Update MAC to draft 05

Author: singpolyma

lib/oauth2/mac_token.rb

@@ -29,6 +29,8 @@ def self.from_access_token(token, secret, options = {})
     # @option opts [FixNum, String] :algorithm (hmac-sha-256) the algorithm to use for the HMAC digest (one of 'hmac-sha-256', 'hmac-sha-1')
     def initialize(client, token, secret, opts = {})
       @secret = secret
+      @seq_nr = SecureRandom.random_number(2 ** 64 - 1)
+      @kid = opts.delete(:kid) || strict_encode64(Digest::SHA1.digest(token))
       self.algorithm = opts.delete(:algorithm) || 'hmac-sha-256'
 
       super(client, token, opts)
@@ -59,33 +61,30 @@ def headers
     # @param [Symbol] verb the HTTP request method
     # @param [String] url the HTTP URL path of the request
     def header(verb, url)
-      timestamp = Time.now.utc.to_i
-      nonce = Digest::MD5.hexdigest([timestamp, SecureRandom.hex].join(':'))
+      timestamp = (Time.now.to_f * 1000).floor
+      @seq_nr = (@seq_nr + 1) % (2 ** 64 - 1)
 
-      uri = URI.parse(url)
+      uri = URI(url)
 
       fail(ArgumentError, "could not parse \"#{url}\" into URI") unless uri.is_a?(URI::HTTP)
 
-      mac = signature(timestamp, nonce, verb, uri)
+      mac = signature(timestamp, @seq_nr, verb, uri)
 
-      "MAC id=\"#{token}\", ts=\"#{timestamp}\", nonce=\"#{nonce}\", mac=\"#{mac}\""
+      "MAC kid=\"#{@kid}\", ts=\"#{timestamp}\", seq-nr=\"#{@seq_nr}\", mac=\"#{mac}\""
     end
 
     # Generate the Base64-encoded HMAC digest signature
     #
-    # @param [Fixnum] timestamp the timestamp of the request in seconds since epoch
-    # @param [String] nonce the MAC header nonce
+    # @param [Fixnum] timestamp the timestamp of the request in milliseconds since epoch
+    # @param [Fixnum] seq_nr the MAC header sequence number
     # @param [Symbol] verb the HTTP request method
     # @param [String] url the HTTP URL path of the request
-    def signature(timestamp, nonce, verb, uri)
+    def signature(timestamp, seq_nr, verb, uri)
       signature = [
+        "#{verb.to_s.upcase} #{uri.request_uri} HTTP/1.1",
         timestamp,
-        nonce,
-        verb.to_s.upcase,
-        uri.request_uri,
-        uri.host,
-        uri.port,
-        '', nil
+        seq_nr,
+        ''
       ].join("\n")
 
       strict_encode64(OpenSSL::HMAC.digest(@algorithm, secret, signature))

spec/oauth2/mac_token_spec.rb

@@ -1,6 +1,7 @@
 require 'helper'
 
 describe MACToken do
+  let(:kid) { 'this-token' }
   let(:token) { 'monkey' }
   let(:client) do
     Client.new('abc', 'def', :site => 'https://api.example.com') do |builder|
@@ -13,7 +14,7 @@
     end
   end
 
-  subject { MACToken.new(client, token, 'abc123') }
+  subject { MACToken.new(client, token, 'abc123', kid: kid) }
 
   describe '#initialize' do
     it 'assigns client and token' do
@@ -46,8 +47,8 @@
 
   describe '#request' do
     VERBS.each do |verb|
-      it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
-        expect(subject.post('/token/header').body).to include("MAC id=\"#{token}\"")
+      it "sends the kid in the Authorization header for a #{verb.to_s.upcase} request" do
+        expect(subject.post('/token/header').body).to include("MAC kid=\"#{kid}\"")
       end
     end
   end
@@ -62,22 +63,22 @@
 
     it 'generates the proper format' do
       header = subject.header('get', 'https://www.example.com/hello?a=1')
-      expect(header).to match(/MAC id="#{token}", ts="[0-9]+", nonce="[^"]+", mac="[^"]+"/)
+      expect(header).to match(/MAC kid="#{kid}", ts="[0-9]+", seq-nr="[0-9]+", mac="[^"]+"/)
     end
 
     it 'passes ArgumentError with an invalid url' do
       expect { subject.header('get', 'this-is-not-valid') }.to raise_error(ArgumentError)
     end
 
     it 'passes URI::InvalidURIError through' do
-      expect { subject.header('get', nil) }.to raise_error(URI::InvalidURIError)
+      expect { subject.header('get', '\\') }.to raise_error(URI::InvalidURIError)
     end
   end
 
   describe '#signature' do
     it 'generates properly' do
-      signature = subject.signature(0, 'random-string', 'get', URI('https://www.google.com'))
-      expect(signature).to eq('rMDjVA3VJj3v1OmxM29QQljKia6msl5rjN83x3bZmi8=')
+      signature = subject.signature(0, 'random-string', 'get', URI('https://www.google.com/hai?this=1'))
+      expect(signature).to eq('13wqHvYkM7uDKpT9Yc8HnDLxa+4yjv2G1qV1kkqpbdc=')
     end
   end