HTTP Signature support for Django REST framework (http_signature, outdated implementation)
Project description
Overview
Provides HTTP Signature support for Django REST framework. The HTTP Signature package provides a way to achieve origin authentication and message integrity for HTTP messages. Similar to Amazon’s HTTP Signature scheme, used by many of its services. The HTTP Signature specification is currently an IETF draft.
Installation
Installing the package via the repository:
pip install djangorestframework-httpsignature
The current implementation depends on http_signature by David Lehn, who has updated the original code to match the revised spec. This dependency is reflected in the REQUIREMENTS.txt file, and pip will pull the code from David’s repository.
Troubleshooting
It has been reported that some newer versions of pip might download the requiered package http_signature from PyPI instead of the repository listed in REQUIREMENTS.txt. If this is your case, a workaround is:
git clone https://github.com/etoccalino/django-rest-framework-httpsignature.git
cd django-rest-framework-httpsignature
remove the whole line in REQUIREMENTS.txt that references py-http-signature
pip install the entire line (including the “-e” at the beginning)
pip install -r REQUIREMENTS.txt
Those steps make explicity what should be automatic. Thanks Alberto Gragera for both spotting the problem and providing a solution.
Running the tests
To run the tests for the packages, use the following command on the repository root directory:
python manage.py test
Usage
To authenticate HTTP requests via HTTP signature, you need to:
Install this package in your Django project, as instructed in Installation.
Add rest_framework_httpsignature to your settings.py INSTALLED_APPS.
In your app code, extend the SignatureAuthentication class, as follows:
# my_api/auth.py from rest_framework_httpsignature.authentication import SignatureAuthentication class MyAPISignatureAuthentication(SignatureAuthentication): # The HTTP header used to pass the consumer key ID. # Defaults to 'X-Api-Key'. API_KEY_HEADER = 'X-Api-Key' # A method to fetch (User instance, user_secret_string) from the # consumer key ID, or None in case it is not found. def fetch_user_data(self, api_key): # ... # example implementation: try: user = User.objects.get(api_key=api_key) return (user, user.secret) except User.DoesNotExist: return None
Configure Django REST framework to use you authentication class; e.g.:
# my_project/settings.py # ... REST_FRAMEWORK = { 'DEFAULT_AUTHENTICATION_CLASSES': ( 'my_api.auth.MyAPISignatureAuthentication', ), 'DEFAULT_PERMISSION_CLASSES': ( 'rest_framework.permissions.IsAuthenticated', ) } # The above will force HTTP signature for all requests. # ...
Roadmap
Currently, the library only support HMAC SHA256 for signing.
The REQUIREMENTS.txt file is fairly strict. It is very possible that previous versions of Django and Django REST framework are supported.
Since HTTP Signature uses a HTTP header for the request date and time, the authentication class could deal with request expiry.
Example usage & session w/cURL
Assuming the setup detailed in Usage, a project running on localhost:8000 could be probed with cURL as follows:
~$ SSS=Base64(Hmac(SECRET, "Date: Mon, 17 Feb 2014 06:11:05 GMT", SHA256)) ~$ curl -v -H 'Date: "Mon, 17 Feb 2014 06:11:05 GMT"' -H 'Authorization: Signature keyId="my-key",algorithm="hmac-sha256",headers="date",signature="SSS"'
And with much less pain, using the modules requests and http_signature:
import requests from http_signature.requests_auth import HTTPSignatureAuth API_KEY_ID = 'su-key' SECRET = 'my secret string' signature_headers = ['request-line', 'accept', 'date', 'host'] headers = { 'Host': 'localhost:8000', 'Accept': 'application/json', 'X-Api-Key': API_KEY_ID, } # We omit the "Date" header, so http_signature adds it. auth = HTTPSignatureAuth(key_id=API_KEY_ID, secret=SECRET, algorithm='hmac-sha256', headers=signature_headers) req = requests.get('http://localhost:8000/resource/', auth=auth, headers=headers) print req.content
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Hashes for djangorestframework-httpsignature-0.1.7.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | e0de1e7cd1462e310640fc4900d1699ac53ec44a228c015b629aff48cf5a6247 |
|
MD5 | ddc68bdf0b40cb4eff5a97e5780cc3a7 |
|
BLAKE2b-256 | ffa9fa311962aa240614f135c9f808f346de34afeae51cb2b0b02f4b46f9b5fa |