panda-hmac-play_2-5

Wraps the panda play library to allow either panda cookie or HMAC shared secret auth

License

GroupId
com.gu

ArtifactId
panda-hmac-play_2-5_2.11

Last Version
1.3.1

Release Date

Type
jar

Description
panda-hmac-play_2-5
Wraps the panda play library to allow either panda cookie or HMAC shared secret auth

Project URL
https://github.com/guardian/panda-hmac

Project Organization
com.gu

Source Code Management
https://github.com/guardian/panda-hmac


How to add to project

Maven (https://jarcasting.com/artifacts/com.gu/panda-hmac-play_2-5_2.11/):
<dependency>
    <groupId>com.gu</groupId>
    <artifactId>panda-hmac-play_2-5_2.11</artifactId>
    <version>1.3.1</version>
</dependency>

Gradle (Groovy):
implementation 'com.gu:panda-hmac-play_2-5_2.11:1.3.1'

Gradle (Kotlin):
implementation("com.gu:panda-hmac-play_2-5_2.11:1.3.1")

Buildr:
'com.gu:panda-hmac-play_2-5_2.11:jar:1.3.1'

Ivy:
<dependency org="com.gu" name="panda-hmac-play_2-5_2.11" rev="1.3.1">
  <artifact name="panda-hmac-play_2-5_2.11" type="jar" />
</dependency>

Grape:
@Grapes(
  @Grab(group='com.gu', module='panda-hmac-play_2-5_2.11', version='1.3.1')
)

sbt:
libraryDependencies += "com.gu" % "panda-hmac-play_2-5_2.11" % "1.3.1"

Leiningen:
[com.gu/panda-hmac-play_2-5_2.11 "1.3.1"]

Dependencies

compile (4)

Group / Artifact Type Version
com.typesafe.play : play_2.11 jar 2.4.0
com.typesafe.play : play-ws_2.11 jar 2.4.0
com.gu : hmac-headers_2.11 jar 1.1.2
com.gu : pan-domain-auth-play_2-5_2.11 jar 0.5.1

Project Modules

There are no modules declared in this project.

Play HMAC

Some useful AuthActions for working with machine/user auth based on HMAC for the robots and cookies for the monkeys.

Quick Rundown

We use HMAC-SHA-256.

How to use

Assuming that you are using pan-domain-auth-play and have already set up pan-domain-auth (see the instructions on those repos for details on how to do this), then it should be as simple as:

build.sbt

libraryDependencies += "com.gu" %% "panda-hmac-play_2.6" % "1.3.1"

controller

import com.gu.pandahmac.HMACAuthActions
.
.
.
@Singleton
class MyController @Inject()(override val config: Configuration,
                             override val controllerComponents: ControllerComponents,
                             override val wsClient: WSClient,
                             override val refresher: InjectableRefresher)
  extends AbstractController(controllerComponents) with PanDomainAuthActions with HMACAuthActions {

  // The shared secret the server uses to verify incoming HMAC tokens
  override def secret = "mysecret" // or more likely, config.get[String]("application.hmacSecret")

  // API action with a parsed JSON body (circe body parser, 2048-byte limit)
  def myApiActionWithBody = APIHMACAuthAction.async(circe.json(2048)) { request =>
  .
  .
  .
  }

  // Synchronous action: the block must return a Result (placeholder body)
  def myRegularAction = HMACAuthAction {
    Ok("authenticated")
  }

  // Asynchronous action: the block must return a Future[Result] (placeholder body)
  def myRegularAsyncAction = HMACAuthAction.async {
    Future.successful(Ok("authenticated"))
  }
}

How to setup a machine client

There are example clients for Scala, Javascript and Python in the examples/ directory.

Each client needs a copy of the shared secret, defined as "mysecret" in the controller example above. Each request needs a standard (RFC 7231) HTTP Date header and an authorization digest that is calculated like this:

  1. Make a "string to sign" consisting of the HTTP Date and the Path part of the URI you're trying to access, separated by a literal newline (unix-style LF, not CRLF)
  2. Calculate the HMAC digest of the "string to sign" using the shared secret as the key and the HMAC-SHA-256 algorithm
  3. Base64-encode the binary output of the HMAC digest to get a random-looking string
  4. Add the HTTP date to the request headers under the header name 'X-Gu-Tools-HMAC-Date'
  5. Add another header called 'X-Gu-Tools-HMAC-Token' and set its value to the literal string HMAC followed by a space and the digest, like this: X-Gu-Tools-HMAC-Token: HMAC boXSTNumKWRX3eQk/BBeHYk
  6. Send the request; the server should respond with a success.
  7. The default allowable clock skew is 5 minutes; if you have problems, this is the first thing to check.
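The seven steps above, worked through as an added Python example: the client side builds the two headers (steps 1 to 5) and the server side recomputes the digest and enforces the 5-minute skew from step 7. This is illustration code written for this page, not the panda-hmac library or any of the clients in its examples/ directory. It assumes the signed "Path" is the URI path without a query string (the steps do not say either way; confirm against the server you talk to) and uses a constructed secret and a fixed clock so the output is reproducible.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime

# Header names from steps 4 and 5
DATE_HEADER = "X-Gu-Tools-HMAC-Date"
TOKEN_HEADER = "X-Gu-Tools-HMAC-Token"
# Step 7: default allowable clock skew
MAX_SKEW = timedelta(minutes=5)


def string_to_sign(http_date: str, path: str) -> str:
    """Step 1: HTTP Date and URI path joined by a single LF (not CRLF).
    Assumption: 'path' excludes the query string; the steps do not specify."""
    return http_date + "\n" + path


def hmac_digest(secret: str, http_date: str, path: str) -> str:
    """Steps 2 and 3: HMAC-SHA-256 keyed with the shared secret, then base64."""
    mac = hmac.new(secret.encode("utf-8"),
                   string_to_sign(http_date, path).encode("utf-8"),
                   hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def sign_request(secret: str, path: str, now: datetime = None) -> dict:
    """Client side: produce the two headers for a request to 'path' (steps 4 and 5)."""
    now = now or datetime.now(timezone.utc)
    # RFC 7231 IMF-fixdate, e.g. "Mon, 15 Jan 2024 12:00:00 GMT"
    http_date = format_datetime(now, usegmt=True)
    return {
        DATE_HEADER: http_date,
        TOKEN_HEADER: "HMAC " + hmac_digest(secret, http_date, path),
    }


def verify_request(secret: str, path: str, headers: dict, now: datetime = None) -> tuple:
    """Server side: check skew first, then recompute and compare the digest.
    Returns (accepted, reason) so a rejection can be logged with its cause."""
    now = now or datetime.now(timezone.utc)
    http_date = headers.get(DATE_HEADER)
    token = headers.get(TOKEN_HEADER)
    if http_date is None or token is None:
        return False, "missing header"
    if not token.startswith("HMAC "):
        return False, "bad token format"
    try:
        sent_at = parsedate_to_datetime(http_date)
    except (ValueError, TypeError):
        return False, "unparseable date"
    if sent_at.tzinfo is None:  # older Pythons return a naive datetime for "-0000"
        sent_at = sent_at.replace(tzinfo=timezone.utc)
    if abs(now - sent_at) > MAX_SKEW:
        return False, "clock skew exceeds 5 minutes"
    expected = hmac_digest(secret, http_date, path)
    # Constant-time comparison so a mismatch cannot be distinguished by timing
    if not hmac.compare_digest(expected, token[len("HMAC "):]):
        return False, "digest mismatch"
    return True, "ok"


if __name__ == "__main__":
    secret = "mysecret"  # constructed; matches the placeholder in the controller example
    fixed_now = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)  # constructed clock
    headers = sign_request(secret, "/api/items", now=fixed_now)
    for name, value in headers.items():
        print(f"{name}: {value}")
    print(verify_request(secret, "/api/items", headers, now=fixed_now))
    # The same headers presented six minutes later fail the skew check (step 7)
    print(verify_request(secret, "/api/items", headers, now=fixed_now + timedelta(minutes=6)))
```

The skew check runs before the digest comparison so that a stale or replayed request is rejected on the cheap path; the Date header is part of the signed string, so an attacker cannot refresh it without also recomputing the digest, which requires the secret.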

Versions

1.3.1
1.2.2