acquia / http-hmac-spec

An HMAC message format for securing RESTful web APIs.

Check for signature for responses with empty body #20

Closed itafroma closed 8 years ago

itafroma commented 8 years ago

Porting from acquia/http-hmac-go#16, the spec seems to indicate that X-Server-Authorization-HMAC-SHA256 should not be blank even if the response body is blank:

The response signature base string is a concatenated string generated from the following parts:

  • Nonce: The nonce that was sent in the Authorization header.
  • Timestamp: The timestamp that was sent in the X-Authorization-Timestamp header.
  • Body: The response body (or empty string).

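
The behaviour the issue asks for, as an added example in Go (the language of acquia/http-hmac-go, where this was first reported); this is illustration code written for this page, not code from the spec or either implementation. It assumes the three parts of the base string are joined with a newline, that the header carries the base64 of the raw HMAC-SHA256 digest, and that the shared secret is used as raw bytes; none of those details are stated in this thread. The client-side check treats a blank or missing X-Server-Authorization-HMAC-SHA256 header as a failure regardless of whether the body is empty, and compares digests in constant time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// ResponseSignatureBase builds the response signature base string from the
// nonce and timestamp echoed from the request plus the response body.
// Assumption (not stated in the issue): the parts are joined with "\n".
// The body is always included, even when it is the empty string, so an
// empty-body response still yields a non-empty base string to sign.
func ResponseSignatureBase(nonce, timestamp, body string) string {
	return strings.Join([]string{nonce, timestamp, body}, "\n")
}

// SignResponse returns the value for X-Server-Authorization-HMAC-SHA256:
// base64(HMAC-SHA256(secret, base)). Assumption: secret is used as raw bytes.
func SignResponse(secret []byte, nonce, timestamp, body string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(ResponseSignatureBase(nonce, timestamp, body)))
	return base64.StdEncoding.EncodeToString(mac.Sum(nil))
}

// VerifyResponse is the client-side check. A blank header is rejected
// unconditionally (the point of this issue: an empty body is not a reason to
// skip the signature); otherwise the digest is recomputed and compared with
// hmac.Equal so the comparison does not leak timing.
func VerifyResponse(secret []byte, nonce, timestamp, body, header string) error {
	if header == "" {
		return fmt.Errorf("missing X-Server-Authorization-HMAC-SHA256 header")
	}
	got, err := base64.StdEncoding.DecodeString(header)
	if err != nil {
		return fmt.Errorf("malformed signature header: %w", err)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(ResponseSignatureBase(nonce, timestamp, body)))
	if !hmac.Equal(got, mac.Sum(nil)) {
		return fmt.Errorf("response signature mismatch")
	}
	return nil
}

func main() {
	// Constructed sample values; not taken from any real exchange.
	secret := []byte("constructed-shared-secret")
	nonce := "d1954337-5319-4821-8427-115542e08d10"
	timestamp := "1432075982"

	// A response with an empty body (e.g. a DELETE returning nothing) is still signed.
	sig := SignResponse(secret, nonce, timestamp, "")
	fmt.Println("X-Server-Authorization-HMAC-SHA256:", sig)
	fmt.Println("blank header accepted?", VerifyResponse(secret, nonce, timestamp, "", "") == nil)
	fmt.Println("signed empty body accepted?", VerifyResponse(secret, nonce, timestamp, "", sig) == nil)
	// A body substituted in transit does not verify against the original signature.
	fmt.Println("tampered body accepted?", VerifyResponse(secret, nonce, timestamp, "{}", sig) == nil)
}
```

The check a client should make is the order of operations in VerifyResponse: decide whether the header is present before looking at the body, so an attacker who can strip the header cannot also talk the client into skipping verification by delivering an empty body.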
kevinhankens commented 8 years ago

+1

cpliakas commented 8 years ago

Thoughts on this @nickveenhof and @baliame?

baliame commented 8 years ago

Yeah, I always intended to have this. Responses supposedly have a body for all requests but HEAD, even if it is empty.

nickveenhof commented 8 years ago

Merging after a very long baking period!