express-hawkauth

v0.3.0

Hawk authentication for the express framework

Hawk authentication for ExpressJS

[NPM version](https://www.npmjs.org/package/express-hawkauth) [Build Status](https://travis-ci.org/mozilla-services/express-hawkauth)

This module provides a Hawk authentication middleware for express applications. More specifically, for applications that use the connect middleware facility.

Hawk itself does not provide any mechanism for obtaining or transmitting the set of shared credentials required, but this project proposes a scheme we use across mozilla-services projects.

Installation

npm install express-hawkauth

How do I plug that in my application?

In order to plug express-hawk in your application, you'll need to use it as a middleware.

var express = require("express");
var hawk = require("express-hawkauth");
var app = express();

var hawkMiddleware = hawk.getMiddleware({
  hawkOptions: {},
  getSession: function(tokenId, cb) {
    // A function which passes the key and algorithm for the given
    // token id to the callback. The first argument of the callback
    // is a potential error.
    cb(null, {
      key: "key",
      algorithm: "sha256"
    });
  },
  createSession: function(id, key, cb) {
    // A function which stores a session for the given id and key.
    // The argument passed to the callback is a potential error.
    cb(null);
  },
  setUser: function(req, res, credentials, cb) {
    // A function that receives req, res and the credentials so that
    // it can tweak them. For instance, you can store the tokenId
    // as the user.
    req.user = credentials.id;
    // Call the callback so the request keeps moving down the chain.
    cb();
  }
});

app.get('/hawk-enabled-endpoint', hawkMiddleware);

You can also pass a sendError parameter: a function that receives the errors generated by the library. It takes (res, status, payload) as parameters.

If you only want to check that a valid hawk session exists (without creating a new one), just create a middleware which doesn't have any createSession parameter defined.

What's returned to the clients

In case a hawk session is created (e.g. when createSession has been defined and no credentials were provided in the request), a Hawk-Session-Token header will be set on the response, containing the session token to be derived.

How are the shared credentials shared?

Okay, on to the actual details.

The server gives you a session token, that you'll need to derive to get the hawk credentials:

Do an HKDF derivation on the given session token. You'll need to use the following parameters:

key_material = HKDF(hawk_session, "", 'identity.mozilla.com/picl/v1/sessionToken', 32*2);

The key material you'll get out of the HKDF needs to be separated into two parts: the first 32 hex characters are the hawk id, and the next 32 ones are the hawk key:

credentials = {
    'id': key_material[0:32],
    'key': key_material[32:64],
    'algorithm': 'sha256'
}
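
The derivation above written out for a Node.js client, as an added example that is not part of this project's code. It assumes the Hawk-Session-Token value is hex-encoded, treats the slice offsets as byte offsets into the 64 bytes of key material, and hex-encodes both parts; the README does not spell out these encodings, so check them against the server you talk to. The function name and the sample token are made up for the example.

```javascript
"use strict";
const crypto = require("crypto");

// HKDF "info" string, taken from the README's pseudocode.
const HAWK_INFO = "identity.mozilla.com/picl/v1/sessionToken";

// Derive Hawk credentials from the value of the Hawk-Session-Token header.
// Assumptions (not stated by the README): the token is hex-encoded, the
// slice offsets are byte offsets, and id and key are returned hex-encoded.
function deriveHawkCredentials(sessionTokenHex) {
  // Reject malformed input up front: Buffer.from(..., "hex") silently
  // truncates at the first invalid character, which would yield
  // credentials derived from the wrong secret.
  if (typeof sessionTokenHex !== "string" ||
      sessionTokenHex.length === 0 ||
      sessionTokenHex.length % 2 !== 0 ||
      !/^[0-9a-fA-F]+$/.test(sessionTokenHex)) {
    throw new TypeError("session token must be a non-empty hex string");
  }
  const ikm = Buffer.from(sessionTokenHex, "hex");

  // HKDF-SHA256 with an empty salt and 2 * 32 bytes of output.
  const okm = Buffer.from(
    crypto.hkdfSync("sha256", ikm, Buffer.alloc(0), HAWK_INFO, 32 * 2)
  );

  return {
    id: okm.subarray(0, 32).toString("hex"),   // first half: Hawk id
    key: okm.subarray(32, 64).toString("hex"), // second half: Hawk key
    algorithm: "sha256"
  };
}

// Constructed sample token (32 bytes of 0x0b, hex-encoded), not a real one.
const SAMPLE_TOKEN = "0b".repeat(32);

// Printing the key is for illustration only; do not log real credentials.
console.log(deriveHawkCredentials(SAMPLE_TOKEN));
```

The session token is the only secret input, so anyone who can read the Hawk-Session-Token header can derive the same id and key; it should only ever travel over TLS and should be stored with the same care as the key itself.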