awestruct / web-editor

A web based editor for awestruct projects

Add security #59

Closed LightGuard closed 11 years ago

LightGuard commented 11 years ago

Looks like everything will need to be secure, based on the people's GitHub authorizations.

LightGuard commented 11 years ago

Relates to #28

wesbos commented 11 years ago

Just from our talks, when we auth:

  1. Server sends client a hashed oauth token via a secure cookie
  2. When the client makes a request, two custom headers are sent:
    1. ISO timestamp yyyy-mm-dd HH:MM:ss Z
    2. sha512(hashed token from cookie + time) — Hashed clientside with jsSHA

LightGuard commented 11 years ago

Here's an example output from Date.toISOString(): "2001-02-02T21:05:06.000Z". Here's an output from the Ruby side, DateTime.parse("2001-02-02T21:05:06.000Z"): "2001-02-02T21:05:06+00:00".

Looks like if you take that string and do a new Date("2001-02-02T21:05:06+00:00").toISOString() in JavaScript it gives you back 2001-02-02T21:05:06.000Z. Not exactly the same, but it works as an interop. But since we're sending over the string anyway I doubt it matters much.

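The header scheme described above (ISO timestamp plus sha512 of the cookie's hashed token concatenated with that timestamp), worked through on the Ruby server side as an added example; this is not code from the web-editor project. The token value, the header names X-Timestamp and X-Signature, and the five-minute skew window are assumptions; the point it illustrates is the one LightGuard raises: the server must hash the timestamp string exactly as the client sent it, because re-serializing the same instant changes the digest.

```ruby
require 'digest'
require 'time'

# Constructed sample value; in the real app the hashed OAuth token is the
# value the server placed in the secure cookie at login.
HASHED_TOKEN = Digest::SHA512.hexdigest('constructed-oauth-token')
MAX_SKEW = 5 * 60 # assumed window (seconds) a request timestamp may differ from server time

# Client side, reproduced in Ruby: what jsSHA computes in the browser,
# sha512(hashed token from cookie + the exact ISO timestamp string sent).
def sign_request(hashed_token, iso_time)
  Digest::SHA512.hexdigest(hashed_token + iso_time)
end

# Constant-time string comparison so signature checking does not leak
# how many leading characters matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: recompute over the X-Timestamp header as received. Parsing it
# and re-formatting would turn "2001-02-02T21:05:06.000Z" into
# "2001-02-02T21:05:06+00:00" and the digest would no longer match. The
# timestamp is then parsed only to reject stale or future requests, which
# bounds how long a captured header pair stays valid.
def verify_request(hashed_token, iso_time, signature, now: Time.now.utc)
  return false unless secure_equal?(signature, sign_request(hashed_token, iso_time))
  sent_at = begin
    Time.iso8601(iso_time)
  rescue ArgumentError
    return false # not a parseable ISO 8601 timestamp
  end
  (now - sent_at).abs <= MAX_SKEW
end

if __FILE__ == $0
  iso = Time.now.utc.iso8601(3) # same shape as Date.toISOString()
  sig = sign_request(HASHED_TOKEN, iso)
  puts "X-Timestamp: #{iso}", "X-Signature: #{sig}"
  puts "verified: #{verify_request(HASHED_TOKEN, iso, sig)}"
end
```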

pmuir commented 11 years ago

Is this done?

wesbos commented 11 years ago

Yep