Takes too long for large file uploads

[mbatista]

Hello,

I found a limitation when trying to make a large file upload with authentication. It takes waaaay to long for the request to get ready. Besides the problem of having to wait too long, this creates a problem with the nonce which is already too old when the request finally leaves the client. I would recomend for a param to select fields to use in the authentication process instead of always using the whole body. Does it make sense? I would really appreciate this fix.

Thanks!

Marcel

[almet]

This is actually part of the Hawk specification so it's not here that we should have this discussion I believe: Hawk says we should hash everything, including the Body (which actually makes sense to me, since we also want to hash it).

But (and I believe the question is here) if it takes too long we should try to find why it's taking this long. Do you have steps to reproduce this? (how large was your large file?)

[mbatista]

Hello there,

Thanks for the response. I believe you may be right (I am far from an expert), but if I am not mistaken, the body hash is optional (http://tools.ietf.org/html/draft-hammer-oauth-v2-mac-token-05#section-4) I am currently using node-hawk (https://github.com/hueniverse/hawk) for a nodejs project and I am able to authenticate with the server without adding the body to the hash. Either I am doing something really stupid or this is okay. Please let me know if you think I'm opening breeches.

And I was uploading a file with +150mb. It took a long time to leave the client side and get to the server side even locally.

Sincerely,

Marcel

[Natim]

I don't think you are opening breeches doing that because some headers are linked to that file and it will be really hard to forge a new request with a different body.

I would rather think that is can be problematic to hash a so big body.

[mbatista]

IMHO including the body in the hash should be optional, since it does not scale for file uploads. It makes the request more vulnerable, true, however it is the same vulnerability any other request that does not have a body present. What I mean is that the complexity of violating a POST request that does not hash the body is the same as that of violating any other GET request, since they don't have a body.

[Natim]

@mbatista Do you have any news about how you've fixed this problem? Do you feel like contributing the optional body hashing feature?

[kumar303]

Hawk does allow for optional content signing and file uploads is the main use case. To send requests with mohawk, you have to explicitly turn off content signing. The server must also be configured to allow unsigned content. I think it is the default in Node to allow unsigned content but if a server is using mohawk it will need to explicitly allow unsigned content.

When turning content signing off you still get signed headers so the security may be good enough. You also still have TLS to sign all content, of course.