{"id":28640779,"url":"https://github.com/pd/apiauth","last_synced_at":"2025-06-12T20:08:23.662Z","repository":{"id":31606611,"uuid":"35171551","full_name":"pd/apiauth","owner":"pd","description":"ApiAuth-compatible package for signing and verifying HTTP requests in golang.","archived":false,"fork":false,"pushed_at":"2023-02-15T20:31:09.000Z","size":13,"stargazers_count":8,"open_issues_count":0,"forks_count":5,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-10-23T22:30:59.487Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://github.com/pd/apiauth","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/pd.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"MIT-LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2015-05-06T16:54:53.000Z","updated_at":"2020-12-10T16:23:11.000Z","dependencies_parsed_at":"2024-06-19T03:51:14.319Z","dependency_job_id":"dc2048ef-9ee3-428e-aa8f-099f35089923","html_url":"https://github.com/pd/apiauth","commit_stats":null,"previous_names":[],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/pd/apiauth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pd%2Fapiauth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pd%2Fapiauth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pd%2Fapiauth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pd%2Fapiauth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/pd","download_url":"https://codeload.github.com
/pd/apiauth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/pd%2Fapiauth/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259522118,"owners_count":22870449,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-12T20:08:23.073Z","updated_at":"2025-06-12T20:08:23.653Z","avatar_url":"https://github.com/pd.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# apiauth [![Build Status](https://travis-ci.org/pd/apiauth.png)](https://travis-ci.org/pd/apiauth) [![GoDoc](https://godoc.org/github.com/pd/apiauth?status.png)](https://godoc.org/github.com/pd/apiauth)\n\n[ApiAuth][]-compatible package for signing and verifying HTTP requests in golang.\n\n## IMPORTANT!: Security Update\nIn order to prevent a security vulnerability present in the reference version of\n[ApiAuth][] we have added functions in order to sign and verify requests with a\ncanonical string that includes the HTTP method. We have added the functions\n`SignWithMethod` and `CanonicalStringWithMethod`, and the `Verify` function has\nbeen modified to accept requests where the request signature matches\n`CanonicalString` OR `CanonicalStringWithMethod`. In the future the old versions\nwill be removed and canonical strings will only be considered a match if they \ninclude the request method. 
We recommend you start using the new way of signing\nrequests immediately.\n\n## Usage\n\nSigning a request:\n\n~~~go\nimport \"github.com/pd/apiauth\"\n\nreq, _ := http.NewRequest(\"GET\", \"http://example.com\", nil)\n\n// The `Date` header _must_ be present.\n// If the request body is set, `Content-Type` and `Content-MD5` must\n// also be present.\nreq.Header.Set(\"Date\", apiauth.Date())\n\nerr := apiauth.Sign(req, \"access_id\", \"secret_key\")\n~~~\n\nVerifying a request:\n\n~~~go\nerr := apiauth.Verify(req, \"secret_key\")\nif err != nil {\n  // Failed.\n}\n~~~\n\nFunctions are exposed for the lower-level operations, as well, in case you need more granular control:\n\n~~~go\n// Given a request, returns the `\u003cContent-Type\u003e,\u003cMD5\u003e,\u003cURI\u003e,\u003cDate\u003e` string used for the HMAC.\nstr := apiauth.CanonicalString(req)\n\n// Given a canonical string and secret key, computes the signature using HMAC-SHA1:\nsignature := apiauth.Compute(str, \"secret_key\")\n\n// A helper for generating an RFC1123-formatted date using the current time:\napiauth.Date()\n\n// Or a given time:\nt := time.Date(2009, time.November, 10, 23, 0, 0, 0, time.UTC)\napiauth.DateForTime(t)\n~~~\n\n## Caveats\n\nThis implementation is intentionally somewhat less \"friendly\" than mgomes' [Ruby implementation][ApiAuth]:\n\n* Only the `Authorization` header is set for you by `apiauth.Sign`; setting the `Date`, `Content-Type`\n  and `Content-MD5` headers is the caller's responsibility.\n* The `apiauth.Verify` function does *not* enforce a maximum time duration between the `Date` header\n  in a request and the matching `Date` value computed by the server. Protection against replay attacks\n  is the caller's responsibility. 
(**NB**: but maybe shouldn't be; I'm just being lazy right now, as\n  it's already handled in the application I'm writing this for)\n* The `apiauth.Verify` function does *not* validate the `Content-MD5` header: doing so would require\n  reading the entire request body into memory at least once, which is undesirable in many use cases.\n  Verification of the payload MD5 is the caller's responsibility.\n\n[ApiAuth]: https://github.com/mgomes/api_auth\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpd%2Fapiauth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpd%2Fapiauth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpd%2Fapiauth/lists"}