vheon
commented
8 years ago I've added a little of doc too :)
@Valloric, @micbou, @puremourning, @oblitum
Closed vheon closed 8 years ago
vheon
commented
8 years ago I've added a little of doc too :)
@Valloric, @micbou, @puremourning, @oblitum
Finally I got the HMAC Auth in a shape that I like :)
One change has been made to the way the json response is created. Now the JSON responses are made "by hand" instead of Bottle figure out on its own. That is partially because this way we are sure that the dictionary returned is strigify in a consistent way; this is important since we're calculating the HMAC out of it.
The HMAC secret is passed to the application though a json file and as soon as the application read the value the file will be deleted.
I decided to test the HMAC feature from the outside (that is why I called them end_to_end tests), this way I'm also testing that the server starts properly. I don't know if I'm going to regret this decision, will see. Doing those tests I've experiment with a different way of sign the request with HMAC using an Auth plugin for
requests; @Valloric if you like the idea I will gladly send a PR forYouCompleteMe.One thing that I'm not sure if it is secure is storing the HMAC secret as a config value for the Bottle app. If you guys have comments about that just shoot.
This PR still need to update the README and I will do it soon.
If you have time I would love some comments :) @Valloric, @puremourning, @micbou, @oblitum