Copyright	(c) 2015 Christopher Reichert
License	BSD3
Maintainer	Christopher Reichert <creichert07@gmail.com>
Stability	experimental
Portability	POSIX
Safe Haskell	None
Language	Haskell2010

Network.Wai.Middleware.HmacAuth

Contents

Middleware functionality
Crypto
- Supported Hashing Algorithms
Hmac and Middleware Configuration

Description

Synopsis

Middleware functionality

hmacAuth :: forall alg. HashAlgorithm alg => LookupSecret IO -> HmacAuthSettings alg -> Middleware Source

Perform Hmac authentication.

Uses a lookup function to retrieve the secret used to sign the incoming request.

let lookupSecret key = case key of
                         "client" -> Just (Secret "secretkey")
                         _        -> Nothing
     authware = hmacAuth lookupSecret defaultHmacAuth
Warp.run (read port) $ authware $ app

Crypto

signRequest :: forall m alg. (MonadIO m, HashAlgorithm alg) => HmacAuthSettings alg -> Secret -> Request -> m Request Source

Sign a request using HMAC

signature = base64( hmac-sha1 (key, utf8( stringtosign ) ) )

TODO hash contents throught MonadState using a type to make sure all the components are there or err.

Supported Hashing Algorithms

class HashAlgorithm a

Class representing hashing algorithms.

The hash algorithm is built over 3 primitives:

init : create a new hashing context
updates : update the hashing context with some strict bytestrings and return the new context
finalize : finalize the context into a digest

Minimal complete definition

hashBlockSize, hashInit, hashUpdates, hashFinalize, digestFromByteString

data SHA512 :: *

SHA512 cryptographic hash

Instances

Show SHA512
HashAlgorithm SHA512

data SHA256 :: *

SHA256 cryptographic hash

Instances

Show SHA256
HashAlgorithm SHA256

data SHA1 :: *

SHA1 cryptographic hash

Instances

Show SHA1
HashAlgorithm SHA1

data MD5 :: *

MD5 cryptographic hash

Instances

Show MD5
HashAlgorithm MD5

Hmac and Middleware Configuration

data HmacAuthSettings alg Source

Various settings for HMAC authentication

Constructors

HmacAuthSettings

Fields

authKeyHeader :: !(CI ByteString)

Name of the header which carries the auth key

authTimestampHeader :: !(CI ByteString)

Name of the HTTP Header which carries the timestamp

authIsProtected :: !(Request -> IO Bool)

Determines whether the request needs authentication

authOnNoAuth :: !(HmacAuthException -> Application)

Function to run when authentication is unsuccessful

authAlgorithm :: alg

HMAC signing algorithm

MD5, SHA1, SHA256, and SHA512 supported

authRealm :: !ByteString

Realm provider.

authSpec :: !HmacStrategy

Use Header or Query spec.

Query spec is useful for sharing encoded URLs

authDebug :: !Bool

Print debug output

data HmacStrategy Source

Hmac requests can be accepted through GET params or Http headers.

Constructors

Header

Look for auth info in HTTP Headers

Instances

Show HmacStrategy

defaultHmacAuthSettings :: HmacAuthSettings SHA512 Source

Default HMAC authentication settings

Uses SHA512 as default signing algorithm

authOnNoAuth responds with: WWW-Authenticate: Realm="" HMAC-MD5;HMAC-SHA1;HMAC-SHA256;HMAC-SHA512" [...] Provide valid credentials

newtype Secret Source

HMAC Secret Key

Constructors

Secret ByteString

Instances

Eq Secret
Show Secret

newtype Key Source

HMAC Public Key

Constructors

Key ByteString

Instances

Eq Key
Show Key

HashAlgorithm MD2
HashAlgorithm MD4
HashAlgorithm MD5
HashAlgorithm SHA1
HashAlgorithm SHA224
HashAlgorithm SHA256
HashAlgorithm SHA384
HashAlgorithm SHA512
HashAlgorithm RIPEMD160
HashAlgorithm Whirlpool
HashAlgorithm Tiger
HashAlgorithm SHA3_224
HashAlgorithm SHA3_256
HashAlgorithm SHA3_384
HashAlgorithm SHA3_512
HashAlgorithm Skein256_224
HashAlgorithm Skein256_256
HashAlgorithm Skein512_224
HashAlgorithm Skein512_256
HashAlgorithm Skein512_384
HashAlgorithm Skein512_512