HMAC Plugin #549

Merged
merged 1 commit into from
Sep 18, 2015
Conversation

shashiranjan84
Contributor

HMAC Plugin

clock skew check
return username, signature, algorithm
end

local function validate_signature(request, secret, signature, algorithm, defaultClockSkew)
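
Review bot: in `validate_signature(request, secret, signature, algorithm, defaultClockSkew)`, the `algorithm` value returned by the parser just above arrives alongside the client-supplied `signature`; if the function verifies with one fixed digest, either drop the parameter or fail the request when `algorithm` names anything else, so an unsupported value is rejected instead of ignored. The `defaultClockSkew` parameter also needs a comment stating its unit and whether it is a fallback or the effective limit.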

Doesn't look like we're using the `algorithm` variable in this function. Should it be used in the `-- validate signature` section or can it be removed as an argument?

Contributor Author

@harlow For now only sha1 would be supported, and that would be mentioned in the manual. Here the argument is an optional field, and any value passed by the user will be discarded.

Makes sense 👍

shashiranjan84 added a commit that referenced this pull request Sep 18, 2015
@shashiranjan84 shashiranjan84 merged commit 4f8f701 into Kong:master Sep 18, 2015

function _M.execute(conf)
-- If both headers are missing, return 401
if not (ngx.req.get_headers()[AUTHORIZATION] or ngx.req.get_headers()[PROXY_AUTHORIZATION]) then
Member

You are calling `ngx.req.get_headers()` twice (and once in `validate_signature` and another time in `retrieve_hmac_fields`). This is an expensive operation and the result should be cached.

Also, you have `local ngx_set_header = ngx.req.set_header` but not the equivalent for `get_headers()`.

Contributor Author

Sorry, missed it, updating it.


4 participants