Use Authorization header rather than custom headers - Githubissues

haskell-mafia / zodiac

API request-signing utilities

BSD 3-Clause "New" or "Revised" License

2 stars 2 forks source link

Use Authorization header rather than custom headers #18

Closed olorin closed 8 years ago

olorin commented 8 years ago

For HTTP semantics reasons - requests with Authorization can't be cached et cetera. On top of #7 (diff).

Plus some other minor changes:

Need to sign the protocol designator as well as the hash algorithm (otherwise attacks on a weaker protocol version could proliferate to stronger protocol versions).
16 bytes is more than enough for a key ID, but 32 bytes is completely excessive.
Example of string for signing.

@markhibberd @erikd-ambiata @thumphries @charleso

erikd-ambiata commented 8 years ago

:zap: