README.md in rack-simple_auth-0.1.0 vs README.md in rack-simple_auth-0.1.1

- old
+ new

@@ -23,24 +23,16 @@ [![Build Status](https://travis-ci.org/Benny1992/rack-simple_auth.png?branch=master)](https://travis-ci.org/Benny1992/rack-simple_auth) [![Coverage Status](https://coveralls.io/repos/Benny1992/rack-simple_auth/badge.png?branch=master)](https://coveralls.io/r/Benny1992/rack-simple_auth?branch=master) [![Gem Version](https://badge.fury.io/rb/rack-simple_auth.png)](http://badge.fury.io/rb/rack-simple_auth) [![Dependency Status](https://gemnasium.com/Benny1992/rack-simple_auth.png)](https://gemnasium.com/Benny1992/rack-simple_auth) - - - ## Usage ### HMAC Authorization HMAC should be used for communication between website backend and api server/controller/whatever.. -~~For usage between Server <-> Client a sniffer could easily extract the signature/public key and -the encrypted message which is for now the same for the same request (see TODO implement timestamp).~~ - -~~With these 2 informations a "secure" backend could be easily seen public...~~ - In version 0.0.5 the timestamp has been added to the msg which will be encrypted, also the possibility to configure the allowed delay a request can have has been added. Uses Authorization HTTP Header, example: ```Authorization: MessageHash:Signature``` @@ -54,11 +46,12 @@ 'GET' => 'path', 'POST' => 'params', 'DELETE' => 'path', 'PUT' => 'path', 'PATCH' => 'path' - 'tolerance' => 2, + 'tolerance' => 1, + 'steps' => 0.1, 'signature' => 'signature', 'secret' => 'secret', 'logpath' => '/path/to/log/file' } @@ -71,10 +64,11 @@ Note: Private Key and Signature should be served by a file which is not checked into git version control. + #### Config Hash Via the config hash you are able to define the 'data' for each request method.<br /> This data + HTTP Methodname is your Message what will be encrypted.<br /> 
@@ -107,11 +101,19 @@ The tolerance which is configureable in the config hash sets the possible delay a request could have and still will be authorized. Notice: For a set tolerance a Encrypted Message array will be generated and compared with the MessageHash from the AUTH Header +In Version 0.1.0 the stepsize option has been added +You can now specify how many valid hashes are created in a range between eg.: (-1..1) (= tolerance) + +A minimum stepsize of 0.01 is required (0.01 are 10 milliseconds, this is the minimum because of ruby's float disaster and therefore the gem has to use Float#round(2)) + +Let me know if you need a smaller stepsize... + + #### Logging With config['logpath'] you can define a destination where the internal #log method should write to. The Logging will only be triggered when a path is defined (leave config['logpath'] for disable logging) and a request is not authorized! @@ -121,13 +123,10 @@ - HTTP_AUTHORIZATION Header - Config for the specific Request Method (GET => path etc ...) - The Encrypted Message Array which was expected - The Signature which was expected - - - ## TODO ~~Add Timestamp to encryption..~~ ~~For now a sniffer could track a successfull request to the server and extract the HTTP_AUTHORIZATION HEADER for this request.~~ @@ -142,9 +141,10 @@ 1. Fork it ( http://github.com/benny1992/rack-simple_auth/fork ) 2. Create your feature branch (`git checkout -b my-new-feature`) 3. Commit your changes (`git commit -am 'Add some feature'`) 4. Push to the branch (`git push origin my-new-feature`) 5. Create new Pull Request +
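Review bot: removing the two struck-through paragraphs in the first hunk (`@@ -23,24 +23,16 @@`) also removes the only explanation of the replay problem that the timestamp was introduced to address, so the surviving sentence "In version 0.0.5 the timestamp has been added to the msg which will be encrypted" no longer says what it protects against or why `tolerance` exists. Suggest keeping a short, non-struck sentence in its place, for example "Without a timestamp a captured Authorization header could be replayed; since 0.0.5 the timestamp is part of the signed message and requests outside the configured tolerance are rejected", so the later sections on tolerance and steps have their motivation.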
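Review bot: the example config hash in the second hunk (`@@ -54,11 +46,12 @@`) is not valid Ruby as shown: `'PATCH' => 'path'` has no trailing comma before the new `'tolerance' => 1,` line, so anyone pasting the example gets a SyntaxError; add the comma. The two timing keys also lack units: `'tolerance' => 1` and `'steps' => 0.1` are both seconds, and together they determine how many candidate hashes the server computes and compares for every request (offsets from -tolerance to +tolerance in increments of steps, i.e. 21 values with these defaults if the range is inclusive). A comment next to the keys should say that, and make clear that a smaller `steps` increases the number of hashes built per request rather than narrowing the accepted time window, which is set by `tolerance` alone.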
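Review bot: the new paragraph in the fourth hunk (`@@ -107,11 +101,19 @@`) calls the option "stepsize" while the config example added in the same diff names the key `'steps'`; use the real key name so readers do not set an option that is never read. The sentence "You can now specify how many valid hashes are created in a range between eg.: (-1..1) (= tolerance)" should state the unit (seconds) and give a concrete count, e.g. tolerance 1 with steps 0.1 yields 21 hashes per request, so operators can weigh per-request cost against clock skew. The hunk states that "A minimum stepsize of 0.01 is required" but not what happens when a smaller value is configured (rejected at startup, silently rounded via `Float#round(2)`, or accepted as-is); that behaviour needs documenting, because a silently rounded value changes which timestamps are authorized without the operator noticing. "Let me know if you need a smaller stepsize..." reads as a commit comment rather than README text and would fit better in the changelog or an issue.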