Signing the entire request for authentication

[lordmortis]

My API uses an amazon-like authentication system: Each client has a session ID and a session key created upon authentication. The key is stored in the client and never transmitted again.

Each request then has the following headers: x-request-time (the time the request is sent in ISO-8601 format) x-session-id (the session ID from the authentication above) x-signature (HMAC digest with the session key of the string x-request-time + x-session-id + post-data"(optional - only if present)

In ember data i do this by overriding ajaxOptions (yes, this is private. I haven't found a better place to do it where I can see the stringified data request)

I don't see an obvious way of doing this with Spine? Am I missing something?

[wvteijlingen]

Interesting use case. I don't think there is a way to do this currently. We should add a public interface for some of the networking so it supports things like this. I see two options here:

1. Allow developers to create a custom (sub)class that handles network requests, much like the current subclassable router. Custom logic can then be put in there.
2. Expose some hooks that allow developers to hook into the internal request building and change the request.

[lordmortis]

I'm willing to do this work, but I because of the Swift 2.0 stuff I can't actually get into this just yet. Which one of the above would you prefer? (for my use case, I need the ability to see the entire NSData that's going to be sent and modify the headers accordingly)

[wvteijlingen]

The swift-2.0 branch (https://github.com/wvteijlingen/Spine/pull/36) contains a new NetworkClient protocol that provides much greater flexibility. You can now subclass the built in HTTPClient and override the buildRequest method to add your custom authentication. I hope this provides enough flexibility to suit your needs.

spine = Spine(baseURL: NSURL(string:"http://example.com")!, networkClient: MyHTTPClient())