HTTP Signature support for Django REST framework
drf-httpsig
Overview
Provides HTTP Signature support for Django REST framework. The HTTP Signature package provides a way to achieve origin authentication and message integrity for HTTP messages. It is similar to Amazon’s HTTP Signature scheme, which is used by many of its services. The HTTP Signature specification is currently an IETF draft.
Installation
Installing the package via the repository:
pip install drf-httpsig
The current implementation depends on the httpsig package, which is a modified version of the http_signature package by David Lehn.
Running the tests
To run the tests for the package, run the following command from the repository root directory:
python manage.py test
Usage
To authenticate HTTP requests via HTTP signature, you need to:
Install this package in your Django project, as instructed in Installation.
Add drf_httpsig to your settings.py INSTALLED_APPS.
In your app code, extend the SignatureAuthentication class, as follows:
```python
# my_api/auth.py
from django.contrib.auth import get_user_model
from drf_httpsig.authentication import SignatureAuthentication

# The project's user model; this example assumes it has keyId and secret fields.
User = get_user_model()


class MyAPISignatureAuthentication(SignatureAuthentication):

    # A method to fetch (User instance, user_secret_string) from the
    # consumer key ID, or (None, None) in case it is not found.
    def fetch_user_data(self, keyId):
        # ...
        # example implementation:
        try:
            user = User.objects.get(keyId=keyId)
            return (user, user.secret)
        except User.DoesNotExist:
            return (None, None)
```
Configure Django REST framework to use your authentication class; e.g.:
```python
# my_project/settings.py
# ...
REST_FRAMEWORK = {
    'DEFAULT_AUTHENTICATION_CLASSES': (
        'my_api.auth.MyAPISignatureAuthentication',
    ),
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.IsAuthenticated',
    )
}
# The above will force HTTP signature for all requests.
# ...
```
Roadmap
Currently, the library only supports HMAC-SHA256 for signing.
Since HTTP Signature uses an HTTP header for the request date and time, the authentication class could deal with request expiry.
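A sketch of the request-expiry check this roadmap item describes, combined with HMAC-SHA256 verification of a signature that covers the date header. It is an added example built on the standard library only, not drf-httpsig code; the function names, the 300-second window and the sample secret are assumptions.

```python
import base64, hashlib, hmac, re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(seconds=300)  # assumed freshness window, not a library setting

def sign(secret, headers, names):
    """Base64(HMAC-SHA256(secret, signing string)) over the named headers."""
    lower = {k.lower(): v for k, v in headers.items()}
    # Signing string: one "name: value" line per signed header, names lowercased.
    message = "\n".join("%s: %s" % (n, lower[n]) for n in names)
    mac = hmac.new(secret.encode(), message.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def verify(headers, secrets, now):
    """Return the keyId if the signature is valid and the Date is fresh, else None."""
    lower = {k.lower(): v for k, v in headers.items()}
    scheme, _, params = lower.get("authorization", "").partition(" ")
    fields = dict(re.findall(r'(\w+)="([^"]*)"', params))
    names = fields.get("headers", "date").lower().split()
    secret = secrets.get(fields.get("keyId"))
    if scheme != "Signature" or secret is None or fields.get("algorithm") != "hmac-sha256":
        return None
    if "date" not in names:  # an unsigned Date could be rewritten by a replayer
        return None
    try:
        expected = sign(secret, lower, names)
        sent = parsedate_to_datetime(lower["date"])
    except (KeyError, TypeError, ValueError):  # missing header or unparsable date
        return None
    if not hmac.compare_digest(expected.encode(), fields.get("signature", "").encode()):
        return None
    if sent.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return fields["keyId"] if abs(now - sent) <= MAX_SKEW else None

# Constructed sample request, reusing the date and key ID from the cURL session.
SECRETS = {"my-key": "my secret string"}
DATE = "Mon, 17 Feb 2014 06:11:05 GMT"
REQUEST = {
    "Date": DATE,
    "Authorization": 'Signature keyId="my-key",algorithm="hmac-sha256",headers="date",'
                     'signature="%s"' % sign(SECRETS["my-key"], {"Date": DATE}, ["date"]),
}
SENT_AT = datetime(2014, 2, 17, 6, 11, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(verify(REQUEST, SECRETS, SENT_AT))                          # accepted
    print(verify(REQUEST, SECRETS, SENT_AT + timedelta(minutes=10)))  # replayed too late
```

The freshness check only limits the replay window; a captured request can still be replayed inside it unless the server also tracks recently seen signatures.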
Example usage & session w/cURL
Assuming the setup detailed in Usage, a project running on localhost:8000 could be probed with cURL as follows:
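```
~$ DATE='Mon, 17 Feb 2014 06:11:05 GMT'
~$ # SECRET holds the shared secret; SSS = Base64(Hmac(SECRET, signing string, SHA256))
~$ SSS=$(printf 'date: %s' "$DATE" | openssl dgst -sha256 -hmac "$SECRET" -binary | base64)
~$ curl -v -H "Date: $DATE" -H "Authorization: Signature keyId=\"my-key\",algorithm=\"hmac-sha256\",headers=\"date\",signature=\"$SSS\"" http://localhost:8000/resource/
```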
And with much less pain, using the modules requests and http_signature:
```python
import requests
from http_signature.requests_auth import HTTPSignatureAuth

KEY_ID = 'su-key'
SECRET = 'my secret string'

# Headers covered by the signature.
signature_headers = ['request-line', 'accept', 'date', 'host']
headers = {
    'Host': 'localhost:8000',
    'Accept': 'application/json',
    'Date': "Mon, 17 Feb 2014 06:11:05 GMT"
}

auth = HTTPSignatureAuth(key_id=KEY_ID, secret=SECRET,
                         algorithm='hmac-sha256',
                         headers=signature_headers)
req = requests.get('http://localhost:8000/resource/',
                   auth=auth, headers=headers)
print(req.content)
```
drf-httpsig Changes
v1.0b2 (2014-Jul-01)
Added versioneer.
Updated requirements to use latest httpsig.
Added “setup.py test” and tox support.
Fixed a unit test.
v1.0b1 (2014-Jun-27)
Renamed to drf-httpsig because I don’t hate my hands.
Updated requirements versions to be more sane.
Switched to a different branch for http_signature.
Removed API_KEY_HEADER in favor of the keyId, per spec.
Cleaned up the repo a bit.
Cleaned up the code a bit.
djangorestframework-httpsignature (previous)
v0.1.5, 20140613 – Document installation issue
Document workaround on installation problems.
v0.1.4, 20140613 – Improve installation
Make requirements file comply with docs.
Decide on http_signature commit.
v0.1.3, 20140220 – Upload to PyPI
Prepare docs to upload package to PyPI
v0.1.2, 20140219 – Package data and clean up
Updated package classifiers
Cleaned up unused code in authentication.py
v0.1.1, 20140217 – Documentation and clean up
The package can be installed.
Continuous integration via Travis.
Unit tests for the authentication code.
General documentation in the README file.
v0.1.0, 20140217 – Initial release