Who are you, private/public key authentication for connect.

Published on Jan 03, 2013

Who-are-you, reads a series of http headers and authorize (or not) the caller to access the API.

<aside class=“resources”>

UPDATE

You should also check Joyent’s node-http-signature that provides HMAC authentication in a more complete and mature module. If you are using Restify you can use the Joyent module right away since it comes already included.
</aside>

Usage

  • Provide the client with a private and public key.
  • Create names (or use the defaults) for the http headers the client will use to make the request.
  • Choice a public value that will be used to generate the hash with the private key.
  • At the moment it uses sha1 to generate the (hash) token.

Example

Given the keys:

  • apiKey: 90ijUhj88uY
  • secretKey: ppKJHnmm09Iu564ghfB=

And using the default custom http headers:

The client should send a request with the following headers:



  x-api-key: 90ijUhj88uY
  x-request-time: '1357169907984'
  x-token: 'a001880c10e2a61231311b1b56cecd98c71a7fe4'

The hash is calculated (in node) using the crypto module.



  var hash = crypto.createHmac('sha1', 'ppKJHnmm09Iu564ghfB=')
      .update('1357169907984')
      .digest('hex');

On the server application you can add the module as usual:



  var whoareyou = require('whoareyou');
  server.use(whoareyou.privatePublicKey(accountStore, null));

If you want to use custom headers use an options argument as this:



  var whoareyou = require('whoareyou');
  var options = {
    "apiKey": "x-key",
    "dateTime": "x-date",
    "token": "x-hash"
  };
  server.use(whoareyou.privatePublicKey(accountStore, options));

The accountStore is expected to have one method get(apiKey, cb) the callback takes two arguments and error and an account object.
The account object is expected to have at least one property secretKey that contains exactly that.

The middleware will add two properties to the request authenticated a boolean indicating if the authentication have been succesful and currentAccount that contains a clone of the account object returned by the accountStore.get method.