Closed
Bug 869951
Opened 11 years ago
Closed 11 years ago
Add support for an HMAC+SHA1 authentication scheme on payloads
Categories
(Webmaker Graveyard :: MakeAPI, enhancement)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: humph, Assigned: cade)
References
Details
(Whiteboard: s=20130722 p=1)
Attachments
(7 files)
|
43 bytes,
text/x-github-pull-request
|
mjschranz
:
review+
jon
:
review+
|
Details | Review |
|
48 bytes,
text/x-github-pull-request
|
mjschranz
:
review+
jon
:
review+
|
Details | Review |
|
56 bytes,
text/x-github-pull-request
|
jon
:
review+
|
Details | Review |
|
48 bytes,
text/x-github-pull-request
|
jon
:
review+
|
Details | Review |
|
56 bytes,
text/x-github-pull-request
|
jon
:
review+
|
Details | Review |
|
43 bytes,
text/x-github-pull-request
|
jon
:
review+
|
Details | Review |
|
43 bytes,
text/x-github-pull-request
|
jon
:
review+
|
Details | Review |
From email: "I think the one thing we should all be aware of is that the payload for each request isn't being signed. This means that if someone can sniff any authenticated call, they'll be able to issue authenticated requests. I'd like to see an HMAC+SHA1 authentication scheme done. This ensures that the payload for the request is signed and immutable. It is also something we have to do in order to support external clients of the MakeAPI. -- Something that I think is coming very soon."
|
||
Comment 1•11 years ago
|
||
We should look at https://github.com/hueniverse/hawk/, it got a recommendation from Ozten on the Identity team: http://ozten.com/psto/2013/05/07/proposal-for-securing-mozilla-web-services-with-hawk/ and a Python implementation too: http://ozten.com/psto/2013/05/07/pyhawk-hawk-for-python/
|
||
Comment 2•11 years ago
|
||
I was just about to paste that in. +1.
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → chris
Status: NEW → ASSIGNED
|
|
||
Comment 3•11 years ago
|
||
Hey :cade, let me know if you've got any questions on this one? -- I'm happy to be a beta tester.
|
|
Assignee | |
Comment 4•11 years ago
|
||
:wex Sure thing! Over the next few weeks I'm going to move into an API Key authentication model for API consuming Apps. Those authenticated requests will probably make use of Hawk.
|
|
Assignee | |
Updated•11 years ago
|
Whiteboard: s=2013w29
|
||
Updated•11 years ago
|
Whiteboard: s=2013w29 → s=2013w29 p=1
|
|
Assignee | |
Comment 5•11 years ago
|
||
So I took a (successful) first stab at this: https://github.com/cadecairos/MakeAPI/commits/bug869951 https://github.com/cadecairos/make-api-client/commits/bug869951 The Create, Update and Delete Routes on the makeapi in this patch are no longer protected with basic auth - they're using Hawk. I created an ApiUser Database model for mongo that stores an API key, an app id (username) and a few other things. keys and user names can be generated using a really crude tool I added to the Make Editor (its at the bottom of the page) API keys are generated using node-uuid ( https://github.com/shtylman/node-uuid ). Hawk uses Mongoose to find the API key for a given user, and attempts to authenticate the call. The makeapi-client code can ONLY do create/update/delete calls if in a node context. Along with the apiURL, you must pass the Make Constructor a hawk object that contains the API key, username and algorithm.
|
|
Assignee | |
Comment 6•11 years ago
|
||
Time to get some eyes on this. NOTE: This doesn't mean we're ready for third party access. We still need to figure out how to handle the identity of creator and tag filtering.
Attachment #778527 -
Flags: review?(schranz.m)
|
|
Assignee | |
Comment 7•11 years ago
|
||
Attachment #778531 -
Flags: review?(schranz.m)
|
|
Assignee | |
Updated•11 years ago
|
Whiteboard: s=2013w29 p=1 → s=20130722 p=1
|
||
Comment 8•11 years ago
|
||
Comment on attachment 778527 [details] [review] https://github.com/mozilla/MakeAPI/pull/113 See pull request comments.
Attachment #778527 -
Flags: review?(schranz.m) → review-
|
|
||
Comment 9•11 years ago
|
||
Comment on attachment 778531 [details] [review] https://github.com/mozilla/makeapi-client/pull/6 See pull request comments.
Attachment #778531 -
Flags: review?(schranz.m) → review-
|
|
Assignee | |
Updated•11 years ago
|
Attachment #778527 -
Flags: review- → review?(schranz.m)
|
|
Assignee | |
Updated•11 years ago
|
Attachment #778531 -
Flags: review- → review?(schranz.m)
|
|
||
Comment 10•11 years ago
|
||
Comment on attachment 778531 [details] [review] https://github.com/mozilla/makeapi-client/pull/6 Again, get others to review.
Attachment #778531 -
Flags: review?(schranz.m) → review+
|
|
||
Comment 11•11 years ago
|
||
Comment on attachment 778527 [details] [review] https://github.com/mozilla/MakeAPI/pull/113 There seems to be an issue with your hawk error handling. The error object I get in my callbacks is null for some reason.
Attachment #778527 -
Flags: review?(schranz.m) → review-
|
|
||
Comment 13•11 years ago
|
||
I was just trying to send a new make to my local make server with these patches running. Now, the error itself isn't important. It happened because it wasn't getting passed new hawk authorization credentials. However the error object I got back was null, making the make itself null and then causing the popcorn maker server to crash.
Flags: needinfo?(schranz.m)
|
|
Assignee | |
Comment 14•11 years ago
|
||
(In reply to Matthew Schranz [:mjschranz] from comment #13) > I was just trying to send a new make to my local make server with these > patches running. How were you sending it? pastebin plz > Now, the error itself isn't important. It happened because it wasn't getting > passed new hawk authorization credentials. However the error object I got "getting passed new hawk autorization credentials" <- wat? > back was null, making the make itself null and then causing the popcorn > maker server to crash.
|
|
Assignee | |
Comment 15•11 years ago
|
||
This patch updates Thimble to use the new API Key Authentication model in the MakeAPI
|
|
Assignee | |
Comment 16•11 years ago
|
||
Updates webmaker.org with API Key Authentication (for delete operations)
|
|
||
Comment 17•11 years ago
|
||
(In reply to Chris DeCairos (:cade) from comment #14) > (In reply to Matthew Schranz [:mjschranz] from comment #13) > > I was just trying to send a new make to my local make server with these > > patches running. > > How were you sending it? pastebin plz https://github.com/mozilla/popcorn.webmaker.org/blob/master/lib/middleware.js#L64-L81 I used an untouched Popcorn Maker. It wasn't passing any of the new "hawk" credentials. It fails your middleware check (as expected) and hits https://github.com/mozilla/MakeAPI/pull/113/files#L1R96. That responding function doesn't return a proper error object. If you look back at the link for how Popcorn Maker sends new makes to the MakeAPI, it should hit the error check. However it does and crashes on line 96.
|
|
Assignee | |
Comment 18•11 years ago
|
||
It shouldn't even be tested with an out of date makeapi-client version. I'm working on a patch for popcorn maker. lets test with up to date code.
|
|
Assignee | |
Comment 19•11 years ago
|
||
MakeAPI ... API Key Authentication for Popcorn Maker
|
|
Assignee | |
Comment 20•11 years ago
|
||
NOTE: All of thimble, popcorn maker and webmaker.org will need the hawk supporting branch of makeapi-client. I discovered the awesomeness of npm link today, https://npmjs.org/doc/link.html (props to @daleee) use the docs there to easily set up each to use a local checked out version of makeapi-client Also, you'll have to go into the admin console on the MakeAPI and issue a set of keys. Pass those keys to your app .env's or configs (for popcorn maker)
|
|
Assignee | |
Updated•11 years ago
|
Attachment #778527 -
Flags: review- → review?(schranz.m)
|
|
Assignee | |
Updated•11 years ago
|
Attachment #778527 -
Flags: review?(jon)
|
|
Assignee | |
Updated•11 years ago
|
Attachment #778531 -
Flags: review?(jon)
|
|
||
Updated•11 years ago
|
Attachment #778527 -
Flags: review?(schranz.m) → review+
|
||
Comment 21•11 years ago
|
||
Comment on attachment 778527 [details] [review] https://github.com/mozilla/MakeAPI/pull/113 Some suggestions in the patch, but this looks pretty close
Attachment #778527 -
Flags: review?(jon) → review-
|
|
||
Comment 22•11 years ago
|
||
Comment on attachment 778531 [details] [review] https://github.com/mozilla/makeapi-client/pull/6 Three things to look at
Attachment #778531 -
Flags: review?(jon) → review-
|
|
Assignee | |
Comment 23•11 years ago
|
||
Comment on attachment 778531 [details] [review] https://github.com/mozilla/makeapi-client/pull/6 updated!
Attachment #778531 -
Flags: review- → review?(jon)
|
|
Assignee | |
Comment 24•11 years ago
|
||
Comment on attachment 778527 [details] [review] https://github.com/mozilla/MakeAPI/pull/113 updated too!
Attachment #778527 -
Flags: review- → review?(jon)
|
|
||
Comment 25•11 years ago
|
||
Comment on attachment 778531 [details] [review] https://github.com/mozilla/makeapi-client/pull/6 One nit about an API path in https://github.com/mozilla/makeapi-client/pull/6#discussion-diff-5376781, r+ with addressing it either way
Attachment #778531 -
Flags: review?(jon) → review+
|
|
||
Comment 26•11 years ago
|
||
Comment on attachment 778527 [details] [review] https://github.com/mozilla/MakeAPI/pull/113 r+, with the potential nit that if you change the path for `makes` vs `make` then it'll need to be updated here
Attachment #778527 -
Flags: review?(jon) → review+
|
||
Comment 27•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/MakeAPI https://github.com/mozilla/MakeAPI/commit/daccbfa273503fef9a2b8267bb0bb7066a32ebd5 Bug 869951 - API Key Authentication using Hawk
|
|
Assignee | |
Comment 28•11 years ago
|
||
I forgot that I tied up a loose end when POSTing a new make. no longer is it
{ maker: "", make: { /* make data */ } }
it's just:
{ /* make data */ }
I've added some code to make sure we handle both kinds (for now)
Attachment #780503 -
Flags: review?(jon)
|
|
||
Updated•11 years ago
|
Attachment #780503 -
Flags: review?(jon) → review+
|
|
||
Comment 29•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/MakeAPI https://github.com/mozilla/MakeAPI/commit/71a92a555c9874fd18b13acc9001b386baffb52a Bug 869951 - enable backwards compatible tag filtering
|
|
||
Comment 30•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/MakeAPI https://github.com/mozilla/MakeAPI/commit/14611866efe9121911f13fefa2183a907f96f167 Bug 869951 - Port override for Hawk if SSL is on
|
|
||
Updated•11 years ago
|
Attachment #779444 -
Flags: review+
|
|
||
Updated•11 years ago
|
Attachment #779408 -
Flags: review+
|
|
||
Updated•11 years ago
|
Attachment #779402 -
Flags: review+
|
|
Assignee | |
Comment 31•11 years ago
|
||
Fix declaring a variable out of scope.
Attachment #780621 -
Flags: review?(jon)
|
|
||
Updated•11 years ago
|
Attachment #780621 -
Flags: review?(jon) → review+
|
|
||
Comment 32•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/MakeAPI https://github.com/mozilla/MakeAPI/commit/dc912248464f8216d0492730842ce6c60620d7e6 Bug 869951 - Declare hawkOptions in scope of it's use
|
|
||
Comment 33•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/popcorn.webmaker.org https://github.com/mozilla/popcorn.webmaker.org/commit/e0bac3b004b883ed89930d285398ecee4bd0ba06 Bug 869951 - API Key Authentication with MakeAPI
|
|
||
Comment 34•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/webmaker.org https://github.com/mozilla/webmaker.org/commit/8fd030c5ca52b5039f1fed3a1c96b48c4d44b571 Bug 869951 - API Key Authentication with MakeAPI
|
|
||
Comment 35•11 years ago
|
||
Commit pushed to master at https://github.com/mozilla/thimble.webmaker.org https://github.com/mozilla/thimble.webmaker.org/commit/a6608a6ed576677e682db59b5e012add3ef0f8b5 Bug 869951 - API Key Authentication with MakeAPI
|
|
Assignee | |
Comment 36•11 years ago
|
||
Shipped MakeAPI, Popcorn Maker, Thimble and Webmaker.org to Production and Enabled API key Authentication. Filed Bug 898138 to remove the deprecated API Filed Bug 898139 to add in Response validation in makeapi-client
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Updated•11 years ago
|
Attachment mime type: text/plain text/plain → text/x-github-pull-request text/x-github-pull-request
|
|
||
Updated•11 years ago
|
Attachment mime type: text/plain text/plain text/plain text/plain text/plain → text/x-github-pull-request text/x-github-pull-request text/x-github-pull-request text/x-github-pull-request text/x-github-pull-request
You need to log in
before you can comment on or make changes to this bug.
Description
•