php - Using HMAC with Web App and API -

-

i have been trying implement system of authorisation api able work web app. have looked @ 3 legged oauth signature verification, not interested in oauth. method testing out can found here. uses hmac authorize sign request similar amazon signature. have cobbled working example here. nothing fancy. proof of concept.

client side uses cryptojs , jquery

     //dummy credentials     var username = 'username';     var password = 'password';      //first create key , store in memory duration of app     var key = cryptojs.sha512(username + "." + password).tostring();     var url = "http://127.0.0.1/whisppa/api";      //setup parameters sent server     var params =      {         "user" : username,         "requested_url" : cryptojs.md5(url).tostring(),//hash url make shorter         "signature_version" : "1.0",         "time" : 0     }      //get parameters , sort them     var props = [];     for(var prop in params)     {         props.push(prop);     }     props.sort();      //concatenate parameters parameter string , set time value     var param_string = "";     for(var prop in props)     {         prop = props[prop];         if(prop == "time")         {             params.time = math.round(new date() / 1000);         }          param_string += prop + "=" + params[prop] + "&";      }     param_string = param_string.substring(0, param_string.length - 1);      //generate hmac of request set in header     var hmac = cryptojs.hmacsha512(param_string, key).tostring();      //make request     $.ajax({         type:"get",         beforesend: function (request)         {             request.setrequestheader("auth-key", hmac);         },         url: url,         data: "params=" + escape(json.stringify(params)),         processdata: false,         success: function(msg) {             $('body').html(msg);         }     });

using slim php framework , php 5.4 server.

                //define time before app starts     define('time', round(microtime(true)));      $headers = getallheaders();      //just make few checks here ensure necessary params set     if(!isset($_get['params']) || !isset($headers['auth-key']))     {         $app->halt(400);     }     //get parameters string     $params = json_decode($_get['params']);      //make more checks important parameters     if(!isset($params->time) || !isset($params->user))     {         $app->halt(400);     }      //get parameters , sort them     $properties = get_object_vars($params);     ksort($properties);      //concatenate parameters parameter string     $param_string = '';     foreach($properties $prop => $value)     {         $param_string .= $prop . '=' . $value . '&';      }     $param_string = substr($param_string, 0, strlen($param_string) - 1);      //in reality, fetch user database     $password = 'password';      //create hash , generate hmac     $key = hash('sha512', $params->user . '.' . $password);     $auth_key = hash_hmac('sha512', $param_string, $key);      //verify request     if($auth_key == $headers['auth-key'])     {         $app->halt(401);     }      //verify time     if(time - $params->time > 60)     {         $app->halt(408);     }       //todo: verify requested url matches current url

obviously, there problems this. can see

  1. how store user data server side. can't store plaintext password, can't store password hashed , storing user's key asking trouble. can't seem around issue.

  2. is possible store key client side while app running in memory such can't gotten at? obviously, using tool firebug or webdev tools come chrome , firefox, can @ it. possible nest in code or in anonymous function such that, unable @ easily. not worried though since own app running.

  3. what appropriate timeout apply request?

  4. are there glaring holes can't see? maybe due inattention blindness.

thanks.

edit

as said, proof, forgot add request method/verb added hash well.

this answer seems hold answer password storage, not clear how use api keys/share secret.

edit 2

another issue see here allowing users enter passwords on other consumers applications. solution use sort of api keys or shared secret, ideas on this?

reading article javascript cryptography considered harmful, ive decided use ssl. api use access keys , nonces.


Comments

Post a Comment

Popular posts from this blog

Unable to remove the www from url on https using .htaccess -

-
i want remove www site url. ie. https://www.domainname.com.au https://domainname.com.au . i have tried various .htacces code nothing work me. here present code remove www http not work https. rewriteengine on rewritebase / rewritecond %{http_host} ^www\.(.*)$ [nc] rewriterule ^/(.*)$ http://%1/$1 [r=301,l] rewritecond %{https} off rewriterule ^(.*)$ https://domainname.com.au/$1 [r=301,l] rewriterule ^code-of-conducts/(.*)/$ code-of-conducts.php?type=$1 rewriterule ^parents/post-a-job/(.*)/edit/$ parents/post-a-job.php?action=edit&id=$1 rewriterule ^parents/post-a-job/(.*)/$ parents/post-a-job.php?job_type=$1 rewriterule ^parents/open-jobs/(.*)/delete/$ parents/open-jobs.php?action=delete&id=$1 rewriterule ^parent-profile/(.*)/$ parent-profile.php?id=$1 rewriterule ^parents/job-details/(.*)$ parents/job-details.php?applied_id=$1 rewriterule ^sitterprofile/(.*)/$ sitterprofile.php?id=$1 rewriterule ^sitter/job-board/state/(.*)/page/(.*)/$ sitter/job-board.ph...
Read more