signed-http

use joyent's http-signature protocol

signed-http

Use joyent's http signature scheme for http auth.

See the http-signature module and the HTTP Signature spec it implements.

Provides an http middleware and a few small helpers. By default signed-http includes a hash of the request body in the signature, so the body cannot be altered in transit without invalidating the signature.

signed-http also checks for replayed and out-of-date requests (note: the record of already-seen requests does not survive a server restart, so a recent request can be replayed after a restart until its date is no longer within the allowed skew).

Because of this, I strongly recommend that all http routes be idempotent.

create a server

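var http = require('http')
var sr = require('signed-http')

//get a key pair
//this will block the process for a few seconds.
//NOTE: '/tmp' is shared and world-writable; it is fine for a demo, but keep
//real private keys in a directory only the service user can read.
var pair = sr.loadOrGenerateSync('/tmp/testkeys', {silent: false})

http.createServer(sr(
  //handler: called with the node request and response objects
  function (req, res) {
    //this only gets called if the request was successfully signed.
    //it is still your job to decide whether that user may access that resource!
    res.end('ok')
  },
  {
    //getPublicKey(id, cb): must provide a function to retrieve a public key!
    //whatever key cb receives is what the signature is checked against, so
    //look it up for `id` from a trusted store - never from the request itself.
    //(this demo ignores `id` and always returns its own key.)
    getPublicKey: function (id, cb) {
      cb(null, pair.public)
    },
    //demand that the date on the request is within
    //5 minutes of current time (joyent's recommendation, the default)
    maxSkew: 300*1000
  }
)).listen(8080)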

Then, post a request to it. signed-http will set sensible, secure defaults on the request (including signing the body hash, as described above).

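var sr = require('signed-http')

//same key pair as the server in this demo; a real client signs with its own
//private key and the server looks up the matching public key by id.
var pair = sr.loadOrGenerateSync('/tmp/testkeys', {silent: false})

//sr.request(pair, opts, cb): signs and sends the request.
//Buffer.from replaces the deprecated `new Buffer(...)` constructor.
sr.request(pair, {
  url: 'http://localhost:8080/',
  body: Buffer.from('hello there!')
}, function (err, res, body) {
  //received response...
  //on error `res` is not available, so fail loudly instead of reading it.
  if (err) throw err
  console.log(res.statusCode, body)
})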

MIT