Crypto Keypair Authorization for Django Rest Framework
Project description
Crypto Keypair Authorization for Django Rest Framework
For full documentation visit drf-keypair-permissions.readthedocs.io.
This Django module was created to give "Cavage" HTTP Signatures capabilities to the Django Rest Framework.
This enables HTTP authorization based on public key/private key encryption as an alternative to session cookies or API tokens.
In your Django code, it looks like this:
from keypair_permissions.permissions import HasHttpCryptoAuthorization
class EchoServerApiView(GenericApiView):
permission_classes = [HasHttpCryptoAuthorization]
def get(self, request):
return Response(request.body)
Doing so will require an Authorization
HTTP header that looks like this:
HTTP/1.1 POST /foo
Authorization: Signature algorithm="hs2019",keyId="keyname",signature="MEUCIGGB0P3P/iZCzCbX1fj1Q6AbYPJr9dEBYcsuiLoS3q6uAiEAkEjvmWfuN1UDPmYCkBywnI/MwisCuNEmlAxPB3ZBVgc="
... other headers ...
This authorization header is created by signing Request headers with a private key on the client. The server then verifies the Request was sent by a known client by verifying the signature using the client's public key.
Additionally, a Digest
header can be added to ensure the Request body was transported in tact:
Digest: SHA512=WZDPaVn/7XgHaAy8pmojAkGWoRx2UFChF41A2svX+TaPm+AbwAgBWnrIiYllu7BNNyealdVLvRwEmTHWXvJwew==
Each public key can be associated with a Django User, so the User can be accessed from the View:
class EchoServerApiView(GenericApiView):
permission_classes = [HasHttpCryptoAuthorization]
def get(self, request):
user = request.public_key.user
return Response(request.body)
For more information see Draft Cavage HTTP Signatures 12
Quickstart
Install:
$ pip install drf-keypair-permissions
Add keypair_permissions
to your settings.INSTALLED_APPS
:
settings.py
:
INSTALLED_APPS = [
...
'keypair_permissions',
]
Migrate the database
$ ./manage.py makemigrations
$ ./manage.py migrate
Include to your project
views.py
:
from keypair_permissions.permissions import HasHttpCryptoAuthorization
Set the permission_classes
of API views to include HasHttpCryptoAuthorization
:
class EchoServerApiView(GenericApiView):
permission_classes = [HasHttpCryptoAuthorization]
def get(self, request):
return Response(request.body)
Or use across your entire API by setting REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES']
:
REST_FRAMEWORK = {
'DEFAULT_PERMISSION_CLASSES': [
'keypair_permissions.permissions.HasHttpCryptoAuthorization',
]
}
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for drf-keypair-permissions-1.0.1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 178f06ec0f39900bb4aaf6d607a953d518f389162c378753a90f4e645c1075f5 |
|
MD5 | c3ead571884c1b3cc85d6f85680390ac |
|
BLAKE2b-256 | 6508fa6aa4384cf74ed7463620837a418da6eae63f2eaa5d1f7db031f47bf315 |
Hashes for drf_keypair_permissions-1.0.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | cb97ac8cf7d4ae21088297362ef4b5258ab0bcd2fc0973ea9ac46427cf3d5f61 |
|
MD5 | fddf7295b2785027d1bacbca644a504d |
|
BLAKE2b-256 | cfe825d95a03507727850617b2eb05cae69d2db2c838f5d5993739b496174435 |