1. 16 Feb, 2021 1 commit
  2. 11 Jan, 2021 1 commit
  3. 24 Nov, 2020 1 commit
  4. 10 Nov, 2020 1 commit
  5. 07 Oct, 2020 2 commits
  6. 24 Sep, 2020 3 commits
  7. 23 Sep, 2020 3 commits
  8. 21 Sep, 2020 1 commit
  9. 17 Sep, 2020 1 commit
  10. 07 Aug, 2020 10 commits
  11. 15 Nov, 2019 1 commit
  12. 27 Sep, 2019 2 commits
  13. 25 Jun, 2019 1 commit
    • Support alternative to Date header · f90a9c36135c
      Laurent Wouters authored
      The current protocol for signed requests requires the use of the Date HTTP
      header. Although this works fine for clients that have full control over the
      HTTP headers they send, it does not work in the context of a web browser, where
      the Date HTTP header is forbidden from being set programmatically (and therefore
      from being used in any meaningful way):
      https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name

      In general, this change enables the specification of a prioritized list of
      alternatives for headers. In particular, for the Date header, this change
      specifies the list ['X-Cubicweb-Date', 'Date'] as an alternative to the Date
      header, meaning that when looking for the Date header, one should first look
      at the X-Cubicweb-Date header and then, if it is not present, at the Date header.
      Doing so, it should be possible to emit signed requests from the context of a
      browser by specifying an X-Cubicweb-Date header, overriding the Date header that
      the browser may or may not set by itself.
  14. 06 Mar, 2019 1 commit
  15. 05 Mar, 2019 2 commits
  16. 21 Dec, 2018 2 commits
  17. 18 Dec, 2018 2 commits
  18. 14 Dec, 2018 2 commits
    • Allow requests in the past during 300 seconds · 45e266e4c652
      Philippe Pepiot authored
      We already allow requests in the future for 300 seconds, why not in the past too?
      This avoids an AuthenticationError() when the client lives in the past for a few seconds.

      Requests can now be replayed for 5 minutes in case of MITM, but this is
      already the case when the client lives in the future or the server in the past.

      In this particular case I think it's ok to trade a bit of security against a
      lot of reliability.
    • Log authentication failures with logging.ERROR · 9d4d7b1beff0
      Philippe Pepiot authored
      Date issues can occur, and we want to log them.
      We usually send logs >= ERROR to Sentry, so using logging.error() here allows
      such errors to be sent to Sentry.
  19. 11 Jun, 2018 2 commits
  20. 01 Jun, 2018 1 commit
    • [py3] Encode strings for hmac.new() · 0d69b46316bb
      Denis Laxalde authored
      This is symmetrical to changeset 84943f333ac0 about tests.

      On the one hand, we encode the result of tools.build_string_to_sign(),
      which will be passed down to tools.authenticate_user() (where the hmac.new
      call happens); we document in authenticate_user that the expected value of
      "signed_content" should be bytes. On the other hand, we encode the
      "secret_key" value, which is retrieved from the database (as a unicode
      string), before passing it to hmac.new as well.

      According to its test suite, cubicweb-signedrequest is now
      Python3-compatible.
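Taken together, the commit messages above (the prioritized Date-header lookup, the 300-second window in both directions, and the bytes-only hmac.new() inputs) describe one verification flow. The following is an added illustration in Python and not cubicweb-signedrequest's own code: the function names, the string-to-sign layout and the use of SHA-512 are assumptions, and the request headers are constructed.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
# Assumed names and a simplified string-to-sign; not cubicweb-signedrequest's own code.
DATE_HEADER_ALTERNATIVES = ["X-Cubicweb-Date", "Date"]  # first present header wins
MAX_SKEW = timedelta(seconds=300)  # accepted in both directions, past and future

def get_header(headers, alternatives=DATE_HEADER_ALTERNATIVES):  # case-insensitive lookup
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in alternatives:
        if name.lower() in lowered:
            return lowered[name.lower()]
    return None

def date_within_window(date_value, now, max_skew=MAX_SKEW):
    """True when the HTTP date parses and lies within max_skew of now, either way."""
    try:
        sent = parsedate_to_datetime(date_value)
    except (TypeError, ValueError):  # unparsable date counts as outside the window
        return False
    sent = sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)  # '-0000' parses naive
    return abs(now - sent) <= max_skew

def sign(secret_key, string_to_sign):  # HMAC over bytes: both inputs encoded first (py3 fix)
    return hmac.new(secret_key.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha512).hexdigest()

def verify_request(headers, method, path, secret_key, signature, now):
    """Check the date window first, then compare the signature in constant time."""
    date_value = get_header(headers)
    if date_value is None:
        return False, "missing date header"
    if not date_within_window(date_value, now):
        return False, "date outside window"  # the failure worth logging at ERROR
    expected = sign(secret_key, "\n".join([method, path, date_value]))  # assumed layout
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"

def demo(secret_key="s3cret"):
    """Constructed requests checked against a fixed clock; returns each verdict."""
    now = datetime(2021, 2, 16, 12, 0, tzinfo=timezone.utc)
    http_date = lambda dt: format_datetime(dt, usegmt=True)
    # browser case: X-Cubicweb-Date (299 s old, accepted) takes priority over a stale Date header
    browser = {"X-Cubicweb-Date": http_date(now - timedelta(seconds=299)), "Date": http_date(now - timedelta(hours=1))}
    stale = {"Date": http_date(now - timedelta(seconds=301))}  # one second past the window
    def run(h, path="/data"):
        sig = sign(secret_key, "\n".join(["GET", path, get_header(h)]))
        return verify_request(h, "GET", "/data", secret_key, sig, now)
    return {"browser": run(browser), "stale": run(stale), "tampered": run(browser, "/other")}
```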