I’d like to write HMAC’d URLs for things, instead of using keys to embed things. For instance, today we’re using iframes or CSV links that include the API key, plus the ID of the query - there is nothing stopping the user changing things and looking at other stuff.

Proposal:

Add support for HMAC auth

  1. check URL for hmac_auth and user_id param
  2. if found, look up user by id, get their token
  3. generate an HMAC signature of the full URL and any parameters
  4. compare with hmac_auth parameter from user
  5. auth them if it matches

Advantages:

  1. stops the user seeing different things that user can see
  2. doesn’t include the api key
  3. industry standard (could use something specific like AWS’ implementation, but something simpler would be fine imho)

Disadvantages:

  1. where does the user “get” the HMAC url from?

I’m happy to code this and make a PR, if it seems sane.

Russ
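
The five steps proposed above, sketched as an added example that is not part of the original post or of the project's code. Assumptions: HMAC-SHA256 over the path plus sorted query parameters (the host is not signed), an in-memory `USER_TOKENS` dict standing in for the user lookup, and a constructed embed path.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample data: user id -> secret token (stands in for the lookup in step 2).
USER_TOKENS = {"7": b"constructed-secret-token-for-user-7"}


def _canonical(path, params):
    """Path plus every parameter except hmac_auth, sorted so ordering cannot change the MAC."""
    pairs = sorted((k, v) for k, v in params if k != "hmac_auth")
    return (path + "?" + urlencode(pairs)).encode("utf-8")


def sign_url(url, user_id):
    """Return url with user_id and hmac_auth parameters appended."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True) + [("user_id", user_id)]
    mac = hmac.new(USER_TOKENS[user_id], _canonical(parts.path, params), hashlib.sha256)
    params.append(("hmac_auth", mac.hexdigest()))
    return parts._replace(query=urlencode(params)).geturl()


def verify_url(url):
    """Steps 1-5: return the authenticated user id, or None if the check fails."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    supplied = [v for k, v in params if k == "hmac_auth"]
    user_ids = [v for k, v in params if k == "user_id"]
    # Reject missing or duplicated auth parameters instead of guessing which one counts.
    if len(supplied) != 1 or len(user_ids) != 1:
        return None
    token = USER_TOKENS.get(user_ids[0])
    if token is None:
        return None
    expected = hmac.new(token, _canonical(parts.path, params), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; avoids leaking how many leading characters matched.
    ok = hmac.compare_digest(expected.encode("utf-8"), supplied[0].encode("utf-8"))
    return user_ids[0] if ok else None


if __name__ == "__main__":
    signed = sign_url("/embed/query/42/results.csv?format=csv", "7")
    print(signed, verify_url(signed))
    print(verify_url(signed.replace("/query/42/", "/query/43/")))  # tampered query id
```

Because the query ID sits inside the signed path, changing it invalidates the signature, and the user's token never appears in the URL.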

> there is nothing stopping the user changing things and looking at other stuff.

There is – unless you’re using a user API key, the API key is limited to the specific query (each query has its own API key).

As a side note, there is already support for HMAC. It’s a configuration setting whether to use plain API keys or to use them for signature, but I haven’t used it in a while, so I’m not sure what state it is in.

Cool - then perhaps this isn’t needed! I’ll look into the state of HMAC - if it’s not in a good state I’ll post back and suggest some fixes.

Russ