Use Joyent's http-signature protocol
Use Joyent's HTTP signature scheme for HTTP auth.
Provides an HTTP middleware and a few small helpers.
signed-http will sign the hash of the body by default,
for maximum security.
signed-http also checks for replayed and out-of-date requests
(note: a replay is possible after a server restart, if the replayed request is recent).
I strongly recommend that all HTTP routes are idempotent.
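An added sketch (not signed-http's own code) of the two checks described above: a date-skew window plus an in-memory cache of signatures already seen. The names `createReplayGuard` and `check` are hypothetical and the sample request is constructed; the run shows why a restart re-opens the replay window for recent requests.

```js
// Added example: minimal in-memory replay guard (hypothetical names,
// not signed-http's internals).
const MAX_SKEW = 300 * 1000 // 5 minutes, the default maxSkew on this page

function createReplayGuard (maxSkew = MAX_SKEW) {
  const seen = new Map() // signature -> request date (ms)

  return function check (signature, dateHeader, now = Date.now()) {
    const date = Date.parse(dateHeader)
    if (Number.isNaN(date)) return 'bad-date'
    // Out-of-date (or future-dated) requests are refused outright.
    if (Math.abs(now - date) > maxSkew) return 'stale'
    // Forget entries the skew check alone would now reject,
    // so the cache stays bounded.
    for (const [sig, t] of seen) {
      if (Math.abs(now - t) > maxSkew) seen.delete(sig)
    }
    if (seen.has(signature)) return 'replay'
    seen.set(signature, date)
    return 'ok'
  }
}

// Constructed sample request: an opaque signature value and its Date header.
const T0 = Date.parse('2024-01-01T12:00:00Z')
const sample = { signature: 'c2FtcGxlLXNpZw==', date: new Date(T0).toUTCString() }

function demo () {
  const results = []
  let check = createReplayGuard()
  results.push(check(sample.signature, sample.date, T0 + 1000)) // first delivery
  results.push(check(sample.signature, sample.date, T0 + 2000)) // replayed
  check = createReplayGuard() // server restart: cache is lost
  results.push(check(sample.signature, sample.date, T0 + 60000)) // replay inside window
  check = createReplayGuard() // another restart
  results.push(check(sample.signature, sample.date, T0 + MAX_SKEW + 1)) // window closed
  return results
}

console.log(demo()) // [ 'ok', 'replay', 'ok', 'stale' ]
```

The third result is the case the note above warns about: the request is still inside the skew window, so only an idempotent route makes the repeat harmless.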
create a server
```js
var http = require('http')
var sr = require('signed-http')

//get a key pair
//this will block the process for a few seconds.
var pair = sr.loadOrGenerateSync('/tmp/testkeys', {silent: false})

http.createServer(sr(function (req, res) {
  //this only gets called if the request was successfully signed.
  //it is still your job to decide whether that user may access that resource!
  res.end('ok')
}, function (keyId, cb) {
  //must provide a function to retrieve a public key!
  cb(null, pair.public)
}, {
  //demand that the date on the request is within
  //5 minutes of current time (joyent's recommendation, the default)
  maxSkew: 300*1000
})).listen(8080)
```
Then, post a request to it.
signed-http will set sensible defaults on the
request for maximum security.
```js
var sr = require('signed-http')

var pair = sr.loadOrGenerateSync('/tmp/testkeys', {silent: false})

sr.request(pair, {
  url: '',
  body: 'hello there!'
}, function (err, req, body) {
  //received response...
  console.log(req.statusCode, body)
})
```