http-signature authorization is impossible via ajax request #4
Comments
|
Hi, Sorry for the lag, but carrying over from the restify board, I will make an amendment to the spec and client library next week that allows an |
|
No problem at all. My thinking was also that if x-date was set, Date would be ignored (exactly as the amazon rest authentication does with the x-amz-date header. Seems like we're on the same page. You're updating both the client library and the parser? I could throw something together and make a pull request too if you'd like. |
|
Yes, I was going to update the parser and construction libraries. I was On Fri, Sep 7, 2012 at 2:15 PM, geebee notifications@github.com wrote:
|
|
Issued a pull request with my solution (#6). The idea was to allow This was accomplished by checking for the existence of the In this way, no additional changes are required to the parsing library, and the requirements of enforcing the same clock skew as normal, and having If you like the PR I sent, once merged, I'll close the issue. If you'd prefer another solution, just let me know. |
|
I haven't looked at the code yet, but I saw your comment, and yes, I agree What I think we probably want is the client to always send what it needs to Thoughts? On Sat, Sep 8, 2012 at 8:48 AM, geebee notifications@github.com wrote:
|
|
So, currently the PR just does an if in the few places where it used to specifically say date that says if x-date is present, ignore date (as opposed to 'overloading' date with the value of x-date). This makes the client reasonable again in that:
I really like the idea of expanding it to be a logical OR, but that is certainly a larger scope than this original bug. I think based on the fact that this whole standard is designed to be flexible, allowing slightly more complicated logical 'required header' definitions would be useful. I'd be happy to take a stab at something, although if you do get a chance to take a look at this interim solution until one of us has time to make the larger change, I think it's probably still worth it. |
|
Yeah that sounds right. I looked at the code, simple enough. I'll take it and put the more sophisticated thing on the backburner for now. |
|
Apologies for the delay, thanks for accepting, figured simpler was better for now. Thanks a lot for your time! |
Hello There,
I am using restify to implement an API layer. The client portion of the code that will consume this API is written in javascript as well (mostly), although not using node.
I am attempting to work through an implementation of Joyent's "HTTP Signature" Authorization header (and if this issue belongs there, my apologies, and please just let me know) and am unable to have restify succeed in parsing the authorization header without the Date header being present as well. I know from reading the docs, that the Date header is pretty much the only thing you actually need, so here comes my problem...
You cannot send a date header in an XMLHttpRequest from the client side (ie: in the browser)... Chrome says "Refused to set unsafe header 'Date'", and any attempts at working around this (for example by still including a UTC date format string that is sha-256 hashed and base64 encoded results in the following exception being returned as a response by restify:
{"code":"InvalidHeader","message":"Authorization header invalid: date was not in the request"}
My further research (http://www.w3.org/TR/XMLHttpRequest2/#the-setrequestheader-method) indicates that you cannot in fact expect to be able to set the Date header via an XMLHttpRequest.
With that said, my request would be to remove the limitation on requiring a date header, or provide some other sort of work around.
Thanks very much for your time
** Migrated from: restify/node-restify#204 **
The text was updated successfully, but these errors were encountered: