hsoz- Iron, Hawk, Oz: Web auth protocols

Safe Haskell: None



Single URI Authorization

There are cases in which limited and short-term access to a protected resource is granted to a third party which does not have access to the shared credentials. For example, displaying a protected image on a web page accessed by anyone. Hawk provides limited support for such URIs in the form of a bewit — a URI query parameter appended to the request URI which contains the necessary credentials to authenticate the request.

Because of the significant security risks involved in issuing such access, bewit usage is purposely limited to GET requests and to a finite period of time. Both the client and the server can issue bewit credentials; however, the server should not use the same credentials as the client, so that it remains clearly traceable who issued which credentials.

In order to simplify implementation, bewit credentials do not support a single-use policy and can be replayed multiple times within the granted access timeframe.

This module collects the URI authorization functions in one place, mirroring the Hawk.uri module of the JavaScript implementation.



getBewit
    :: Credentials              -- Credentials used to generate the bewit.
    -> NominalDiffTime          -- Time-to-live (TTL) value.
    -> Maybe ExtData            -- Optional application-specific data.
    -> NominalDiffTime          -- Time offset to sync with server time.
    -> ByteString               -- The URI for which the bewit is generated.
    -> IO (Maybe ByteString)    -- Base-64 encoded bewit value.

fixme: the JavaScript version also accepts deconstructed (parsed) URI objects.
fixme: not much point having two time interval arguments? Maybe just have a single expiry-time argument.

Generate a bewit value for a given URI. If the URI can't be parsed, Nothing will be returned.

See Network.Hawk.URI for more information about bewits.
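To make the bewit rules above concrete (GET only, finite lifetime, replayable within that window, issuer traceable by key id) alongside the TTL and offset arguments of getBewit, here is an added Python issuer and verifier; it is not code from hsoz or the Hawk project. The "hawk.1.bewit" normalized string and the id\exp\mac\ext layout follow my reading of the Hawk JavaScript reference implementation rather than this page, and the resource/host/port parameters and the Credentials fields are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Callable, NamedTuple, Optional

class Credentials(NamedTuple):
    key_id: str   # issuer identity: client and server should use distinct ids for traceability
    key: bytes

def _normalized(exp: int, resource: str, host: str, port: int, ext: str) -> bytes:
    # Assumed "hawk.1.bewit" normalized string; the nonce and payload-hash lines are empty for bewits.
    lines = ["hawk.1.bewit", str(exp), "", "GET", resource, host.lower(), str(port), "", ext]
    return ("\n".join(lines) + "\n").encode()

def _mac(key: bytes, msg: bytes) -> str:
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()

def get_bewit(creds: Credentials, ttl_sec: int, ext: str, offset_sec: int,
              resource: str, host: str, port: int, now: Optional[float] = None) -> str:
    """Issue a bewit, base64url(id\\exp\\mac\\ext); ttl_sec/offset_sec mirror getBewit's two time arguments."""
    now = time.time() if now is None else now
    exp = int(now + offset_sec + ttl_sec)          # absolute expiry, in server-synced epoch seconds
    mac = _mac(creds.key, _normalized(exp, resource, host, port, ext))
    raw = "\\".join([creds.key_id, str(exp), mac, ext]).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def authenticate_bewit(bewit: str, method: str, resource: str, host: str, port: int,
                       lookup: Callable[[str], Optional[Credentials]],
                       now: Optional[float] = None) -> Optional[str]:
    """Verify a bewit against a request; returns the issuing key id, or None on any failure.
    `resource` is the request path+query with the bewit parameter already removed (assumption)."""
    if method.upper() != "GET":                    # bewits are deliberately limited to GET
        return None
    try:
        raw = base64.urlsafe_b64decode(bewit + "=" * (-len(bewit) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    parts = raw.split("\\")
    if len(parts) != 4 or not parts[1].isdigit():
        return None
    key_id, exp, mac, ext = parts[0], int(parts[1]), parts[2], parts[3]
    now = time.time() if now is None else now
    creds = lookup(key_id)
    if creds is None or exp <= now:                # finite window only: no single-use state, so replay inside it succeeds
        return None
    expected = _mac(creds.key, _normalized(exp, resource, host, port, ext))
    return key_id if hmac.compare_digest(expected, mac) else None
```

The verifier resolves credentials by the id embedded in the bewit, which is what lets a server tell its own issued bewits apart from the client's, provided the two never share an id.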