[hmac-auth] handle X-Date header for browsers

[radioverve]

We are trying to write a Single Page browser app which authenticates with Kong using the HMAC signature. The problem is xmlHttpRequest on the browser does not allow setDate header (security issue). To get around this, it probably makes sense for the plugin to handle the X-Date header instead which can be set across different platforms.

[shashiranjan84]

@radioverve date header is only required for skew purpose, you can use other headers to create hmac signature. So assuming browser itself sets the date header, it should not be a problem

[neeharv]

@shashiranjan84 just tested this out on Chrome and FF, the browser does not add a date header. This breaks HMAC auth, as expected. Any thoughts as to how we can get around this?

[shashiranjan84]

@radioverve @neeharv yes chrome terminates XHR if date is included. I'll update the plugin to check x-kong-date or date header for date value. wait for ETA

Update: working on patch, expect version 0.5.2 soon

[thibaultcha]

Maybe X-Date as suggested by @neeharv is better.

[shashiranjan84]

@thibaultcha sure, that sounds more transparent.

[thibaultcha]

Merged, a patch version of Kong is incoming.