Package detail

http-signature

TritonDataCenter85mMIT1.4.0

Reference implementation of Joyent's HTTP Signature scheme.

https, request

readme

node-http-signature

node-http-signature is a node.js library that has client and server components for Joyent's HTTP Signature Scheme.

Usage

Note the example below signs a request with the same key/cert used to start an HTTP server. This is almost certainly not what you actually want, but is just used to illustrate the API calls; you will need to provide your own key management in addition to this library.

Client

var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');

var key = fs.readFileSync('./key.pem', 'ascii');

var options = {
  host: 'localhost',
  port: 8443,
  path: '/',
  method: 'GET',
  headers: {}
};

// Adds a 'Date' header in, signs it, and adds the
// 'Authorization' header in.
var req = https.request(options, function(res) {
  console.log(res.statusCode);
});


httpSignature.sign(req, {
  key: key,
  keyId: './cert.pem',
  keyPassphrase: 'secret' // (optional)
});

req.end();

Server

var fs = require('fs');
var https = require('https');
var httpSignature = require('http-signature');

var options = {
  key: fs.readFileSync('./key.pem'),
  cert: fs.readFileSync('./cert.pem')
};

https.createServer(options, function (req, res) {
  var rc = 200;
  var parsed = httpSignature.parseRequest(req);
  var pub = fs.readFileSync(parsed.keyId, 'ascii');
  if (!httpSignature.verifySignature(parsed, pub))
    rc = 401;

  res.writeHead(rc);
  res.end();
}).listen(8443);

Installation

npm install http-signature

License

MIT.

Bugs

See https://github.com/joyent/node-http-signature/issues.

changelog

node-http-signature changelog

not yet released

(nothing yet)

1.4.0

Update sshpk for ed25519 support

1.3.6

Update jsprim due to vulnerability in json-schema (#123)

1.3.5

Add keyPassphrase option to signer (#115)
Add support for created and expires values (#110)

1.3.4

Fix breakage in v1.3.3 with the setting of the "algorithm" field in the Authorization header (#102)

1.3.3

Bad release. Use 1.3.4.

Add support for an opaque param in the Authorization header (#101)
Add support for adding the keyId and algorithm params into the signing string (#100)

1.3.2

Allow Buffers to be used for verifyHMAC (#98)

1.3.1

Fix node 0.10 usage (#90)

1.3.0

Known issue: This release broken http-signature with node 0.10.

Bump dependency sshpk
Add Signature header support (#83)

1.2.0

Bump dependency assert-plus
Add ability to pass a custom header name
Replaced dependency node-uuid with uuid

1.1.1

Version of dependency assert-plus updated: old version was missing some license information
Corrected examples in http_signing.md, added auto-tests to automatically validate these examples

1.1.0

Bump version of sshpk dependency, remove peerDependency on it since it now supports exchanging objects between multiple versions of itself where possible

1.0.2

Bump min version of jsprim dependency, to include fixes for using http-signature with browserify

1.0.1

Bump minimum version of sshpk dependency, to include fixes for whitespace tolerance in key parsing.

1.0.0

First semver release.
36: Ensure verifySignature does not leak useful timing information
42: Bring the library up to the latest version of the spec (including the
```
 request-target changes)
```
Support for ECDSA keys and signatures.
Now uses sshpk for key parsing, validation and conversion.
Fixes for #21, #47, #39 and compatibility with node 0.8

0.11.0

Split up HMAC and Signature verification to avoid vulnerabilities where a key intended for use with one can be validated against the other method instead.

0.10.2

Updated versions of most dependencies.
Utility functions exported for PEM => SSH-RSA conversion.
Improvements to tests and examples.