Refactor Authorization Handling with HTTP Request-Level HMAC

[JanisErdmanis]

Currently, there is an in-house implementation for authorised request handling. It is used during the registration procedure where prospective member clients authorise their identity pseudonyms with the received token using HMAC. Also, the HMAC authorisation allows external services to authorise the invitation of a new member, which is demonstrated with Recruiters.jl.

The problem with the current approach is that types of messages are hardcoded and thus introduce unnecessary complexity for maintaining the code. One of the bad places is with external server registration API, where each API parameter was included individually into an octet string for hashing. Also, it has obstructed method access in the mapper layer where authorisation is being done.

It has become clear that there is no reason not to embrace the authorisation at the HTTP request level. The mapper layer would maintain the list of tokens and keys, whereas the bouncing logic would be put in the service layer.

The most authoritative specification for HMAC-authorised requests comes from Microsoft for Azure REST API access. It specifies that the HTTP header should have the following form:

Host: {myconfig}.azconfig.io
Date: Fri, 11 May 2018 18:48:36 GMT
x-ms-content-sha256: {SHA256 hash of the request body}
Authorization: HMAC-SHA256 Credential={Access Key ID}&SignedHeaders=x-ms-date;host;x-ms-content-sha256&Signature={Signature}

Where the signature is done on HTTP_METHOD + '\n' + path_and_query + '\n' + signed_headers_values where signed header values are separated by a semicolon.

One of the shortcomings of the specification is that it only specifies how requests shall be signed but not replies. To overcome that, a method = REPLY could be appropriate to ensure the integrity of the reply and prevent it from being used in a replay attack for the server.

The steps for implementing this would be:

• [x] Get some test vectors from the JS code snippet signRequest method;
• [x] Implement a corresponding signRequest method in Julia;
• [x] Create a minimal example with HTTP bouncer in Julia and test that;
• [x] Reimplement client identity pseudonym registration;
• [x] Expose a new member registration API for external use.

[JanisErdmanis]

Published a proof of concept for hmac authorization on a gist. Still need to iron out details for integrating it with HTTP requests.

[JanisErdmanis]

Fixed with https://github.com/PeaceFounder/PeaceFounder.jl/commit/0440fffb9e9a29bd74cbe880251ff78d68ba7947