[hmac-auth] handle X-Date header for browsers #641

Closed
radioverve opened this issue Oct 19, 2015 · 6 comments
Labels
task/feature Requests for new features in Kong

Comments

@radioverve

We are trying to write a Single Page browser app which authenticates with Kong using the HMAC signature. The problem is that XMLHttpRequest in the browser does not allow setting the Date header (security issue). To get around this, it probably makes sense for the plugin to handle the X-Date header instead, which can be set across different platforms.

@thibaultcha changed the title from "Kong HMAC Plugin" to "[hmac-auth] handle X-Date header for browsers" on Oct 19, 2015

@shashiranjan84
Contributor

@radioverve the date header is only required for skew purposes; you can use other headers to create the HMAC signature. So assuming the browser itself sets the date header, it should not be a problem.

@neeharv

neeharv commented Oct 19, 2015

@shashiranjan84 just tested this out on Chrome and FF, the browser does not add a date header. This breaks HMAC auth, as expected. Any thoughts as to how we can get around this?

@shashiranjan84
Contributor

@radioverve @neeharv yes, Chrome terminates the XHR if date is included. I'll update the plugin to check the x-kong-date or date header for the date value. Wait for ETA.

Update: working on patch, expect version 0.5.2 soon

@thibaultcha
Member

Maybe X-Date as suggested by @neeharv is better.

@shashiranjan84
Contributor

@thibaultcha sure, that sounds more transparent.

@thibaultcha
Member

Merged, a patch version of Kong is incoming.
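
Added example (not part of the thread and not Kong's plugin code): a Node.js verifier for the check discussed above, reading the timestamp from X-Date and falling back to Date before applying the skew test. The header precedence, the 300-second window, HMAC-SHA256, the signing-string layout and the rule that the timestamp header must be covered by the signature are all assumptions made for this illustration.

```javascript
const crypto = require('crypto');

const MAX_SKEW_MS = 300 * 1000; // assumed skew window, not taken from the thread

// Constructed sample request; header names are lowercase as Node's http module delivers them.
const SAMPLE = { host: 'api.example.test', 'x-date': 'Mon, 19 Oct 2015 12:00:00 GMT' };

// Prefer X-Date (a page script can set it), fall back to Date (non-browser clients).
function pickDateHeader(headers) {
  for (const name of ['x-date', 'date']) {
    if (typeof headers[name] === 'string') return { name, value: headers[name] };
  }
  return null;
}

// Assumed signing string: "name: value" lines in the order the client lists them.
function sign(secret, headers, names) {
  const text = names.map((n) => `${n}: ${headers[n]}`).join('\n');
  return crypto.createHmac('sha256', secret).update(text).digest('base64');
}

// Returns 'ok' or the reason the request is rejected.
function verify(secret, headers, names, signature, nowMs) {
  const date = pickDateHeader(headers);
  if (!date) return 'missing date';
  const ts = Date.parse(date.value);
  if (Number.isNaN(ts)) return 'bad date';
  if (Math.abs(nowMs - ts) > MAX_SKEW_MS) return 'skew';
  // Assumed policy: the timestamp must be signed, otherwise a captured
  // request could be replayed with a fresh X-Date.
  if (!names.includes(date.name)) return 'date not signed';
  if (names.some((n) => typeof headers[n] !== 'string')) return 'missing signed header';
  const expected = Buffer.from(sign(secret, headers, names));
  const given = Buffer.from(String(signature));
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    return 'bad signature';
  }
  return 'ok';
}
```

A browser client would set `X-Date` with `xhr.setRequestHeader` and list `x-date` among the signed header names; a non-browser client can keep signing `date`.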
