Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/gremo/gremohmacauthenticationbundle
Symfony bundle adding REST HMAC HTTP authentication
https://github.com/gremo/gremohmacauthenticationbundle
Last synced: about 2 months ago
JSON representation
Symfony bundle adding REST HMAC HTTP authentication
- Host: GitHub
- URL: https://github.com/gremo/gremohmacauthenticationbundle
- Owner: gremo
- Created: 2014-10-15T22:07:56.000Z (about 10 years ago)
- Default Branch: master
- Last Pushed: 2021-04-16T11:11:58.000Z (over 3 years ago)
- Last Synced: 2024-09-08T01:50:52.298Z (4 months ago)
- Language: PHP
- Homepage:
- Size: 16.6 KB
- Stars: 5
- Watchers: 2
- Forks: 2
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- Security: Security/Authentication/HmacUserToken.php
Awesome Lists containing this project
README
# GremoHmacAuthenticationBundle
[![Latest stable](https://img.shields.io/packagist/v/gremo/hmac-authentication-bundle.svg?style=flat-square)](https://packagist.org/packages/gremo/hmac-authentication-bundle) [![Downloads total](https://img.shields.io/packagist/dt/gremo/hmac-authentication-bundle.svg?style=flat-square)](https://packagist.org/packages/gremo/hmac-authentication-bundle) [![GitHub issues](https://img.shields.io/github/issues/gremo/GremoHmacAuthenticationBundle.svg?style=flat-square)](https://github.com/gremo/GremoHmacAuthenticationBundle/issues)Symfony bundle adding REST HMAC HTTP authentication.
## Installation
```json
{
"require": {
"gremo/hmac-authentication-bundle": "~1.0"
},
}
```Register the bundle in your `app/AppKernel.php`:
```php
public function registerBundles()
{
$bundles = array(
// ...
new Gremo\HmacAuthenticationBundle\GremoHmacAuthenticationBundle(),
);
// ...
}
```## Configuration
Not needed.## Usage
Protect part of your application in `security.yml` using the `hmac` key:```yml
# ...
firewalls:
# ...
hmac_secured:
pattern: ^/api
stateless: true # HMAC is stateless!
hmac:
auth_header: Authorization # Name of the header to inspect
service_label: HMAC # Service name/id
algorithm: sha256 # Hashing algoritm, see hash_algos()
verify_headers: [] # Array or comma-separated list of headers
```## How it works
The authentication manager will inspect the `auth_header` header with the following pattern:```
: :
```If the service label matches, the manager loads the user with `` username. The password is used to re-compute the signature, base64-enconding the hashed canonical string:
```
= + "\n" +
+ "\n" +
+ "\n" +
+ "\n" +
...
;
```Note that both **query params and headers are sorted** before calculating the signature.
Consider the following **configuration**:
```yml
security:
# ...
providers:
in_memory:
memory:
users:
foo: { password: bar }firewalls:
hmac_secured:
pattern: ^/
stateless: true
provider: in_memory
hmac:
auth_header: Authorization
service_label: HMAC
algorithm: sha256
verify_headers: [Date, Accept, Content-MD5]# ...
```And the **raw HTTP request**:
```
GET /?b=c&a= HTTP/1.1
Accept: application/json
Host: localhost:8080
Authorization: HMAC foo:ZWQyNmYwZWM1MmZkYmIyNTgzYjJiYWQ2Zjg3OGJkYjIzNzU2YTBlYjQ3NGY5ZDg1YWE5ZjYwN2Q1ODg1NWI1MQ==
Date: Mon, 26 Mar 2007 19:37:58 +0000
```The **canonical string** would be (note the LF where `Content-MD5` should appear):
```
GET
/?a=&b=c
application/jsonMon, 26 Mar 2007 19:37:58 +0000
```The **hashed value** is (plain password is `bar`):
```
ed26f0ec52fdbb2583b2bad6f878bdb23756a0eb474f9d85aa9f607d58855b51
```And finally the **base64 encoded value** (that is the signature of `Authorization` header):
```
ZWQyNmYwZWM1MmZkYmIyNTgzYjJiYWQ2Zjg3OGJkYjIzNzU2YTBlYjQ3NGY5ZDg1YWE5ZjYwN2Q1ODg1NWI1MQ==
```