I am working on authentication for my own JSON-RPC API, and my current working strategy is using signed requests sent over the POSTtop SSL.
I am wondering if anyone can see any vulnerabilities that I did not take into account when using the following signature method.
All communication between the client and server is done through POSTrequests sent through SSL. Insecure requests httpautomatically refuse the API server.
Dependencies
var uuid = require('node-uuid');
var crypto = require('crypto');
var moment = require('moment');
var MyAPI = require('request-json').newClient('https://api.myappdomain.com');
Dependency Links: node-uuid , crypto , moment , request-json
Wars
var apiVersion = '1.0';
var publicKey = 'MY_PUBLIC_KEY_UUID';
var secretKey = 'MY_SECRET_KEY_UUID';
Request Object
var request = {
requestID : uuid.v4(),
apiVersion : apiVersion,
nonce : uuid.v4(),
timestamp : moment.utc( new Date() ),
params : params
}
Signature
var signature = crypto.createHmac('sha512',secretKey).update(JSON.stringify(request)).digest('hex');
( POST SSL)
var payload = {
request: request,
publicKey : publicKey,
signature : signature
}
JSON Document
{
"request" : {
"requestID" : "687de6b4-bb02-4d2c-8d3a-adeacd2d183e",
"apiVersion" : "1.0",
"nonce" : "eb7e4171-9e23-408a-aa2b-cd437a78af22",
"timestamp" : "2014-05-23T01:36:52.225Z",
"params" : {
"class" : "User"
"method" : "getProfile",
"data" : {
"id" : "SOME_USER_ID"
}
}
},
"publicKey" : "PUBLIC_KEY",
"signature" : "7e0a06b560220c24f8eefda1fda792e428abb0057998d5925cf77563a20ec7b645dacdf96da3fc57e1918950719a7da70a042b44eb27eabc889adef95ea994d1",
}
POST
MyAPI.post('/', payload, function(response){
});
:
PUBLIC_KEY SECRET_KEY .SECRET_KEY HMAC request .signature, , request, . , timestamp.- ,
timestamp, cleartext request, signature, , timestamp , . .
, , SSL. ?
.
JSON
JSON.stringify , .
, - JSON request. , request , . request JSON payload. JSON, , JSON.stringify, , . , , , , .