connect-http-signature is a Connect middleware wrapper for Joyent's HTTP Signature reference implementation.

The connect-http-signature module exports two middleware components: verify and gateway. These components separate the logic of verifying a request's signature, and the decision of accepting or rejecting a request based on that verification. This separation provides a simple but flexible solution to enforcing request authentication.

$ npm install connect-http-signature

Note: an example Express application using connect-http-signature can be found in ./example (all the relevant stuff is in ./example/app.js).

As was mentioned above, connect-http-signature exports two modules; one for signature verification, and another for securing endpoints. Both of these modules are intended to be flexible enough to meet the needs of a range of authentication requirements.

The verify middleware component simply verifies whether or not the request has a valid HTTP Signature. The request object is decorated with a signature property, that can be inspected by middleware components later on for authorization decisions. The verify middleware component only has one required option: pub. This property specificies the public key to use for request verification. Alternatively, pub can be specified as an Array, in which case each item is a public key to be tried sequentially. Any additional options will be passed to node-http-signature's parseRequest method.

Basic usage:

var fs = require('fs'),
    httpSignature = require('connect-http-signature');

// example express configuration block
app.configure(function(){
    ...
    app.use(httpSignature.verify({
        pub: fs.readFileSync(__dirname + '/rsa_public.pem', 'ascii')
    }));
    ...
});

The above example is useful when only one public key is required for all requests. This is not always the case, however. For situations in which the public key needs to be identified on a request-by-request basis, a function may be provided to verify which will then be invoked on each request. This function is then responsible for providing options relevant to the current request.

var fs = require('fs'),
    httpSignature = require('connect-http-signature');

// example express configuration block
app.configure(function(){
    ...
    app.use(httpSignature.verify(function(req, res, cb) {
        // this is an example - validate user provided values in your apps!
        var certPath = __dirname + '/certs/' + req.query.tenant + '.pem';

        fs.readFile(certPath, 'ascii', function(err, data) {
           if (err) return cb(err);
           cb(null, { pub: data });
        });
    }));
    ...
});

Once a request's signature has been verified, it's typical to then enforce that some or all endpoints are authorized against a successful signature verification. The gateway middleware component can be used to do just that.

Basic usage:

var httpSignature = require('connect-http-signature'),
    gateway = httpSignature.gateway();

app.get('/secured-endpoint', gateway, function(req, res, next) {
   res.json({ data: 'WAHOO' });
});

This default usage simply responds with a 401 status code, and a relevant reason phrase. If your application requires a particular response format, or you would simply like more control over how this situation is handled, a reject handler may be provided that defines this custom behavior. The reject handler is defined like any other connect middleware. The typical behavior is to simply respond with an error message, but it is also possible to call next if you choose not to reject the request.

var httpSignature = require('connect-http-signature'),
    gateway = httpSignature.gateway({
        reject: function(req, res, next) {
            res.json({ message: 'YOU FAIL!' }, 401);
        }
    });

app.get('/secured-endpoint', gateway, function(req, res, next) {
   res.json({ data: 'WAHOO' });
});

• Beef up the test suite
• Provide a way to distinguish between a failed authentication attempt, and simply no attempt at all

The MIT License (MIT)

Copyright (c) 2013 Jeremy Martin

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.