Library for Hawk HTTP authorization
Mohawk is an alternate Python implementation of the Hawk HTTP authorization scheme.
If you don’t see any documentation here it probably means the lib is unstable and you shouldn’t use it.
- Implement bewit. The bewit URI scheme is not implemented at this time.
- Make content hash checking optional per spec. Right now you’ll get a failure if the sender or receiver isn’t hashing their content.
- I started using PyHawk because it was written by Austin King and he’s awesome.
- PyHawk is a direct port from Node but this did not seem to fit right with Python, especially in how Node’s style is to attempt internal error recovery and Python’s style is to raise exceptions that calling code can recover from.
- I was paranoid about how PyHawk (and maybe the Node lib too) makes it easy to ignore content hashing. If programmers accidentally disregard hash checks then that would be bad.
- I started patching PyHawk but became confused about the lifecycle of the request/response.
- PyHawk didn’t have a lot of tests for edge cases (like content tampering) so it was hard to patch.
- I started on some Django middleware using PyHawk and found myself creating a lot of adapters for undocumented internal dictionary structures which felt wrong.
- The PyHawk/Node API relies on pre-generated header artifacts but this feels clunky to me. I wanted that to be an implementation detail.
- The required order in which you need to pre-generate artifacts is not implicitly enforced by the PyHawk/Node API which can lead to mistakes if programmers re-use objects across requests.
- I re-wrote the class/function interface into something that I thought made sense then I re-wrote it three more times until it started to actually make sense.
- I developed test first with a comprehensive suite focusing on the threat model that Hawk is designed to protect you from. This helped me arrive at an API that should help developers write secure applications by default.
- I re-used a lot of PyHawk code :)
- 0.0.4 (2014-02-11)
  - Bug fix: response processing now re-uses the sender's nonce and timestamp, per the Node Hawk lib
  - No longer assumes content-type: text/plain if the content type is not specified
- 0.0.3 (2014-02-07)
  - Bug fix: MACs were made using URL-safe base64 encoding, which differs from the Node Hawk lib (it just uses regular base64)
  - Exposed localtime_in_seconds on the TokenExpired exception, per the Hawk spec
  - Better localtime offset and skew handling
- 0.0.2 (2014-02-06)
  - Responding with a custom ext now works
  - Protected app and dlg according to spec when accepting responses
- 0.0.1 (2014-02-05)
  - Initial release of partial implementation
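The three pieces of the Hawk scheme this page keeps returning to are the payload hash (the TODO item on optional hash checking), the MAC encoding (the 0.0.3 fix: standard base64, not URL-safe) and the response MAC re-using the request's nonce and timestamp (the 0.0.4 fix). The following is an added, stdlib-only illustration of those rules written for this page; it is not Mohawk's code or API. The function names (`payload_hash`, `calculate_mac`, `sign_request`, `verify_request`, `sign_response`) and the credential, nonce and timestamp values are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample credentials for illustration only (not a real deployment secret).
CREDENTIALS = {
    "id": "dh37fgj492je",
    "key": b"werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn",
    "algorithm": "sha256",
}


def payload_hash(content_type, content):
    """Hawk payload hash: base64(sha256("hawk.1.payload\\n<media type>\\n<body>\\n")).

    Only the media type is covered; parameters such as ";charset=utf-8" are dropped.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if isinstance(content, str):
        content = content.encode("utf-8")
    normalized = b"hawk.1.payload\n" + media_type.encode("utf-8") + b"\n" + content + b"\n"
    return base64.b64encode(hashlib.sha256(normalized).digest()).decode("ascii")


def normalized_string(mac_type, ts, nonce, method, resource, host, port, hash_, ext, app=None, dlg=None):
    """The string Hawk feeds to the HMAC. mac_type is "header" for requests, "response" for replies."""
    ext = (ext or "").replace("\\", "\\\\").replace("\n", "\\n")
    parts = ["hawk.1." + mac_type, str(ts), nonce, method.upper(), resource,
             host.lower(), str(port), hash_ or "", ext]
    if app:
        parts += [app, dlg or ""]
    return "\n".join(parts) + "\n"


def calculate_mac(mac_type, credentials, ts, nonce, method, resource, host, port, hash_, ext, app=None, dlg=None):
    """HMAC over the normalized string, encoded with *standard* base64 ("+" and "/",
    never the URL-safe "-" and "_"), which is what the Node Hawk lib produces."""
    digestmod = getattr(hashlib, credentials["algorithm"])
    normalized = normalized_string(mac_type, ts, nonce, method, resource, host, port, hash_, ext, app, dlg)
    mac = hmac.new(credentials["key"], normalized.encode("utf-8"), digestmod).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_request(credentials, method, resource, host, port, ts, nonce, content=b"", content_type="", ext=None):
    """Build the attributes of an Authorization: Hawk header for a request."""
    hash_ = payload_hash(content_type, content)
    mac = calculate_mac("header", credentials, ts, nonce, method, resource, host, port, hash_, ext)
    return {"id": credentials["id"], "ts": ts, "nonce": nonce, "hash": hash_, "ext": ext, "mac": mac}


def verify_request(credentials, header, method, resource, host, port, content, content_type):
    """Receiver-side check. Returns (mac_ok, hash_ok).

    The MAC is computed over the hash *claimed in the header*, so a valid MAC alone
    says nothing about the body; hash_ok is the check that actually protects the payload,
    which is why skipping it silently is dangerous.
    """
    expected_mac = calculate_mac("header", credentials, header["ts"], header["nonce"], method,
                                 resource, host, port, header["hash"], header["ext"])
    mac_ok = hmac.compare_digest(expected_mac, header["mac"])
    hash_ok = hmac.compare_digest(payload_hash(content_type, content), header["hash"])
    return mac_ok, hash_ok


def sign_response(credentials, request_header, method, resource, host, port, content=b"", content_type="", ext=None):
    """Server-Authorization MAC: same ts and nonce as the request, but mac_type "response"."""
    hash_ = payload_hash(content_type, content)
    mac = calculate_mac("response", credentials, request_header["ts"], request_header["nonce"],
                        method, resource, host, port, hash_, ext)
    return {"hash": hash_, "ext": ext, "mac": mac}


if __name__ == "__main__":
    body = b"Thank you for flying Hawk"
    hdr = sign_request(CREDENTIALS, "POST", "/resource/1?b=1&a=2", "example.com", 8000,
                       1353832234, "j4h3g2", body, "text/plain", "some-app-ext-data")
    print("mac:", hdr["mac"])
    print("intact body:", verify_request(CREDENTIALS, hdr, "POST", "/resource/1?b=1&a=2",
                                         "example.com", 8000, body, "text/plain"))
    print("altered body:", verify_request(CREDENTIALS, hdr, "POST", "/resource/1?b=1&a=2",
                                          "example.com", 8000, body + b"!", "text/plain"))
```

Running the module shows the point behind the TODO item: with an altered body the MAC still verifies (it covers the hash attribute, not the bytes), and only the separate payload-hash comparison fails, so a receiver that treats hash checking as optional has lost payload integrity without noticing.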