56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
# File 'lib/hawk/authorization_header.rb', line 56
def authenticate(, options)
options = options.dup
parts = parse()
options.delete(:payload) unless parts[:hash]
now = Time.now.to_i
options[:timestamp_skew] ||= DEFAULT_TIMESTAMP_SKEW
if options[:server_response]
credentials = options[:credentials]
parts.merge!(
:ts => options[:ts],
:nonce => options[:nonce]
)
else
unless options[:credentials_lookup].respond_to?(:call) && (credentials = options[:credentials_lookup].call(parts[:id]))
return AuthenticationFailure.new(:id, "Unidentified id")
end
if (now - parts[:ts].to_i > options[:timestamp_skew]) || (parts[:ts].to_i - now > options[:timestamp_skew])
return AuthenticationFailure.new(:ts, "Stale ts", :credentials => credentials)
end
unless parts[:nonce]
return AuthenticationFailure.new(:nonce, "Missing nonce")
end
if options[:nonce_lookup].respond_to?(:call) && options[:nonce_lookup].call(parts[:nonce])
return AuthenticationFailure.new(:nonce, "Invalid nonce")
end
end
mac_opts = options.merge(
:credentials => credentials,
:ts => parts[:ts],
:nonce => parts[:nonce],
:ext => parts[:ext],
:app => options[:app] || parts[:app],
:dlg => options[:dlg] || parts[:dlg]
)
expected_hash = parts[:hash] ? Crypto.hash(options.merge(:credentials => credentials)) : nil
if expected_hash && expected_hash.to_s != parts[:hash]
return AuthenticationFailure.new(:hash, "Invalid hash. #{expected_hash.normalized_string}")
end
expected_mac = Crypto.mac(mac_opts)
unless expected_mac.eql?(parts[:mac])
return AuthenticationFailure.new(:mac, "Invalid mac. #{expected_mac.normalized_string}")
end
credentials
end
|