBufferSize, 0);a = f * e;c = h.min(4 * a, c);if (a) { + for (var g = 0; g < a; g += e) { + this._doProcessBlock(d, g); + }g = d.splice(0, a);b.sigBytes -= c; + }return new j.init(g, c); + }, clone: function clone() { + var a = f.clone.call(this);a._data = this._data.clone();return a; + }, _minBufferSize: 0 });l.Hasher = q.extend({ cfg: f.extend(), init: function init(a) { + this.cfg = this.cfg.extend(a);this.reset(); + }, reset: function reset() { + q.reset.call(this);this._doReset(); + }, update: function update(a) { + this._append(a);this._process();return this; + }, finalize: function finalize(a) { + a && this._append(a);return this._doFinalize(); + }, blockSize: 16, _createHelper: function _createHelper(a) { + return function (b, d) { + return new a.init(d).finalize(b); + }; + }, _createHmacHelper: function _createHmacHelper(a) { + return function (b, d) { + return new u.HMAC.init(a, d).finalize(b); + }; + } });var u = k.algo = {};return k; +}(Math); +(function () { + var k = CryptoJS, + b = k.lib, + m = b.WordArray, + l = b.Hasher, + d = [], + b = k.algo.SHA1 = l.extend({ _doReset: function _doReset() { + this._hash = new m.init([1732584193, 4023233417, 2562383102, 271733878, 3285377520]); + }, _doProcessBlock: function _doProcessBlock(n, p) { + for (var a = this._hash.words, e = a[0], f = a[1], h = a[2], j = a[3], b = a[4], c = 0; 80 > c; c++) { + if (16 > c) d[c] = n[p + c] | 0;else { + var g = d[c - 3] ^ d[c - 8] ^ d[c - 14] ^ d[c - 16];d[c] = g << 1 | g >>> 31; + }g = (e << 5 | e >>> 27) + b + d[c];g = 20 > c ? g + ((f & h | ~f & j) + 1518500249) : 40 > c ? g + ((f ^ h ^ j) + 1859775393) : 60 > c ? g + ((f & h | f & j | h & j) - 1894007588) : g + ((f ^ h ^ j) - 899497514);b = j;j = h;h = f << 30 | f >>> 2;f = e;e = g; + }a[0] = a[0] + e | 0;a[1] = a[1] + f | 0;a[2] = a[2] + h | 0;a[3] = a[3] + j | 0;a[4] = a[4] + b | 0; + }, _doFinalize: function _doFinalize() { + var b = this._data, + d = b.words, + a = 8 * this._nDataBytes, + e = 8 * b.sigBytes;d[e >>> 5] |= 128 << 24 - e % 32;d[(e + 64 >>> 9 << 4) + 14] = Math.floor(a / 4294967296);d[(e + 64 >>> 9 << 4) + 15] = a;b.sigBytes = 4 * d.length;this._process();return this._hash; + }, clone: function clone() { + var b = l.clone.call(this);b._hash = this._hash.clone();return b; + } });k.SHA1 = l._createHelper(b);k.HmacSHA1 = l._createHmacHelper(b); +})(); +(function (k) { + for (var g = CryptoJS, h = g.lib, v = h.WordArray, j = h.Hasher, h = g.algo, s = [], t = [], u = function u(q) { + return 4294967296 * (q - (q | 0)) | 0; + }, l = 2, b = 0; 64 > b;) { + var d;a: { + d = l;for (var w = k.sqrt(d), r = 2; r <= w; r++) { + if (!(d % r)) { + d = !1;break a; + } + }d = !0; + }d && (8 > b && (s[b] = u(k.pow(l, 0.5))), t[b] = u(k.pow(l, 1 / 3)), b++);l++; + }var n = [], + h = h.SHA256 = j.extend({ _doReset: function _doReset() { + this._hash = new v.init(s.slice(0)); + }, _doProcessBlock: function _doProcessBlock(q, h) { + for (var a = this._hash.words, c = a[0], d = a[1], b = a[2], k = a[3], f = a[4], g = a[5], j = a[6], l = a[7], e = 0; 64 > e; e++) { + if (16 > e) n[e] = q[h + e] | 0;else { + var m = n[e - 15], + p = n[e - 2];n[e] = ((m << 25 | m >>> 7) ^ (m << 14 | m >>> 18) ^ m >>> 3) + n[e - 7] + ((p << 15 | p >>> 17) ^ (p << 13 | p >>> 19) ^ p >>> 10) + n[e - 16]; + }m = l + ((f << 26 | f >>> 6) ^ (f << 21 | f >>> 11) ^ (f << 7 | f >>> 25)) + (f & g ^ ~f & j) + t[e] + n[e];p = ((c << 30 | c >>> 2) ^ (c << 19 | c >>> 13) ^ (c << 10 | c >>> 22)) + (c & d ^ c & b ^ d & b);l = j;j = g;g = f;f = k + m | 0;k = b;b = d;d = c;c = m + p | 0; + }a[0] = a[0] + c | 0;a[1] = a[1] + d | 0;a[2] = a[2] + b | 0;a[3] = a[3] + k | 0;a[4] = a[4] + f | 0;a[5] = a[5] + g | 0;a[6] = a[6] + j | 0;a[7] = a[7] + l | 0; + }, _doFinalize: function _doFinalize() { + var d = this._data, + b = d.words, + a = 8 * this._nDataBytes, + c = 8 * d.sigBytes;b[c >>> 5] |= 128 << 24 - c % 32;b[(c + 64 >>> 9 << 4) + 14] = k.floor(a / 4294967296);b[(c + 64 >>> 9 << 4) + 15] = a;d.sigBytes = 4 * b.length;this._process();return this._hash; + }, clone: function clone() { + var b = j.clone.call(this);b._hash = this._hash.clone();return b; + } });g.SHA256 = j._createHelper(h);g.HmacSHA256 = j._createHmacHelper(h); +})(Math); +(function () { + var c = CryptoJS, + k = c.enc.Utf8;c.algo.HMAC = c.lib.Base.extend({ init: function init(a, b) { + a = this._hasher = new a.init();"string" == typeof b && (b = k.parse(b));var c = a.blockSize, + e = 4 * c;b.sigBytes > e && (b = a.finalize(b));b.clamp();for (var f = this._oKey = b.clone(), g = this._iKey = b.clone(), h = f.words, j = g.words, d = 0; d < c; d++) { + h[d] ^= 1549556828, j[d] ^= 909522486; + }f.sigBytes = g.sigBytes = e;this.reset(); + }, reset: function reset() { + var a = this._hasher;a.reset();a.update(this._iKey); + }, update: function update(a) { + this._hasher.update(a);return this; + }, finalize: function finalize(a) { + var b = this._hasher;a = b.finalize(a);b.reset();return b.finalize(this._oKey.clone().concat(a)); + } }); +})(); +(function () { + var h = CryptoJS, + j = h.lib.WordArray;h.enc.Base64 = { stringify: function stringify(b) { + var e = b.words, + f = b.sigBytes, + c = this._map;b.clamp();b = [];for (var a = 0; a < f; a += 3) { + for (var d = (e[a >>> 2] >>> 24 - 8 * (a % 4) & 255) << 16 | (e[a + 1 >>> 2] >>> 24 - 8 * ((a + 1) % 4) & 255) << 8 | e[a + 2 >>> 2] >>> 24 - 8 * ((a + 2) % 4) & 255, g = 0; 4 > g && a + 0.75 * g < f; g++) { + b.push(c.charAt(d >>> 6 * (3 - g) & 63)); + } + }if (e = c.charAt(64)) for (; b.length % 4;) { + b.push(e); + }return b.join(""); + }, parse: function parse(b) { + var e = b.length, + f = this._map, + c = f.charAt(64);c && (c = b.indexOf(c), -1 != c && (e = c));for (var c = [], a = 0, d = 0; d < e; d++) { + if (d % 4) { + var g = f.indexOf(b.charAt(d - 1)) << 2 * (d % 4), + h = f.indexOf(b.charAt(d)) >>> 6 - 2 * (d % 4);c[a >>> 2] |= (g | h) << 24 - 8 * (a % 4);a++; + } + }return j.create(c, a); + }, _map: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" }; +})(); + +hawk.crypto.utils = CryptoJS; + +// Export if used as a module + +if (typeof module !== 'undefined' && module.exports) { + module.exports = hawk; +} + +/* eslint-enable */ +// $lab:coverage:on$ diff --git a/node_modules/hawk/lib/browser.js b/node_modules/hawk/lib/browser.js new file mode 100755 index 0000000..6635ce5 --- /dev/null +++ b/node_modules/hawk/lib/browser.js @@ -0,0 +1,653 @@ +'use strict'; + +/* + HTTP Hawk Authentication Scheme + Copyright (c) 2012-2016, Eran Hammer <[email protected]> + BSD Licensed +*/ + + +// Declare namespace + +const hawk = { + internals: {} +}; + + +hawk.client = { + + // Generate an Authorization header for a given request + + /* + uri: 'http://example.com/resource?a=b' or object generated by hawk.utils.parseUri() + method: HTTP verb (e.g. 'GET', 'POST') + options: { + + // Required + + credentials: { + id: 'dh37fgj492je', + key: 'aoijedoaijsdlaksjdl', + algorithm: 'sha256' // 'sha1', 'sha256' + }, + + // Optional + + ext: 'application-specific', // Application specific data sent via the ext attribute + timestamp: Date.now() / 1000, // A pre-calculated timestamp in seconds + nonce: '2334f34f', // A pre-generated nonce + localtimeOffsetMsec: 400, // Time offset to sync with server time (ignored if timestamp provided) + payload: '{"some":"payload"}', // UTF-8 encoded string for body hash generation (ignored if hash provided) + contentType: 'application/json', // Payload content-type (ignored if hash provided) + hash: 'U4MKKSmiVxk37JCCrAVIjV=', // Pre-calculated payload hash + app: '24s23423f34dx', // Oz application id + dlg: '234sz34tww3sd' // Oz delegated-by application id + } + */ + + header: function (uri, method, options) { + + const result = { + field: '', + artifacts: {} + }; + + // Validate inputs + + if (!uri || (typeof uri !== 'string' && typeof uri !== 'object') || + !method || typeof method !== 'string' || + !options || typeof options !== 'object') { + + result.err = 'Invalid argument type'; + return result; + } + + // Application time + + const timestamp = options.timestamp || hawk.utils.nowSec(options.localtimeOffsetMsec); + + // Validate credentials + + const credentials = options.credentials; + if (!credentials || + !credentials.id || + !credentials.key || + !credentials.algorithm) { + + result.err = 'Invalid credentials object'; + return result; + } + + if (hawk.crypto.algorithms.indexOf(credentials.algorithm) === -1) { + result.err = 'Unknown algorithm'; + return result; + } + + // Parse URI + + if (typeof uri === 'string') { + uri = hawk.utils.parseUri(uri); + } + + // Calculate signature + + const artifacts = { + ts: timestamp, + nonce: options.nonce || hawk.utils.randomString(6), + method, + resource: uri.resource, + host: uri.host, + port: uri.port, + hash: options.hash, + ext: options.ext, + app: options.app, + dlg: options.dlg + }; + + result.artifacts = artifacts; + + // Calculate payload hash + + if (!artifacts.hash && + (options.payload || options.payload === '')) { + + artifacts.hash = hawk.crypto.calculatePayloadHash(options.payload, credentials.algorithm, options.contentType); + } + + const mac = hawk.crypto.calculateMac('header', credentials, artifacts); + + // Construct header + + const hasExt = artifacts.ext !== null && artifacts.ext !== undefined && artifacts.ext !== ''; // Other falsey values allowed + let header = 'Hawk id="' + credentials.id + + '", ts="' + artifacts.ts + + '", nonce="' + artifacts.nonce + + (artifacts.hash ? '", hash="' + artifacts.hash : '') + + (hasExt ? '", ext="' + hawk.utils.escapeHeaderAttribute(artifacts.ext) : '') + + '", mac="' + mac + '"'; + + if (artifacts.app) { + header += ', app="' + artifacts.app + + (artifacts.dlg ? '", dlg="' + artifacts.dlg : '') + '"'; + } + + result.field = header; + + return result; + }, + + // Generate a bewit value for a given URI + + /* + uri: 'http://example.com/resource?a=b' + options: { + + // Required + + credentials: { + id: 'dh37fgj492je', + key: 'aoijedoaijsdlaksjdl', + algorithm: 'sha256' // 'sha1', 'sha256' + }, + ttlSec: 60 * 60, // TTL in seconds + + // Optional + + ext: 'application-specific', // Application specific data sent via the ext attribute + localtimeOffsetMsec: 400 // Time offset to sync with server time + }; + */ + + bewit: function (uri, options) { + + // Validate inputs + + if (!uri || + (typeof uri !== 'string') || + !options || + typeof options !== 'object' || + !options.ttlSec) { + + return ''; + } + + options.ext = (options.ext === null || options.ext === undefined ? '' : options.ext); // Zero is valid value + + // Application time + + const now = hawk.utils.nowSec(options.localtimeOffsetMsec); + + // Validate credentials + + const credentials = options.credentials; + if (!credentials || + !credentials.id || + !credentials.key || + !credentials.algorithm) { + + return ''; + } + + if (hawk.crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return ''; + } + + // Parse URI + + uri = hawk.utils.parseUri(uri); + + // Calculate signature + + const exp = now + options.ttlSec; + const mac = hawk.crypto.calculateMac('bewit', credentials, { + ts: exp, + nonce: '', + method: 'GET', + resource: uri.resource, // Maintain trailing '?' and query params + host: uri.host, + port: uri.port, + ext: options.ext + }); + + // Construct bewit: id\exp\mac\ext + + const bewit = credentials.id + '\\' + exp + '\\' + mac + '\\' + options.ext; + return hawk.utils.base64urlEncode(bewit); + }, + + // Validate server response + + /* + request: object created via 'new XMLHttpRequest()' after response received or fetch API 'Response' + artifacts: object received from header().artifacts + options: { + payload: optional payload received + required: specifies if a Server-Authorization header is required. Defaults to 'false' + } + */ + + authenticate: function (request, credentials, artifacts, options) { + + options = options || {}; + + const getHeader = function (name) { + + // Fetch API or plain headers + + if (request.headers) { + return (typeof request.headers.get === 'function' ? request.headers.get(name) : request.headers[name]); + } + + // XMLHttpRequest + + return (request.getResponseHeader ? request.getResponseHeader(name) : request.getHeader(name)); + }; + + const wwwAuthenticate = getHeader('www-authenticate'); + if (wwwAuthenticate) { + + // Parse HTTP WWW-Authenticate header + + const wwwAttributes = hawk.utils.parseAuthorizationHeader(wwwAuthenticate, ['ts', 'tsm', 'error']); + if (!wwwAttributes) { + return false; + } + + if (wwwAttributes.ts) { + const tsm = hawk.crypto.calculateTsMac(wwwAttributes.ts, credentials); + if (tsm !== wwwAttributes.tsm) { + return false; + } + + hawk.utils.setNtpSecOffset(wwwAttributes.ts - Math.floor(Date.now() / 1000)); // Keep offset at 1 second precision + } + } + + // Parse HTTP Server-Authorization header + + const serverAuthorization = getHeader('server-authorization'); + if (!serverAuthorization && + !options.required) { + + return true; + } + + const attributes = hawk.utils.parseAuthorizationHeader(serverAuthorization, ['mac', 'ext', 'hash']); + if (!attributes) { + return false; + } + + const modArtifacts = { + ts: artifacts.ts, + nonce: artifacts.nonce, + method: artifacts.method, + resource: artifacts.resource, + host: artifacts.host, + port: artifacts.port, + hash: attributes.hash, + ext: attributes.ext, + app: artifacts.app, + dlg: artifacts.dlg + }; + + const mac = hawk.crypto.calculateMac('response', credentials, modArtifacts); + if (mac !== attributes.mac) { + return false; + } + + if (!options.payload && + options.payload !== '') { + + return true; + } + + if (!attributes.hash) { + return false; + } + + const calculatedHash = hawk.crypto.calculatePayloadHash(options.payload, credentials.algorithm, getHeader('content-type')); + return (calculatedHash === attributes.hash); + }, + + message: function (host, port, message, options) { + + // Validate inputs + + if (!host || typeof host !== 'string' || + !port || typeof port !== 'number' || + message === null || message === undefined || typeof message !== 'string' || + !options || typeof options !== 'object') { + + return null; + } + + // Application time + + const timestamp = options.timestamp || hawk.utils.nowSec(options.localtimeOffsetMsec); + + // Validate credentials + + const credentials = options.credentials; + if (!credentials || + !credentials.id || + !credentials.key || + !credentials.algorithm) { + + // Invalid credential object + return null; + } + + if (hawk.crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return null; + } + + // Calculate signature + + const artifacts = { + ts: timestamp, + nonce: options.nonce || hawk.utils.randomString(6), + host, + port, + hash: hawk.crypto.calculatePayloadHash(message, credentials.algorithm) + }; + + // Construct authorization + + const result = { + id: credentials.id, + ts: artifacts.ts, + nonce: artifacts.nonce, + hash: artifacts.hash, + mac: hawk.crypto.calculateMac('message', credentials, artifacts) + }; + + return result; + }, + + authenticateTimestamp: function (message, credentials, updateClock) { // updateClock defaults to true + + const tsm = hawk.crypto.calculateTsMac(message.ts, credentials); + if (tsm !== message.tsm) { + return false; + } + + if (updateClock !== false) { + hawk.utils.setNtpSecOffset(message.ts - Math.floor(Date.now() / 1000)); // Keep offset at 1 second precision + } + + return true; + } +}; + + +hawk.crypto = { + + headerVersion: '1', + + algorithms: ['sha1', 'sha256'], + + calculateMac: function (type, credentials, options) { + + const normalized = hawk.crypto.generateNormalizedString(type, options); + + const hmac = CryptoJS['Hmac' + credentials.algorithm.toUpperCase()](normalized, credentials.key); + return hmac.toString(CryptoJS.enc.Base64); + }, + + generateNormalizedString: function (type, options) { + + let normalized = 'hawk.' + hawk.crypto.headerVersion + '.' + type + '\n' + + options.ts + '\n' + + options.nonce + '\n' + + (options.method || '').toUpperCase() + '\n' + + (options.resource || '') + '\n' + + options.host.toLowerCase() + '\n' + + options.port + '\n' + + (options.hash || '') + '\n'; + + if (options.ext) { + normalized += options.ext.replace('\\', '\\\\').replace('\n', '\\n'); + } + + normalized += '\n'; + + if (options.app) { + normalized += options.app + '\n' + + (options.dlg || '') + '\n'; + } + + return normalized; + }, + + calculatePayloadHash: function (payload, algorithm, contentType) { + + const hash = CryptoJS.algo[algorithm.toUpperCase()].create(); + hash.update('hawk.' + hawk.crypto.headerVersion + '.payload\n'); + hash.update(hawk.utils.parseContentType(contentType) + '\n'); + hash.update(payload); + hash.update('\n'); + return hash.finalize().toString(CryptoJS.enc.Base64); + }, + + calculateTsMac: function (ts, credentials) { + + const hash = CryptoJS['Hmac' + credentials.algorithm.toUpperCase()]('hawk.' + hawk.crypto.headerVersion + '.ts\n' + ts + '\n', credentials.key); + return hash.toString(CryptoJS.enc.Base64); + } +}; + + +// localStorage compatible interface + +hawk.internals.LocalStorage = function () { + + this._cache = {}; + this.length = 0; + + this.getItem = function (key) { + + return this._cache.hasOwnProperty(key) ? String(this._cache[key]) : null; + }; + + this.setItem = function (key, value) { + + this._cache[key] = String(value); + this.length = Object.keys(this._cache).length; + }; + + this.removeItem = function (key) { + + delete this._cache[key]; + this.length = Object.keys(this._cache).length; + }; + + this.clear = function () { + + this._cache = {}; + this.length = 0; + }; + + this.key = function (i) { + + return Object.keys(this._cache)[i || 0]; + }; +}; + + +hawk.utils = { + + storage: new hawk.internals.LocalStorage(), + + setStorage: function (storage) { + + const ntpOffset = hawk.utils.storage.getItem('hawk_ntp_offset'); + hawk.utils.storage = storage; + if (ntpOffset) { + hawk.utils.setNtpSecOffset(ntpOffset); + } + }, + + setNtpSecOffset: function (offset) { + + try { + hawk.utils.storage.setItem('hawk_ntp_offset', offset); + } + catch (err) { + console.error('[hawk] could not write to storage.'); + console.error(err); + } + }, + + getNtpSecOffset: function () { + + const offset = hawk.utils.storage.getItem('hawk_ntp_offset'); + if (!offset) { + return 0; + } + + return parseInt(offset, 10); + }, + + now: function (localtimeOffsetMsec) { + + return Date.now() + (localtimeOffsetMsec || 0) + (hawk.utils.getNtpSecOffset() * 1000); + }, + + nowSec: function (localtimeOffsetMsec) { + + return Math.floor(hawk.utils.now(localtimeOffsetMsec) / 1000); + }, + + escapeHeaderAttribute: function (attribute) { + + return attribute.replace(/\\/g, '\\\\').replace(/\"/g, '\\"'); + }, + + parseContentType: function (header) { + + if (!header) { + return ''; + } + + return header.split(';')[0].replace(/^\s+|\s+$/g, '').toLowerCase(); + }, + + parseAuthorizationHeader: function (header, keys) { + + if (!header) { + return null; + } + + const headerParts = header.match(/^(\w+)(?:\s+(.*))?$/); // Header: scheme[ something] + if (!headerParts) { + return null; + } + + const scheme = headerParts[1]; + if (scheme.toLowerCase() !== 'hawk') { + return null; + } + + const attributesString = headerParts[2]; + if (!attributesString) { + return null; + } + + const attributes = {}; + const verify = attributesString.replace(/(\w+)="([^"\\]*)"\s*(?:,\s*|$)/g, ($0, $1, $2) => { + + // Check valid attribute names + + if (keys.indexOf($1) === -1) { + return; + } + + // Allowed attribute value characters: !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9 + + if ($2.match(/^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/) === null) { + return; + } + + // Check for duplicates + + if (attributes.hasOwnProperty($1)) { + return; + } + + attributes[$1] = $2; + return ''; + }); + + if (verify !== '') { + return null; + } + + return attributes; + }, + + randomString: function (size) { + + const randomSource = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; + const len = randomSource.length; + + const result = []; + for (let i = 0; i < size; ++i) { + result[i] = randomSource[Math.floor(Math.random() * len)]; + } + + return result.join(''); + }, + + // 1 2 3 4 + uriRegex: /^([^:]+)\:\/\/(?:[^@/]*@)?([^\/:]+)(?:\:(\d+))?([^#]*)(?:#.*)?$/, // scheme://credentials@host:port/resource#fragment + parseUri: function (input) { + + const parts = input.match(hawk.utils.uriRegex); + if (!parts) { + return { host: '', port: '', resource: '' }; + } + + const scheme = parts[1].toLowerCase(); + const uri = { + host: parts[2], + port: parts[3] || (scheme === 'http' ? '80' : (scheme === 'https' ? '443' : '')), + resource: parts[4] + }; + + return uri; + }, + + base64urlEncode: function (value) { + + const wordArray = CryptoJS.enc.Utf8.parse(value); + const encoded = CryptoJS.enc.Base64.stringify(wordArray); + return encoded.replace(/\+/g, '-').replace(/\//g, '_').replace(/\=/g, ''); + } +}; + + +// $lab:coverage:off$ +/* eslint-disable */ + +// Based on: Crypto-JS v3.1.2 +// Copyright (c) 2009-2013, Jeff Mott. All rights reserved. +// http://code.google.com/p/crypto-js/ +// http://code.google.com/p/crypto-js/wiki/License + +var CryptoJS = CryptoJS || function (h, r) { var k = {}, l = k.lib = {}, n = function () { }, f = l.Base = { extend: function (a) { n.prototype = this; var b = new n; a && b.mixIn(a); b.hasOwnProperty("init") || (b.init = function () { b.$super.init.apply(this, arguments) }); b.init.prototype = b; b.$super = this; return b }, create: function () { var a = this.extend(); a.init.apply(a, arguments); return a }, init: function () { }, mixIn: function (a) { for (let b in a) a.hasOwnProperty(b) && (this[b] = a[b]); a.hasOwnProperty("toString") && (this.toString = a.toString) }, clone: function () { return this.init.prototype.extend(this) } }, j = l.WordArray = f.extend({ init: function (a, b) { a = this.words = a || []; this.sigBytes = b != r ? b : 4 * a.length }, toString: function (a) { return (a || s).stringify(this) }, concat: function (a) { var b = this.words, d = a.words, c = this.sigBytes; a = a.sigBytes; this.clamp(); if (c % 4) for (let e = 0; e < a; e++) b[c + e >>> 2] |= (d[e >>> 2] >>> 24 - 8 * (e % 4) & 255) << 24 - 8 * ((c + e) % 4); else if (65535 < d.length) for (let e = 0; e < a; e += 4) b[c + e >>> 2] = d[e >>> 2]; else b.push.apply(b, d); this.sigBytes += a; return this }, clamp: function () { var a = this.words, b = this.sigBytes; a[b >>> 2] &= 4294967295 << 32 - 8 * (b % 4); a.length = h.ceil(b / 4) }, clone: function () { var a = f.clone.call(this); a.words = this.words.slice(0); return a }, random: function (a) { for (let b = [], d = 0; d < a; d += 4) b.push(4294967296 * h.random() | 0); return new j.init(b, a) } }), m = k.enc = {}, s = m.Hex = { stringify: function (a) { var b = a.words; a = a.sigBytes; for (var d = [], c = 0; c < a; c++) { var e = b[c >>> 2] >>> 24 - 8 * (c % 4) & 255; d.push((e >>> 4).toString(16)); d.push((e & 15).toString(16)) } return d.join("") }, parse: function (a) { for (var b = a.length, d = [], c = 0; c < b; c += 2) d[c >>> 3] |= parseInt(a.substr(c, 2), 16) << 24 - 4 * (c % 8); return new j.init(d, b / 2) } }, p = m.Latin1 = { stringify: function (a) { var b = a.words; a = a.sigBytes; for (var d = [], c = 0; c < a; c++) d.push(String.fromCharCode(b[c >>> 2] >>> 24 - 8 * (c % 4) & 255)); return d.join("") }, parse: function (a) { for (var b = a.length, d = [], c = 0; c < b; c++) d[c >>> 2] |= (a.charCodeAt(c) & 255) << 24 - 8 * (c % 4); return new j.init(d, b) } }, t = m.Utf8 = { stringify: function (a) { try { return decodeURIComponent(escape(p.stringify(a))) } catch (b) { throw Error("Malformed UTF-8 data"); } }, parse: function (a) { return p.parse(unescape(encodeURIComponent(a))) } }, q = l.BufferedBlockAlgorithm = f.extend({ reset: function () { this._data = new j.init; this._nDataBytes = 0 }, _append: function (a) { "string" == typeof a && (a = t.parse(a)); this._data.concat(a); this._nDataBytes += a.sigBytes }, _process: function (a) { var b = this._data, d = b.words, c = b.sigBytes, e = this.blockSize, f = c / (4 * e), f = a ? h.ceil(f) : h.max((f | 0) - this._minBufferSize, 0); a = f * e; c = h.min(4 * a, c); if (a) { for (var g = 0; g < a; g += e) this._doProcessBlock(d, g); g = d.splice(0, a); b.sigBytes -= c } return new j.init(g, c) }, clone: function () { var a = f.clone.call(this); a._data = this._data.clone(); return a }, _minBufferSize: 0 }); l.Hasher = q.extend({ cfg: f.extend(), init: function (a) { this.cfg = this.cfg.extend(a); this.reset() }, reset: function () { q.reset.call(this); this._doReset() }, update: function (a) { this._append(a); this._process(); return this }, finalize: function (a) { a && this._append(a); return this._doFinalize() }, blockSize: 16, _createHelper: function (a) { return function (b, d) { return (new a.init(d)).finalize(b) } }, _createHmacHelper: function (a) { return function (b, d) { return (new u.HMAC.init(a, d)).finalize(b) } } }); var u = k.algo = {}; return k }(Math); +(() => { var k = CryptoJS, b = k.lib, m = b.WordArray, l = b.Hasher, d = [], b = k.algo.SHA1 = l.extend({ _doReset: function () { this._hash = new m.init([1732584193, 4023233417, 2562383102, 271733878, 3285377520]) }, _doProcessBlock: function (n, p) { for (var a = this._hash.words, e = a[0], f = a[1], h = a[2], j = a[3], b = a[4], c = 0; 80 > c; c++) { if (16 > c) d[c] = n[p + c] | 0; else { var g = d[c - 3] ^ d[c - 8] ^ d[c - 14] ^ d[c - 16]; d[c] = g << 1 | g >>> 31 } g = (e << 5 | e >>> 27) + b + d[c]; g = 20 > c ? g + ((f & h | ~f & j) + 1518500249) : 40 > c ? g + ((f ^ h ^ j) + 1859775393) : 60 > c ? g + ((f & h | f & j | h & j) - 1894007588) : g + ((f ^ h ^ j) - 899497514); b = j; j = h; h = f << 30 | f >>> 2; f = e; e = g } a[0] = a[0] + e | 0; a[1] = a[1] + f | 0; a[2] = a[2] + h | 0; a[3] = a[3] + j | 0; a[4] = a[4] + b | 0 }, _doFinalize: function () { var b = this._data, d = b.words, a = 8 * this._nDataBytes, e = 8 * b.sigBytes; d[e >>> 5] |= 128 << 24 - e % 32; d[(e + 64 >>> 9 << 4) + 14] = Math.floor(a / 4294967296); d[(e + 64 >>> 9 << 4) + 15] = a; b.sigBytes = 4 * d.length; this._process(); return this._hash }, clone: function () { var b = l.clone.call(this); b._hash = this._hash.clone(); return b } }); k.SHA1 = l._createHelper(b); k.HmacSHA1 = l._createHmacHelper(b) })(); +(function (k) { for (var g = CryptoJS, h = g.lib, v = h.WordArray, j = h.Hasher, h = g.algo, s = [], t = [], u = function (q) { return 4294967296 * (q - (q | 0)) | 0 }, l = 2, b = 0; 64 > b;) { var d; a: { d = l; for (var w = k.sqrt(d), r = 2; r <= w; r++) if (!(d % r)) { d = !1; break a } d = !0 } d && (8 > b && (s[b] = u(k.pow(l, 0.5))), t[b] = u(k.pow(l, 1 / 3)), b++); l++ } var n = [], h = h.SHA256 = j.extend({ _doReset: function () { this._hash = new v.init(s.slice(0)) }, _doProcessBlock: function (q, h) { for (var a = this._hash.words, c = a[0], d = a[1], b = a[2], k = a[3], f = a[4], g = a[5], j = a[6], l = a[7], e = 0; 64 > e; e++) { if (16 > e) n[e] = q[h + e] | 0; else { var m = n[e - 15], p = n[e - 2]; n[e] = ((m << 25 | m >>> 7) ^ (m << 14 | m >>> 18) ^ m >>> 3) + n[e - 7] + ((p << 15 | p >>> 17) ^ (p << 13 | p >>> 19) ^ p >>> 10) + n[e - 16] } m = l + ((f << 26 | f >>> 6) ^ (f << 21 | f >>> 11) ^ (f << 7 | f >>> 25)) + (f & g ^ ~f & j) + t[e] + n[e]; p = ((c << 30 | c >>> 2) ^ (c << 19 | c >>> 13) ^ (c << 10 | c >>> 22)) + (c & d ^ c & b ^ d & b); l = j; j = g; g = f; f = k + m | 0; k = b; b = d; d = c; c = m + p | 0 } a[0] = a[0] + c | 0; a[1] = a[1] + d | 0; a[2] = a[2] + b | 0; a[3] = a[3] + k | 0; a[4] = a[4] + f | 0; a[5] = a[5] + g | 0; a[6] = a[6] + j | 0; a[7] = a[7] + l | 0 }, _doFinalize: function () { var d = this._data, b = d.words, a = 8 * this._nDataBytes, c = 8 * d.sigBytes; b[c >>> 5] |= 128 << 24 - c % 32; b[(c + 64 >>> 9 << 4) + 14] = k.floor(a / 4294967296); b[(c + 64 >>> 9 << 4) + 15] = a; d.sigBytes = 4 * b.length; this._process(); return this._hash }, clone: function () { var b = j.clone.call(this); b._hash = this._hash.clone(); return b } }); g.SHA256 = j._createHelper(h); g.HmacSHA256 = j._createHmacHelper(h) })(Math); +(() => { var c = CryptoJS, k = c.enc.Utf8; c.algo.HMAC = c.lib.Base.extend({ init: function (a, b) { a = this._hasher = new a.init; "string" == typeof b && (b = k.parse(b)); var c = a.blockSize, e = 4 * c; b.sigBytes > e && (b = a.finalize(b)); b.clamp(); for (var f = this._oKey = b.clone(), g = this._iKey = b.clone(), h = f.words, j = g.words, d = 0; d < c; d++) h[d] ^= 1549556828, j[d] ^= 909522486; f.sigBytes = g.sigBytes = e; this.reset() }, reset: function () { var a = this._hasher; a.reset(); a.update(this._iKey) }, update: function (a) { this._hasher.update(a); return this }, finalize: function (a) { var b = this._hasher; a = b.finalize(a); b.reset(); return b.finalize(this._oKey.clone().concat(a)) } }) })(); +(() => { var h = CryptoJS, j = h.lib.WordArray; h.enc.Base64 = { stringify: function (b) { var e = b.words, f = b.sigBytes, c = this._map; b.clamp(); b = []; for (var a = 0; a < f; a += 3) for (var d = (e[a >>> 2] >>> 24 - 8 * (a % 4) & 255) << 16 | (e[a + 1 >>> 2] >>> 24 - 8 * ((a + 1) % 4) & 255) << 8 | e[a + 2 >>> 2] >>> 24 - 8 * ((a + 2) % 4) & 255, g = 0; 4 > g && a + 0.75 * g < f; g++) b.push(c.charAt(d >>> 6 * (3 - g) & 63)); if (e = c.charAt(64)) for (; b.length % 4;) b.push(e); return b.join("") }, parse: function (b) { var e = b.length, f = this._map, c = f.charAt(64); c && (c = b.indexOf(c), -1 != c && (e = c)); for (var c = [], a = 0, d = 0; d < e; d++) if (d % 4) { var g = f.indexOf(b.charAt(d - 1)) << 2 * (d % 4), h = f.indexOf(b.charAt(d)) >>> 6 - 2 * (d % 4); c[a >>> 2] |= (g | h) << 24 - 8 * (a % 4); a++ } return j.create(c, a) }, _map: "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" } })(); + + +hawk.crypto.utils = CryptoJS; + +// Export if used as a module + +if (typeof module !== 'undefined' && module.exports) { + module.exports = hawk; +} + +/* eslint-enable */ +// $lab:coverage:on$ diff --git a/node_modules/hawk/lib/client.js b/node_modules/hawk/lib/client.js new file mode 100755 index 0000000..eecc2e3 --- /dev/null +++ b/node_modules/hawk/lib/client.js @@ -0,0 +1,394 @@ +'use strict'; + +// Load modules + +const Url = require('url'); +const Hoek = require('hoek'); +const Cryptiles = require('cryptiles'); +const Crypto = require('./crypto'); +const Utils = require('./utils'); + + +// Declare internals + +const internals = {}; + + +// Generate an Authorization header for a given request + +/* + uri: 'http://example.com/resource?a=b' or object from Url.parse() + method: HTTP verb (e.g. 'GET', 'POST') + options: { + + // Required + + credentials: { + id: 'dh37fgj492je', + key: 'aoijedoaijsdlaksjdl', + algorithm: 'sha256' // 'sha1', 'sha256' + }, + + // Optional + + ext: 'application-specific', // Application specific data sent via the ext attribute + timestamp: Date.now() / 1000, // A pre-calculated timestamp in seconds + nonce: '2334f34f', // A pre-generated nonce + localtimeOffsetMsec: 400, // Time offset to sync with server time (ignored if timestamp provided) + payload: '{"some":"payload"}', // UTF-8 encoded string for body hash generation (ignored if hash provided) + contentType: 'application/json', // Payload content-type (ignored if hash provided) + hash: 'U4MKKSmiVxk37JCCrAVIjV=', // Pre-calculated payload hash + app: '24s23423f34dx', // Oz application id + dlg: '234sz34tww3sd' // Oz delegated-by application id + } +*/ + +exports.header = function (uri, method, options) { + + const result = { + field: '', + artifacts: {} + }; + + // Validate inputs + + if (!uri || (typeof uri !== 'string' && typeof uri !== 'object') || + !method || typeof method !== 'string' || + !options || typeof options !== 'object') { + + result.err = 'Invalid argument type'; + return result; + } + + // Application time + + const timestamp = options.timestamp || Utils.nowSecs(options.localtimeOffsetMsec); + + // Validate credentials + + const credentials = options.credentials; + if (!credentials || + !credentials.id || + !credentials.key || + !credentials.algorithm) { + + result.err = 'Invalid credential object'; + return result; + } + + if (Crypto.algorithms.indexOf(credentials.algorithm) === -1) { + result.err = 'Unknown algorithm'; + return result; + } + + // Parse URI + + if (typeof uri === 'string') { + uri = Url.parse(uri); + } + + // Calculate signature + + const artifacts = { + ts: timestamp, + nonce: options.nonce || Cryptiles.randomString(6), + method, + resource: uri.pathname + (uri.search || ''), // Maintain trailing '?' + host: uri.hostname, + port: uri.port || (uri.protocol === 'http:' ? 80 : 443), + hash: options.hash, + ext: options.ext, + app: options.app, + dlg: options.dlg + }; + + result.artifacts = artifacts; + + // Calculate payload hash + + if (!artifacts.hash && + (options.payload || options.payload === '')) { + + artifacts.hash = Crypto.calculatePayloadHash(options.payload, credentials.algorithm, options.contentType); + } + + const mac = Crypto.calculateMac('header', credentials, artifacts); + + // Construct header + + const hasExt = artifacts.ext !== null && artifacts.ext !== undefined && artifacts.ext !== ''; // Other falsey values allowed + let header = 'Hawk id="' + credentials.id + + '", ts="' + artifacts.ts + + '", nonce="' + artifacts.nonce + + (artifacts.hash ? '", hash="' + artifacts.hash : '') + + (hasExt ? '", ext="' + Hoek.escapeHeaderAttribute(artifacts.ext) : '') + + '", mac="' + mac + '"'; + + if (artifacts.app) { + header = header + ', app="' + artifacts.app + + (artifacts.dlg ? '", dlg="' + artifacts.dlg : '') + '"'; + } + + result.field = header; + + return result; +}; + + +// Validate server response + +/* + res: node's response object + artifacts: object received from header().artifacts + options: { + payload: optional payload received + required: specifies if a Server-Authorization header is required. Defaults to 'false' + } +*/ + +exports.authenticate = function (res, credentials, artifacts, options, callback) { + + artifacts = Hoek.clone(artifacts); + options = options || {}; + + let wwwAttributes = null; + let serverAuthAttributes = null; + + const finalize = function (err) { + + if (callback) { + const headers = { + 'www-authenticate': wwwAttributes, + 'server-authorization': serverAuthAttributes + }; + + return callback(err, headers); + } + + return !err; + }; + + if (res.headers['www-authenticate']) { + + // Parse HTTP WWW-Authenticate header + + wwwAttributes = Utils.parseAuthorizationHeader(res.headers['www-authenticate'], ['ts', 'tsm', 'error']); + if (wwwAttributes instanceof Error) { + wwwAttributes = null; + return finalize(new Error('Invalid WWW-Authenticate header')); + } + + // Validate server timestamp (not used to update clock since it is done via the SNPT client) + + if (wwwAttributes.ts) { + const tsm = Crypto.calculateTsMac(wwwAttributes.ts, credentials); + if (tsm !== wwwAttributes.tsm) { + return finalize(new Error('Invalid server timestamp hash')); + } + } + } + + // Parse HTTP Server-Authorization header + + if (!res.headers['server-authorization'] && + !options.required) { + + return finalize(); + } + + serverAuthAttributes = Utils.parseAuthorizationHeader(res.headers['server-authorization'], ['mac', 'ext', 'hash']); + if (serverAuthAttributes instanceof Error) { + serverAuthAttributes = null; + return finalize(new Error('Invalid Server-Authorization header')); + } + + artifacts.ext = serverAuthAttributes.ext; + artifacts.hash = serverAuthAttributes.hash; + + const mac = Crypto.calculateMac('response', credentials, artifacts); + if (mac !== serverAuthAttributes.mac) { + return finalize(new Error('Bad response mac')); + } + + if (!options.payload && + options.payload !== '') { + + return finalize(); + } + + if (!serverAuthAttributes.hash) { + return finalize(new Error('Missing response hash attribute')); + } + + const calculatedHash = Crypto.calculatePayloadHash(options.payload, credentials.algorithm, res.headers['content-type']); + if (calculatedHash !== serverAuthAttributes.hash) { + return finalize(new Error('Bad response payload mac')); + } + + return finalize(); +}; + + +// Generate a bewit value for a given URI + +/* + uri: 'http://example.com/resource?a=b' or object from Url.parse() + options: { + + // Required + + credentials: { + id: 'dh37fgj492je', + key: 'aoijedoaijsdlaksjdl', + algorithm: 'sha256' // 'sha1', 'sha256' + }, + ttlSec: 60 * 60, // TTL in seconds + + // Optional + + ext: 'application-specific', // Application specific data sent via the ext attribute + localtimeOffsetMsec: 400 // Time offset to sync with server time + }; +*/ + +exports.getBewit = function (uri, options) { + + // Validate inputs + + if (!uri || + (typeof uri !== 'string' && typeof uri !== 'object') || + !options || + typeof options !== 'object' || + !options.ttlSec) { + + return ''; + } + + options.ext = (options.ext === null || options.ext === undefined ? '' : options.ext); // Zero is valid value + + // Application time + + const now = Utils.now(options.localtimeOffsetMsec); + + // Validate credentials + + const credentials = options.credentials; + if (!credentials || + !credentials.id || + !credentials.key || + !credentials.algorithm) { + + return ''; + } + + if (Crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return ''; + } + + // Parse URI + + if (typeof uri === 'string') { + uri = Url.parse(uri); + } + + // Calculate signature + + const exp = Math.floor(now / 1000) + options.ttlSec; + const mac = Crypto.calculateMac('bewit', credentials, { + ts: exp, + nonce: '', + method: 'GET', + resource: uri.pathname + (uri.search || ''), // Maintain trailing '?' + host: uri.hostname, + port: uri.port || (uri.protocol === 'http:' ? 80 : 443), + ext: options.ext + }); + + // Construct bewit: id\exp\mac\ext + + const bewit = credentials.id + '\\' + exp + '\\' + mac + '\\' + options.ext; + return Hoek.base64urlEncode(bewit); +}; + + +// Generate an authorization string for a message + +/* + host: 'example.com', + port: 8000, + message: '{"some":"payload"}', // UTF-8 encoded string for body hash generation + options: { + + // Required + + credentials: { + id: 'dh37fgj492je', + key: 'aoijedoaijsdlaksjdl', + algorithm: 'sha256' // 'sha1', 'sha256' + }, + + // Optional + + timestamp: Date.now() / 1000, // A pre-calculated timestamp in seconds + nonce: '2334f34f', // A pre-generated nonce + localtimeOffsetMsec: 400, // Time offset to sync with server time (ignored if timestamp provided) + } +*/ + +exports.message = function (host, port, message, options) { + + // Validate inputs + + if (!host || typeof host !== 'string' || + !port || typeof port !== 'number' || + message === null || message === undefined || typeof message !== 'string' || + !options || typeof options !== 'object') { + + return null; + } + + // Application time + + const timestamp = options.timestamp || Utils.nowSecs(options.localtimeOffsetMsec); + + // Validate credentials + + const credentials = options.credentials; + if (!credentials || + !credentials.id || + !credentials.key || + !credentials.algorithm) { + + // Invalid credential object + return null; + } + + if (Crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return null; + } + + // Calculate signature + + const artifacts = { + ts: timestamp, + nonce: options.nonce || Cryptiles.randomString(6), + host, + port, + hash: Crypto.calculatePayloadHash(message, credentials.algorithm) + }; + + // Construct authorization + + const result = { + id: credentials.id, + ts: artifacts.ts, + nonce: artifacts.nonce, + hash: artifacts.hash, + mac: Crypto.calculateMac('message', credentials, artifacts) + }; + + return result; +}; + + + diff --git a/node_modules/hawk/lib/crypto.js b/node_modules/hawk/lib/crypto.js new file mode 100755 index 0000000..bfa4586 --- /dev/null +++ b/node_modules/hawk/lib/crypto.js @@ -0,0 +1,128 @@ +'use strict'; + +// Load modules + +const Crypto = require('crypto'); +const Url = require('url'); +const Utils = require('./utils'); + + +// Declare internals + +const internals = {}; + + +// MAC normalization format version + +exports.headerVersion = '1'; // Prevent comparison of mac values generated with different normalized string formats + + +// Supported HMAC algorithms + +exports.algorithms = ['sha1', 'sha256']; + + +// Calculate the request MAC + +/* + type: 'header', // 'header', 'bewit', 'response' + credentials: { + key: 'aoijedoaijsdlaksjdl', + algorithm: 'sha256' // 'sha1', 'sha256' + }, + options: { + method: 'GET', + resource: '/resource?a=1&b=2', + host: 'example.com', + port: 8080, + ts: 1357718381034, + nonce: 'd3d345f', + hash: 'U4MKKSmiVxk37JCCrAVIjV/OhB3y+NdwoCr6RShbVkE=', + ext: 'app-specific-data', + app: 'hf48hd83qwkj', // Application id (Oz) + dlg: 'd8djwekds9cj' // Delegated by application id (Oz), requires options.app + } +*/ + +exports.calculateMac = function (type, credentials, options) { + + const normalized = exports.generateNormalizedString(type, options); + + const hmac = Crypto.createHmac(credentials.algorithm, credentials.key).update(normalized); + const digest = hmac.digest('base64'); + return digest; +}; + + +exports.generateNormalizedString = function (type, options) { + + let resource = options.resource || ''; + if (resource && + resource[0] !== '/') { + + const url = Url.parse(resource, false); + resource = url.path; // Includes query + } + + let normalized = 'hawk.' + exports.headerVersion + '.' + type + '\n' + + options.ts + '\n' + + options.nonce + '\n' + + (options.method || '').toUpperCase() + '\n' + + resource + '\n' + + options.host.toLowerCase() + '\n' + + options.port + '\n' + + (options.hash || '') + '\n'; + + if (options.ext) { + normalized = normalized + options.ext.replace('\\', '\\\\').replace('\n', '\\n'); + } + + normalized = normalized + '\n'; + + if (options.app) { + normalized = normalized + options.app + '\n' + + (options.dlg || '') + '\n'; + } + + return normalized; +}; + + +exports.calculatePayloadHash = function (payload, algorithm, contentType) { + + const hash = exports.initializePayloadHash(algorithm, contentType); + hash.update(payload || ''); + return exports.finalizePayloadHash(hash); +}; + + +exports.initializePayloadHash = function (algorithm, contentType) { + + const hash = Crypto.createHash(algorithm); + hash.update('hawk.' + exports.headerVersion + '.payload\n'); + hash.update(Utils.parseContentType(contentType) + '\n'); + return hash; +}; + + +exports.finalizePayloadHash = function (hash) { + + hash.update('\n'); + return hash.digest('base64'); +}; + + +exports.calculateTsMac = function (ts, credentials) { + + const hmac = Crypto.createHmac(credentials.algorithm, credentials.key); + hmac.update('hawk.' + exports.headerVersion + '.ts\n' + ts + '\n'); + return hmac.digest('base64'); +}; + + +exports.timestampMessage = function (credentials, localtimeOffsetMsec) { + + const now = Utils.nowSecs(localtimeOffsetMsec); + const tsm = exports.calculateTsMac(now, credentials); + return { ts: now, tsm }; +}; diff --git a/node_modules/hawk/lib/index.js b/node_modules/hawk/lib/index.js new file mode 100755 index 0000000..324d3f9 --- /dev/null +++ b/node_modules/hawk/lib/index.js @@ -0,0 +1,17 @@ +'use strict'; + +// Export sub-modules + +exports.error = exports.Error = require('boom'); +exports.sntp = require('sntp'); + +exports.server = require('./server'); +exports.client = require('./client'); +exports.crypto = require('./crypto'); +exports.utils = require('./utils'); + +exports.uri = { + authenticate: exports.server.authenticateBewit, + getBewit: exports.client.getBewit +}; + diff --git a/node_modules/hawk/lib/server.js b/node_modules/hawk/lib/server.js new file mode 100755 index 0000000..c5b02ae --- /dev/null +++ b/node_modules/hawk/lib/server.js @@ -0,0 +1,550 @@ +'use strict'; + +// Load modules + +const Boom = require('boom'); +const Hoek = require('hoek'); +const Cryptiles = require('cryptiles'); +const Crypto = require('./crypto'); +const Utils = require('./utils'); + + +// Declare internals + +const internals = {}; + + +// Hawk authentication + +/* + req: node's HTTP request object or an object as follows: + + const request = { + method: 'GET', + url: '/resource/4?a=1&b=2', + host: 'example.com', + port: 8080, + authorization: 'Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="some-app-ext-data", mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE="' + }; + + credentialsFunc: required function to lookup the set of Hawk credentials based on the provided credentials id. + The credentials include the MAC key, MAC algorithm, and other attributes (such as username) + needed by the application. This function is the equivalent of verifying the username and + password in Basic authentication. + + const credentialsFunc = function (id, callback) { + + // Lookup credentials in database + db.lookup(id, function (err, item) { + + if (err || !item) { + return callback(err); + } + + const credentials = { + // Required + key: item.key, + algorithm: item.algorithm, + // Application specific + user: item.user + }; + + return callback(null, credentials); + }); + }; + + options: { + + hostHeaderName: optional header field name, used to override the default 'Host' header when used + behind a cache of a proxy. Apache2 changes the value of the 'Host' header while preserving + the original (which is what the module must verify) in the 'x-forwarded-host' header field. + Only used when passed a node Http.ServerRequest object. + + nonceFunc: optional nonce validation function. The function signature is function(key, nonce, ts, callback) + where 'callback' must be called using the signature function(err). + + timestampSkewSec: optional number of seconds of permitted clock skew for incoming timestamps. Defaults to 60 seconds. + Provides a +/- skew which means actual allowed window is double the number of seconds. + + localtimeOffsetMsec: optional local clock time offset express in a number of milliseconds (positive or negative). + Defaults to 0. + + payload: optional payload for validation. The client calculates the hash value and includes it via the 'hash' + header attribute. The server always ensures the value provided has been included in the request + MAC. When this option is provided, it validates the hash value itself. Validation is done by calculating + a hash value over the entire payload (assuming it has already be normalized to the same format and + encoding used by the client to calculate the hash on request). If the payload is not available at the time + of authentication, the authenticatePayload() method can be used by passing it the credentials and + attributes.hash returned in the authenticate callback. + + host: optional host name override. Only used when passed a node request object. + port: optional port override. Only used when passed a node request object. + } + + callback: function (err, credentials, artifacts) { } + */ + +exports.authenticate = function (req, credentialsFunc, options, callback) { + + callback = Hoek.nextTick(callback); + + // Default options + + options.nonceFunc = options.nonceFunc || internals.nonceFunc; + options.timestampSkewSec = options.timestampSkewSec || 60; // 60 seconds + + // Application time + + const now = Utils.now(options.localtimeOffsetMsec); // Measure now before any other processing + + // Convert node Http request object to a request configuration object + + const request = Utils.parseRequest(req, options); + if (request instanceof Error) { + return callback(Boom.badRequest(request.message)); + } + + // Parse HTTP Authorization header + + const attributes = Utils.parseAuthorizationHeader(request.authorization); + if (attributes instanceof Error) { + return callback(attributes); + } + + // Construct artifacts container + + const artifacts = { + method: request.method, + host: request.host, + port: request.port, + resource: request.url, + ts: attributes.ts, + nonce: attributes.nonce, + hash: attributes.hash, + ext: attributes.ext, + app: attributes.app, + dlg: attributes.dlg, + mac: attributes.mac, + id: attributes.id + }; + + // Verify required header attributes + + if (!attributes.id || + !attributes.ts || + !attributes.nonce || + !attributes.mac) { + + return callback(Boom.badRequest('Missing attributes'), null, artifacts); + } + + // Fetch Hawk credentials + + credentialsFunc(attributes.id, (err, credentials) => { + + if (err) { + return callback(err, credentials || null, artifacts); + } + + if (!credentials) { + return callback(Utils.unauthorized('Unknown credentials'), null, artifacts); + } + + if (!credentials.key || + !credentials.algorithm) { + + return callback(Boom.internal('Invalid credentials'), credentials, artifacts); + } + + if (Crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return callback(Boom.internal('Unknown algorithm'), credentials, artifacts); + } + + // Calculate MAC + + const mac = Crypto.calculateMac('header', credentials, artifacts); + if (!Cryptiles.fixedTimeComparison(mac, attributes.mac)) { + return callback(Utils.unauthorized('Bad mac'), credentials, artifacts); + } + + // Check payload hash + + if (options.payload || + options.payload === '') { + + if (!attributes.hash) { + return callback(Utils.unauthorized('Missing required payload hash'), credentials, artifacts); + } + + const hash = Crypto.calculatePayloadHash(options.payload, credentials.algorithm, request.contentType); + if (!Cryptiles.fixedTimeComparison(hash, attributes.hash)) { + return callback(Utils.unauthorized('Bad payload hash'), credentials, artifacts); + } + } + + // Check nonce + + options.nonceFunc(credentials.key, attributes.nonce, attributes.ts, (err) => { + + if (err) { + return callback(Utils.unauthorized('Invalid nonce'), credentials, artifacts); + } + + // Check timestamp staleness + + if (Math.abs((attributes.ts * 1000) - now) > (options.timestampSkewSec * 1000)) { + const tsm = Crypto.timestampMessage(credentials, options.localtimeOffsetMsec); + return callback(Utils.unauthorized('Stale timestamp', tsm), credentials, artifacts); + } + + // Successful authentication + + return callback(null, credentials, artifacts); + }); + }); +}; + + +// Authenticate payload hash - used when payload cannot be provided during authenticate() + +/* + payload: raw request payload + credentials: from authenticate callback + artifacts: from authenticate callback + contentType: req.headers['content-type'] +*/ + +exports.authenticatePayload = function (payload, credentials, artifacts, contentType) { + + const calculatedHash = Crypto.calculatePayloadHash(payload, credentials.algorithm, contentType); + return Cryptiles.fixedTimeComparison(calculatedHash, artifacts.hash); +}; + + +// Authenticate payload hash - used when payload cannot be provided during authenticate() + +/* + calculatedHash: the payload hash calculated using Crypto.calculatePayloadHash() + artifacts: from authenticate callback +*/ + +exports.authenticatePayloadHash = function (calculatedHash, artifacts) { + + return Cryptiles.fixedTimeComparison(calculatedHash, artifacts.hash); +}; + + +// Generate a Server-Authorization header for a given response + +/* + credentials: {}, // Object received from authenticate() + artifacts: {} // Object received from authenticate(); 'mac', 'hash', and 'ext' - ignored + options: { + ext: 'application-specific', // Application specific data sent via the ext attribute + payload: '{"some":"payload"}', // UTF-8 encoded string for body hash generation (ignored if hash provided) + contentType: 'application/json', // Payload content-type (ignored if hash provided) + hash: 'U4MKKSmiVxk37JCCrAVIjV=' // Pre-calculated payload hash + } +*/ + +exports.header = function (credentials, artifacts, options) { + + // Prepare inputs + + options = options || {}; + + if (!artifacts || + typeof artifacts !== 'object' || + typeof options !== 'object') { + + return ''; + } + + artifacts = Hoek.clone(artifacts); + delete artifacts.mac; + artifacts.hash = options.hash; + artifacts.ext = options.ext; + + // Validate credentials + + if (!credentials || + !credentials.key || + !credentials.algorithm) { + + // Invalid credential object + return ''; + } + + if (Crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return ''; + } + + // Calculate payload hash + + if (!artifacts.hash && + (options.payload || options.payload === '')) { + + artifacts.hash = Crypto.calculatePayloadHash(options.payload, credentials.algorithm, options.contentType); + } + + const mac = Crypto.calculateMac('response', credentials, artifacts); + + // Construct header + + let header = 'Hawk mac="' + mac + '"' + + (artifacts.hash ? ', hash="' + artifacts.hash + '"' : ''); + + if (artifacts.ext !== null && + artifacts.ext !== undefined && + artifacts.ext !== '') { // Other falsey values allowed + + header = header + ', ext="' + Hoek.escapeHeaderAttribute(artifacts.ext) + '"'; + } + + return header; +}; + + +/* + * Arguments and options are the same as authenticate() with the exception that the only supported options are: + * 'hostHeaderName', 'localtimeOffsetMsec', 'host', 'port' + */ + + +// 1 2 3 4 +internals.bewitRegex = /^(\/.*)([\?&])bewit\=([^&$]*)(?:&(.+))?$/; + + +exports.authenticateBewit = function (req, credentialsFunc, options, callback) { + + callback = Hoek.nextTick(callback); + + // Application time + + const now = Utils.now(options.localtimeOffsetMsec); + + // Convert node Http request object to a request configuration object + + const request = Utils.parseRequest(req, options); + if (request instanceof Error) { + return callback(Boom.badRequest(request.message)); + } + + // Extract bewit + + if (request.url.length > Utils.limits.maxMatchLength) { + return callback(Boom.badRequest('Resource path exceeds max length')); + } + + const resource = request.url.match(internals.bewitRegex); + if (!resource) { + return callback(Utils.unauthorized()); + } + + // Bewit not empty + + if (!resource[3]) { + return callback(Utils.unauthorized('Empty bewit')); + } + + // Verify method is GET + + if (request.method !== 'GET' && + request.method !== 'HEAD') { + + return callback(Utils.unauthorized('Invalid method')); + } + + // No other authentication + + if (request.authorization) { + return callback(Boom.badRequest('Multiple authentications')); + } + + // Parse bewit + + const bewitString = Hoek.base64urlDecode(resource[3]); + if (bewitString instanceof Error) { + return callback(Boom.badRequest('Invalid bewit encoding')); + } + + // Bewit format: id\exp\mac\ext ('\' is used because it is a reserved header attribute character) + + const bewitParts = bewitString.split('\\'); + if (bewitParts.length !== 4) { + return callback(Boom.badRequest('Invalid bewit structure')); + } + + const bewit = { + id: bewitParts[0], + exp: parseInt(bewitParts[1], 10), + mac: bewitParts[2], + ext: bewitParts[3] || '' + }; + + if (!bewit.id || + !bewit.exp || + !bewit.mac) { + + return callback(Boom.badRequest('Missing bewit attributes')); + } + + // Construct URL without bewit + + let url = resource[1]; + if (resource[4]) { + url = url + resource[2] + resource[4]; + } + + // Check expiration + + if (bewit.exp * 1000 <= now) { + return callback(Utils.unauthorized('Access expired'), null, bewit); + } + + // Fetch Hawk credentials + + credentialsFunc(bewit.id, (err, credentials) => { + + if (err) { + return callback(err, credentials || null, bewit.ext); + } + + if (!credentials) { + return callback(Utils.unauthorized('Unknown credentials'), null, bewit); + } + + if (!credentials.key || + !credentials.algorithm) { + + return callback(Boom.internal('Invalid credentials'), credentials, bewit); + } + + if (Crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return callback(Boom.internal('Unknown algorithm'), credentials, bewit); + } + + // Calculate MAC + + const mac = Crypto.calculateMac('bewit', credentials, { + ts: bewit.exp, + nonce: '', + method: 'GET', + resource: url, + host: request.host, + port: request.port, + ext: bewit.ext + }); + + if (!Cryptiles.fixedTimeComparison(mac, bewit.mac)) { + return callback(Utils.unauthorized('Bad mac'), credentials, bewit); + } + + // Successful authentication + + return callback(null, credentials, bewit); + }); +}; + + +/* + * options are the same as authenticate() with the exception that the only supported options are: + * 'nonceFunc', 'timestampSkewSec', 'localtimeOffsetMsec' + */ + +exports.authenticateMessage = function (host, port, message, authorization, credentialsFunc, options, callback) { + + callback = Hoek.nextTick(callback); + + // Default options + + options.nonceFunc = options.nonceFunc || internals.nonceFunc; + options.timestampSkewSec = options.timestampSkewSec || 60; // 60 seconds + + // Application time + + const now = Utils.now(options.localtimeOffsetMsec); // Measure now before any other processing + + // Validate authorization + + if (!authorization.id || + !authorization.ts || + !authorization.nonce || + !authorization.hash || + !authorization.mac) { + + return callback(Boom.badRequest('Invalid authorization')); + } + + // Fetch Hawk credentials + + credentialsFunc(authorization.id, (err, credentials) => { + + if (err) { + return callback(err, credentials || null); + } + + if (!credentials) { + return callback(Utils.unauthorized('Unknown credentials')); + } + + if (!credentials.key || + !credentials.algorithm) { + + return callback(Boom.internal('Invalid credentials'), credentials); + } + + if (Crypto.algorithms.indexOf(credentials.algorithm) === -1) { + return callback(Boom.internal('Unknown algorithm'), credentials); + } + + // Construct artifacts container + + const artifacts = { + ts: authorization.ts, + nonce: authorization.nonce, + host, + port, + hash: authorization.hash + }; + + // Calculate MAC + + const mac = Crypto.calculateMac('message', credentials, artifacts); + if (!Cryptiles.fixedTimeComparison(mac, authorization.mac)) { + return callback(Utils.unauthorized('Bad mac'), credentials); + } + + // Check payload hash + + const hash = Crypto.calculatePayloadHash(message, credentials.algorithm); + if (!Cryptiles.fixedTimeComparison(hash, authorization.hash)) { + return callback(Utils.unauthorized('Bad message hash'), credentials); + } + + // Check nonce + + options.nonceFunc(credentials.key, authorization.nonce, authorization.ts, (err) => { + + if (err) { + return callback(Utils.unauthorized('Invalid nonce'), credentials); + } + + // Check timestamp staleness + + if (Math.abs((authorization.ts * 1000) - now) > (options.timestampSkewSec * 1000)) { + return callback(Utils.unauthorized('Stale timestamp'), credentials); + } + + // Successful authentication + + return callback(null, credentials); + }); + }); +}; + + +internals.nonceFunc = function (key, nonce, ts, nonceCallback) { + + return nonceCallback(); // No validation +}; diff --git a/node_modules/hawk/lib/utils.js b/node_modules/hawk/lib/utils.js new file mode 100755 index 0000000..ecb64d3 --- /dev/null +++ b/node_modules/hawk/lib/utils.js @@ -0,0 +1,186 @@ +'use strict'; + +// Load modules + +const Sntp = require('sntp'); +const Boom = require('boom'); + + +// Declare internals + +const internals = {}; + + +exports.version = function () { + + return require('../package.json').version; +}; + + +exports.limits = { + maxMatchLength: 4096 // Limit the length of uris and headers to avoid a DoS attack on string matching +}; + + +// Extract host and port from request + +// $1 $2 +internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/; // (IPv4, hostname)|(IPv6) + + +exports.parseHost = function (req, hostHeaderName) { + + hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host'); + const hostHeader = req.headers[hostHeaderName]; + if (!hostHeader) { + return null; + } + + if (hostHeader.length > exports.limits.maxMatchLength) { + return null; + } + + const hostParts = hostHeader.match(internals.hostHeaderRegex); + if (!hostParts) { + return null; + } + + return { + name: hostParts[1], + port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80)) + }; +}; + + +// Parse Content-Type header content + +exports.parseContentType = function (header) { + + if (!header) { + return ''; + } + + return header.split(';')[0].trim().toLowerCase(); +}; + + +// Convert node's to request configuration object + +exports.parseRequest = function (req, options) { + + if (!req.headers) { + return req; + } + + // Obtain host and port information + + let host; + if (!options.host || + !options.port) { + + host = exports.parseHost(req, options.hostHeaderName); + if (!host) { + return new Error('Invalid Host header'); + } + } + + const request = { + method: req.method, + url: req.url, + host: options.host || host.name, + port: options.port || host.port, + authorization: req.headers.authorization, + contentType: req.headers['content-type'] || '' + }; + + return request; +}; + + +exports.now = function (localtimeOffsetMsec) { + + return Sntp.now() + (localtimeOffsetMsec || 0); +}; + + +exports.nowSecs = function (localtimeOffsetMsec) { + + return Math.floor(exports.now(localtimeOffsetMsec) / 1000); +}; + + +internals.authHeaderRegex = /^(\w+)(?:\s+(.*))?$/; // Header: scheme[ something] +internals.attributeRegex = /^[ \w\!#\$%&'\(\)\*\+,\-\.\/\:;<\=>\?@\[\]\^`\{\|\}~]+$/; // !#$%&'()*+,-./:;<=>?@[]^_`{|}~ and space, a-z, A-Z, 0-9 + + +// Parse Hawk HTTP Authorization header + +exports.parseAuthorizationHeader = function (header, keys) { + + keys = keys || ['id', 'ts', 'nonce', 'hash', 'ext', 'mac', 'app', 'dlg']; + + if (!header) { + return Boom.unauthorized(null, 'Hawk'); + } + + if (header.length > exports.limits.maxMatchLength) { + return Boom.badRequest('Header length too long'); + } + + const headerParts = header.match(internals.authHeaderRegex); + if (!headerParts) { + return Boom.badRequest('Invalid header syntax'); + } + + const scheme = headerParts[1]; + if (scheme.toLowerCase() !== 'hawk') { + return Boom.unauthorized(null, 'Hawk'); + } + + const attributesString = headerParts[2]; + if (!attributesString) { + return Boom.badRequest('Invalid header syntax'); + } + + const attributes = {}; + let errorMessage = ''; + const verify = attributesString.replace(/(\w+)="([^"\\]*)"\s*(?:,\s*|$)/g, ($0, $1, $2) => { + + // Check valid attribute names + + if (keys.indexOf($1) === -1) { + errorMessage = 'Unknown attribute: ' + $1; + return; + } + + // Allowed attribute value characters + + if ($2.match(internals.attributeRegex) === null) { + errorMessage = 'Bad attribute value: ' + $1; + return; + } + + // Check for duplicates + + if (attributes.hasOwnProperty($1)) { + errorMessage = 'Duplicate attribute: ' + $1; + return; + } + + attributes[$1] = $2; + return ''; + }); + + if (verify !== '') { + return Boom.badRequest(errorMessage || 'Bad header format'); + } + + return attributes; +}; + + +exports.unauthorized = function (message, attributes) { + + return Boom.unauthorized(message || null, 'Hawk', attributes); +}; + diff --git a/node_modules/hawk/package.json b/node_modules/hawk/package.json new file mode 100755 index 0000000..424ff42 --- /dev/null +++ b/node_modules/hawk/package.json @@ -0,0 +1,78 @@ +{ + "_from": "hawk@~6.0.2", + "_id": "[email protected]", + "_inBundle": false, + "_integrity": "sha512-miowhl2+U7Qle4vdLqDdPt9m09K6yZhkLDTWGoUiUzrQCn+mHHSmfJgAyGaLRZbPmTqfFFjRV1QWCW0VWUJBbQ==", + "_location": "/hawk", + "_phantomChildren": {}, + "_requested": { + "type": "range", + "registry": true, + "raw": "hawk@~6.0.2", + "name": "hawk", + "escapedName": "hawk", + "rawSpec": "~6.0.2", + "saveSpec": null, + "fetchSpec": "~6.0.2" + }, + "_requiredBy": [ + "/request" + ], + "_resolved": "https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz", + "_shasum": "af4d914eb065f9b5ce4d9d11c1cb2126eecc3038", + "_spec": "hawk@~6.0.2", + "_where": "/Users/armanshah/Desktop/node-projects/shopping-list/node_modules/request", + "author": { + "name": "Eran Hammer", + "email": "[email protected]", + "url": "http://hueniverse.com" + }, + "babel": { + "presets": [ + "es2015" + ] + }, + "browser": "dist/browser.js", + "bugs": { + "url": "https://github.com/hueniverse/hawk/issues" + }, + "bundleDependencies": false, + "dependencies": { + "boom": "4.x.x", + "cryptiles": "3.x.x", + "hoek": "4.x.x", + "sntp": "2.x.x" + }, + "deprecated": false, + "description": "HTTP Hawk Authentication Scheme", + "devDependencies": { + "babel-cli": "^6.1.2", + "babel-preset-es2015": "^6.1.2", + "code": "4.x.x", + "lab": "14.x.x" + }, + "engines": { + "node": ">=4.5.0" + }, + "homepage": "https://github.com/hueniverse/hawk#readme", + "keywords": [ + "http", + "authentication", + "scheme", + "hawk" + ], + "license": "BSD-3-Clause", + "main": "lib/index.js", + "name": "hawk", + "repository": { + "type": "git", + "url": "git://github.com/hueniverse/hawk.git" + }, + "scripts": { + "build-client": "mkdir -p dist; babel lib/browser.js --out-file dist/browser.js", + "prepublish": "npm run-script build-client", + "test": "lab -a code -t 100 -L", + "test-cov-html": "lab -a code -r html -o coverage.html" + }, + "version": "6.0.2" +} |