Security Vulnerability in Payload Verification

[chrisdlangton]

The incoming (client supplied) hash of the payload is being trusted by the server and not verified before the signature is calculated.

See:

PyHawk/hawk/hcrypto.py

Line 65 in 142d6cb

options['hash']])

This vulnerability has persisted to hawkauthlib and reported, but is not present in mohawk as it has added robust payload verification

This mozilla/PyHawk repository is no longer maintained so this Security Vulnerability will not be addressed.

Use the mohawk repository if you are looking for a python implementation of Hawk Authentication.
Alternatively hawkauthlib may have merged my PR which addresses this vulnerability by the time you have read this.