

Use Joyent's http-signature protocol


Use Joyent's HTTP signature scheme for HTTP auth.

See http-signature and the http-signature spec.

Provides an HTTP middleware and a few small helpers. By default, signed-http signs the hash of the body, for maximum security.

signed-http also checks for replayed and out-of-date requests. (Note: a replay is possible after a server restart if the replayed request is recent.)

I strongly recommend that all http routes are idempotent.
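
The checks described above (signed body hash, date skew, replay detection) as an added example that is not signed-http's own code. The signing-string layout and the names `createVerifier`, `sign` and `demo` are assumptions made for illustration; the key pair and clock are constructed. It also shows why a restart reopens the replay window: the cache of seen signatures lives only in memory.

```javascript
const crypto = require('crypto')
const MAX_SKEW = 300 * 1000 // 5 minutes, the maxSkew default
// Constructed key pair for the demo; a server would look the key up by id.
const pair = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 })

// Simplified signing string (assumption): the date plus a hash of the body.
function signingString (date, body) {
  const digest = crypto.createHash('sha256').update(body).digest('base64')
  return 'date: ' + date + '\ndigest: SHA-256=' + digest
}

function sign (privateKey, date, body) {
  const data = Buffer.from(signingString(date, body))
  return crypto.sign('sha256', data, privateKey).toString('base64')
}

// Returns a verify(req, now) function with its own in-memory replay cache.
function createVerifier (publicKey) {
  const seen = new Map() // signature -> time after which it is stale anyway
  return function verify (req, now) {
    const sent = Date.parse(req.date)
    if (isNaN(sent) || Math.abs(now - sent) > MAX_SKEW) return 'stale'
    const data = Buffer.from(signingString(req.date, req.body))
    const sig = Buffer.from(req.signature, 'base64')
    if (!crypto.verify('sha256', data, publicKey, sig)) return 'bad-signature'
    for (const [s, expiry] of seen) if (expiry < now) seen.delete(s)
    if (seen.has(req.signature)) return 'replay'
    seen.set(req.signature, sent + MAX_SKEW)
    return 'ok'
  }
}

function demo () {
  const now = Date.parse('2020-01-01T00:00:00Z') // constructed clock
  const date = new Date(now).toUTCString()
  const body = Buffer.from('hello there!')
  const req = { date, body, signature: sign(pair.privateKey, date, body) }
  let verify = createVerifier(pair.publicKey)
  const results = {
    first: verify(req, now),
    replayed: verify(req, now + 1000),
    tampered: verify({ ...req, body: Buffer.from('hello there?') }, now),
    late: verify(req, now + MAX_SKEW + 1000)
  }
  verify = createVerifier(pair.publicKey) // simulated restart: empty cache
  results.afterRestart = verify(req, now + 1000)
  return results
}

console.log(demo())
```

The `afterRestart` result is the case the note above warns about: the same signed request is accepted again because it is still inside the skew window and the new process has no record of it.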

create a server

var http = require('http')
var sr = require('signed-http')
//get a key pair 
//this will block the process for a few seconds. 
var pair = sr.loadOrGenerateSync ('/tmp/testkeys', {silent: false})
  function (req, res) {
    //this only gets called if the request was successfully signed. 
    //it is still your job to decide whether that user may access that resource! 
    getPublicKey: function (id, cb) {
      //must provide a function to retrieve a public key! 
      cb(null, pair.public)
    //demand that the date on the request is within 
    //5 minutes of current time (joyent's recommendation, the default) 
    maxSkew: 300*1000

Then, post a request to it. signed-http will set sensible defaults on the request for maximum security.

var pair = sr.loadOrGenerateSync ('/tmp/testkeys', {silent: false})
  url: 'http://localhost:8080/',
  body: Buffer.from('hello there!')
}, function (err, res, body) {
  //received response... 
  console.log(res.statusCode, body)