Closed jnardone closed 8 years ago
Starting in 1.4 I can force the signing request to include the HTTP method, but there's no way for strict enforcement server-side. Which means the server is still vulnerable to this problem.
I should be able to pass a similar :with_http_method to .authentic? to not allow the old enforcement to be tried.
Since strict enforcement server-side is a backwards-incompatible change, my plan is to make this change where authentic? ONLY works with the new http_method, as well as make sign! always include the http_method, and release this as 2.0.
>= 1.4 clients will still be able to talk to 2.0 servers as long as they have :with_http_method => true, but I'd prefer to have it such that the same version client-side and server-side can't end up in a situation where they won't authenticate due to having different :with_http_method settings.
Does that make sense?
Sorry for the delay in making these changes for 2.0. I hope to get to them within the next few weeks, but I'd also happily accept a PR if someone else gets to it before I do.
I guess for new dev, not being able to reject the prior (insecure) behavior is kind of a :( Not imminently against a deadline yet, so will look forward to 2.0.
I just merged #101 into master. Would you like to test it out @jnardone?
v2.0.0 has now been released.
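The gap the thread describes, shown in runnable form. This is an added illustration written for this page, not api-auth's own code: a toy HMAC request signer whose canonical string either includes the HTTP method (the :with_http_method behaviour) or omits it (the legacy form), and a verifier that either falls back to the legacy form or, in strict mode, refuses it. The header names, canonical-string layout, SHA1 as the HMAC digest, the demo secret and the sample request are all assumptions made for the example.

```ruby
require 'openssl'
require 'base64'

# Added illustration, not api-auth's own code. Canonical-string layout,
# header names, SHA1 and the demo secret are assumptions for this example.
DEMO_SECRET = 'constructed-demo-secret'.freeze

# Canonical string over the request; the HTTP method is bound only on request.
def canonical_string(req, with_http_method:)
  parts = [req[:content_type], req[:content_md5], req[:path], req[:date]]
  parts.unshift(req[:method].upcase) if with_http_method
  parts.join(',')
end

def hmac_signature(secret, string)
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', secret, string))
end

# Constant-time comparison so the verifier does not leak the signature byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Client side: sign the request, binding the HTTP method only when asked to.
def sign!(req, secret, with_http_method: false)
  sig = hmac_signature(secret, canonical_string(req, with_http_method: with_http_method))
  req.merge(signature: sig)
end

# Server side. Lenient verification accepts the method-bound form but falls
# back to the legacy form, which is the hole the issue describes; strict
# verification accepts only a signature that covers the HTTP method.
def authentic?(req, secret, strict: false)
  forms = strict ? [true] : [true, false]
  forms.any? do |with_method|
    expected = hmac_signature(secret, canonical_string(req, with_http_method: with_method))
    secure_equal?(expected, req[:signature])
  end
end

# Constructed sample: a legacy-style client signs a harmless GET without the method.
LEGACY_GET = sign!({ method: 'GET', path: '/accounts/42',
                     date: 'Tue, 01 Jan 2019 00:00:00 GMT',
                     content_type: '', content_md5: '' },
                   DEMO_SECRET, with_http_method: false)

# An attacker who captured that request replays the same headers and signature
# with a different method; nothing in the legacy canonical string changes.
def method_swapped(req, new_method)
  req.merge(method: new_method)
end

def lenient_accepts_swap?
  authentic?(method_swapped(LEGACY_GET, 'DELETE'), DEMO_SECRET, strict: false)
end

def strict_accepts_swap?
  authentic?(method_swapped(LEGACY_GET, 'DELETE'), DEMO_SECRET, strict: true)
end

if __FILE__ == $PROGRAM_NAME
  puts "lenient server accepts DELETE replay: #{lenient_accepts_swap?}" # true
  puts "strict server accepts DELETE replay:  #{strict_accepts_swap?}"  # false
end
```

In lenient mode the legacy GET signature verifies the DELETE replay because the fallback canonical string never covered the method; in strict mode the same replay fails, and so does the unmodified legacy request, which is the client/server version mismatch the maintainer wants to avoid by making 2.0 always bind the method on both sides.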