Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/pyauth/requests-http-signature

A Requests auth module for the IETF HTTP Message Signatures draft standard
https://github.com/pyauth/requests-http-signature

authentication hmac http http-message-signatures http-signature python python-requests

Last synced: about 1 month ago
JSON representation

A Requests auth module for the IETF HTTP Message Signatures draft standard

Host: GitHub
URL: https://github.com/pyauth/requests-http-signature
Owner: pyauth
License: apache-2.0
Created: 2017-08-21T23:59:07.000Z (about 7 years ago)
Default Branch: develop
Last Pushed: 2023-04-12T01:58:52.000Z (over 1 year ago)
Last Synced: 2024-05-19T07:28:01.213Z (4 months ago)
Topics: authentication, hmac, http, http-message-signatures, http-signature, python, python-requests
Language: Python
Homepage: https://pyauth.github.io/requests-http-signature/
Size: 2.6 MB
Stars: 70
Watchers: 5
Forks: 23
Open Issues: 3
Metadata Files:
- Readme: README.rst
- Changelog: Changes.rst
- Funding: .github/FUNDING.yml
- License: LICENSE

Awesome Lists containing this project

starred-awesome - requests-http-signature - A Requests auth module for the HTTP Signature IETF draft standard RFC (Python)

README

        requests-http-signature: A Requests auth module for HTTP Signature

==================================================================

**requests-http-signature** is a `Requests `_ `authentication plugin

`_ (``requests.auth.AuthBase`` subclass) implementing

the

`IETF RFC 9421 HTTP Message Signatures standard `_.

Installation

------------

::

    $ pip install requests-http-signature

Usage

-----

.. code-block:: python

  import requests

  from requests_http_signature import HTTPSignatureAuth, algorithms

  

  preshared_key_id = 'squirrel'

  preshared_secret = b'monorail_cat'

  url = 'https://example.com/'

  auth = HTTPSignatureAuth(key=preshared_secret,

                           key_id=preshared_key_id,

                           signature_algorithm=algorithms.HMAC_SHA256)

  requests.get(url, auth=auth)

By default, only the ``Date`` header and the ``@method``, ``@authority``, and ``@target-uri`` derived component

identifiers are signed for body-less requests such as GET. The ``Date`` header is set if it is absent. In addition,

the ``Authorization`` header is signed if it is present, and for requests with bodies (such as POST), the

``Content-Digest`` header is set to the SHA256 of the request body using the format described in the

`IETF Digest Fields draft `_ and signed.

To add other headers to the signature, pass an array of header names in the ``covered_component_ids`` keyword argument.

See the `API documentation `_ for the full list of options and

details.

Verifying responses

~~~~~~~~~~~~~~~~~~~

The class method ``HTTPSignatureAuth.verify()`` can be used to verify responses received back from the server:

.. code-block:: python

  class MyKeyResolver:

      def resolve_public_key(self, key_id):

          assert key_id == 'squirrel'

          return 'monorail_cat'

  response = requests.get(url, auth=auth)

  verify_result = HTTPSignatureAuth.verify(response,

                                           signature_algorithm=algorithms.HMAC_SHA256,

                                           key_resolver=MyKeyResolver())

More generally, you can reconstruct an arbitrary request using the

`Requests API `_ and pass it to ``verify()``:

.. code-block:: python

  request = requests.Request(...)  # Reconstruct the incoming request using the Requests API

  prepared_request = request.prepare()  # Generate a PreparedRequest

  HTTPSignatureAuth.verify(prepared_request, ...)

To verify incoming requests and sign responses in the context of an HTTP server, see the

`flask-http-signature `_ and

`http-message-signatures `_ packages.

.. admonition:: See what is signed

 It is important to understand and follow the best practice rule of "See what is signed" when verifying HTTP message

 signatures. The gist of this rule is: if your application neglects to verify that the information it trusts is

 what was actually signed, the attacker can supply a valid signature but point you to malicious data that wasn't signed

 by that signature. Failure to follow this rule can lead to vulnerability against signature wrapping and substitution

 attacks.

 In requests-http-signature, you can ensure that the information signed is what you expect to be signed by only trusting

 the data returned by the ``verify()`` method::

   verify_result = HTTPSignatureAuth.verify(message, ...)

See the `API documentation `_ for full details.

Asymmetric key algorithms

~~~~~~~~~~~~~~~~~~~~~~~~~

To sign or verify messages with an asymmetric key algorithm, set the ``signature_algorithm`` keyword argument to

``algorithms.ED25519``, ``algorithms.ECDSA_P256_SHA256``, ``algorithms.RSA_V1_5_SHA256``, or

``algorithms.RSA_PSS_SHA512``.

For asymmetric key algorithms, you can supply the private key as the ``key`` parameter to the ``HTTPSignatureAuth()``

constructor as bytes in the PEM format, or configure the key resolver as follows:

.. code-block:: python

  with open('key.pem', 'rb') as fh:

      auth = HTTPSignatureAuth(signature_algorithm=algorithms.RSA_V1_5_SHA256,

                               key=fh.read(),

                               key_id=preshared_key_id)

  requests.get(url, auth=auth)

  class MyKeyResolver:

      def resolve_public_key(self, key_id: str):

          return public_key_pem_bytes[key_id]

      def resolve_private_key(self, key_id: str):

          return private_key_pem_bytes[key_id]

  auth = HTTPSignatureAuth(signature_algorithm=algorithms.RSA_V1_5_SHA256,

                           key_resolver=MyKeyResolver(),

                           key_id="my-key-id")

  requests.get(url, auth=auth)

Digest algorithms

~~~~~~~~~~~~~~~~~

To generate a Content-Digest header using SHA-512 instead of the default SHA-256, subclass ``HTTPSignatureAuth`` as

follows::

  class MySigner(HTTPSignatureAuth):

      signing_content_digest_algorithm = "sha-512"

Authors

-------

* `Andrey Kislyuk `

Links

-----

* `Project home page (GitHub) `_

* `Package documentation `_

* `Package distribution (PyPI) `_

* `Change log `_

* `http-message-signatures `_ - a dependency of this library that

  handles much of the implementation

* `IETF RFC 9421, HTTP Message Signatures `_

Bugs

~~~~

Please report bugs, issues, feature requests, etc. on `GitHub `_.

License

-------

Copyright 2017-2024, Andrey Kislyuk and requests-http-signature contributors. Licensed under the terms of the

`Apache License, Version 2.0 `_. Distribution of attribution information,

LICENSE and NOTICE files with source copies of this package and derivative works is **REQUIRED** as specified by the

Apache License.