Safe Haskell | None |
---|---|
Language | Haskell2010 |
Single URI Authorization
There are cases in which limited and short-term access to a protected resource is granted to a third party which does not have access to the shared credentials. For example, displaying a protected image on a web page accessed by anyone. Hawk provides limited support for such URIs in the form of a bewit — a URI query parameter appended to the request URI which contains the necessary credentials to authenticate the request.
Because of the significant security risks involved in issuing such access, bewit usage is purposely limited to GET requests and to a finite period of time. Both the client and the server can issue bewit credentials; however, the server should not use the same credentials as the client, so that it stays clearly traceable who issued which credentials.
In order to simplify implementation, bewit credentials do not support single-use policy and can be replayed multiple times within the granted access timeframe.
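The three properties above (GET only, finite lifetime, replayable within that lifetime) can be seen in a small issue-and-verify sketch. This is an added example, not code from this library: the token layout (`id\exp\mac\ext`, base64url) and the normalized string are assumptions modelled on the Hawk JavaScript implementation, and `issue_bewit`, `verify_bewit`, `lookup_key` and the sample credentials are hypothetical names and constructed values.

```python
import base64, hashlib, hmac, time
from urllib.parse import urlsplit

def _mac(key, exp, resource, host, port, ext):
    # Normalized string (assumed layout, after the Hawk JavaScript implementation):
    # type "bewit", ts = expiry, empty nonce, method fixed to GET, empty payload hash.
    norm = f"hawk.1.bewit\n{exp}\n\nGET\n{resource}\n{host}\n{port}\n\n{ext}\n"
    return base64.b64encode(hmac.new(key, norm.encode(), hashlib.sha256).digest()).decode()

def _target(uri):
    u = urlsplit(uri)  # absolute URI assumed; query kept as raw "k=v" parts
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.path, (u.query.split("&") if u.query else []), u.hostname, port

def _resource(path, parts):
    return path + ("?" + "&".join(parts) if parts else "")

def issue_bewit(cred_id, key, uri, ttl, ext="", now=None):
    path, parts, host, port = _target(uri)
    exp = int(time.time() if now is None else now) + ttl
    mac = _mac(key, exp, _resource(path, parts), host, port, ext)
    raw = "\\".join([cred_id, str(exp), mac, ext])
    return base64.urlsafe_b64encode(raw.encode()).decode().rstrip("=")

def verify_bewit(lookup_key, method, uri, now=None):
    """Return the issuing credential id, or None if the request is rejected."""
    if method != "GET":                      # bewits are GET-only
        return None
    path, parts, host, port = _target(uri)
    tokens = [p[6:] for p in parts if p.startswith("bewit=")]
    if len(tokens) != 1:
        return None
    try:
        raw = base64.urlsafe_b64decode(tokens[0] + "=" * (-len(tokens[0]) % 4)).decode()
        cred_id, exp, mac, ext = raw.split("\\")
        exp = int(exp)
    except ValueError:                       # bad base64, UTF-8, field count or expiry
        return None
    key = lookup_key(cred_id)
    if key is None or exp <= int(time.time() if now is None else now):
        return None                          # unknown issuer or expired
    rest = [p for p in parts if not p.startswith("bewit=")]
    expected = _mac(key, exp, _resource(path, rest), host, port, ext)
    ok = hmac.compare_digest(expected.encode(), mac.encode())
    return cred_id if ok else None           # no nonce store: replay within TTL succeeds

if __name__ == "__main__":                   # constructed credentials and URI
    t = issue_bewit("img-server", b"constructed-secret", "https://example.com/photos/1.png", 60)
    print(verify_bewit(lambda i: b"constructed-secret", "GET", "https://example.com/photos/1.png?bewit=" + t))
```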
This module collects the URI authorization functions in a single module, to mirror the Hawk.uri module of the JavaScript implementation.
- authenticate :: MonadIO m => AuthReqOpts -> CredentialsFunc m t -> Request -> m (AuthResult t)
- middleware :: AuthReqOpts -> CredentialsFunc IO t -> Middleware
- getBewit :: Credentials -> NominalDiffTime -> Maybe ByteString -> NominalDiffTime -> ByteString -> IO (Maybe ByteString)
Documentation
authenticate :: MonadIO m => AuthReqOpts -> CredentialsFunc m t -> Request -> m (AuthResult t)
See authenticateBewit.
middleware :: AuthReqOpts -> CredentialsFunc IO t -> Middleware
See bewitAuth.
getBewit :: Credentials -> NominalDiffTime -> Maybe ByteString -> NominalDiffTime -> ByteString -> IO (Maybe ByteString)
Generate a bewit value for a given URI.