Custom digest algorithms don't seem to change anything

[andyjeffries]

Good morning,

I've had an issue in Flexirest to support your new :digest option to customise the digest algorithm. Unfortunately, it doesn't seem to change anything. I have code that looks like this:

      puts api_auth[:api_auth_options].inspect
      puts request.inspect
      ApiAuth.sign!(
        request,
        api_auth[:api_auth_access_id],
        api_auth[:api_auth_secret_key],
        api_auth[:api_auth_options])
      puts request.inspect

The output of my test is this:

{:digest=>"sha1"}
#<struct Faraday::Request method=:get, path="/foo", params={}, headers={"Date"=>"Sat, 14 Mar 2015 15:13:24 GMT", "User-Agent"=>"Faraday v0.9.2"}, body=nil, options=#<Faraday::RequestOptions (empty)>>
#<struct Faraday::Request method=:get, path="/foo", params={}, headers={"Date"=>"Sat, 14 Mar 2015 15:13:24 GMT", "User-Agent"=>"Faraday v0.9.2", "Authorization"=>"APIAuth id123:PMWBThkB8vKbvUccHvoqu9G3eVk="}, body=nil, options=#<Faraday::RequestOptions (empty)>>

As you can see the Authorization header becomes APIAuth id123:PMWBThkB8vKbvUccHvoqu9G3eVk= rather than something beginning with APIAuth-HMAC-SHA1.

I tried it with sha256 as well, the same result. I'm using v1.5.0 of ApiAuth.

[kjg]

The digest option is not available in v1.5.0, it is available currently in the master branch, and will be available in v2.0.0 which has not been released yet. Do you mind testing against master and if all is good I'll release 2.0.0

[andyjeffries]

Doesn't seem to work for me. Switched to master and bundling says:

Using api-auth 2.0.0.pre (was 1.5.0) from git://github.com/mgomes/api_auth.git (at master@e197438)

The RSpec test still seems to not have it generating the correct header:

{:digest=>"sha1"}
#<struct Faraday::Request method=:get, path="/foo", params={}, headers={"Date"=>"Sat, 14 Mar 2015 15:13:24 GMT", "User-Agent"=>"Faraday v0.9.2"}, body=nil, options=#<Faraday::RequestOptions (empty)>>
#<struct Faraday::Request method=:get, path="/foo", params={}, headers={"Date"=>"Sat, 14 Mar 2015 15:13:24 GMT", "User-Agent"=>"Faraday v0.9.2", "Authorization"=>"APIAuth id123:TQiQIW6vVaDC5jvh99uTNkxIg6Q="}, body=nil, options=#<Faraday::RequestOptions (empty)>>

By the way, it also seems to have broken previous hashes, did the default hashing algorithm change in 2.0.0?

  1) Flexirest::Connection with api auth signing requests should have an Authorization header
     Failure/Error: expect(result.env.request_headers['Authorization']).to eq("APIAuth id123:PMWBThkB8vKbvUccHvoqu9G3eVk=")

       expected: "APIAuth id123:PMWBThkB8vKbvUccHvoqu9G3eVk="
            got: "APIAuth id123:TQiQIW6vVaDC5jvh99uTNkxIg6Q="

       (compared using ==)

[kjg]

v2.0.0 now includes the http method in the canonical string by default. v1.4.0 introduced a flag to provide an upgrade strategy from v1.3.0 and earlier to v2.0.0. See https://github.com/mgomes/api_auth/blob/master/CHANGELOG.md#14-2015-12-16 for more info on that change.

[andyjeffries]

OK, so that explains the changed hashes, but it's still not returning APIAuth-HMAC-SHA1? Thanks.

[kjg]

You can view the full discussion around the :digest change here: #98

The summary is that SHA1 is the default, so to allow for backwards compatibility, specifying sha1 doesn't change the format of the Auth string.

However maybe we should change it such that sha1 is the default when no digest is specified, and uses the previous style Auth string
And then if you do specify a :digest even it it is sha1, then we have the newer style auth String.

Does that make sense? What do you think about that strategy?

[andyjeffries]

No, that makes sense - I just wasn't aware of it.

Now I've changed it to be sha256 it works fine for me. I'm happy merging my changes in to Flexirest to support Api-Auth 2.0 once you release your 2.0.0 version. Thanks.

[andyjeffries]

Can you let me know when you release 2.0.0 (on this issue or by email) and I'll release the version of FR that supports it.

[kjg]

v2.0.0 has just been released!

[andyjeffries]

Thank you. I actually released mine the other day because I put some code in to detect which functionality is available (so it would work with people using the old or new versions). Thanks though.