@ameliaikeda
Last active August 29, 2015 13:56

Request Spec

Hanyuu should:

  • Verify that the incoming signature in the X-Radio-Auth header matches the X-Radio-Client header (see below).
  • Fall back to X-Forwarded-For (or the remote address) on signature mismatch. This means signatures are not needed for the current site.
  • Return "hmac error" on HMAC failure once the websites have been migrated.

Signatures

These are HMAC-SHA256. The key must be shared between the site and Hanyuu, as it is used to verify that incoming IP addresses are genuine.

The key should default to DEADBEEFCAFE for testing if the config value is not present.

Site side (PHP):

```php
<?php

$key = Config::get("radio.hanyuu.key", "DEADBEEFCAFE");
$ip = Request::server("REMOTE_ADDR");
// hash_hmac(algo, data, key): the client IP is the message, the shared key is the key.
// Output is lowercase hex, which is what the Python side compares against.
$hmac = hash_hmac("sha256", $ip, $key);
```

Hanyuu side (Python):

```python
import hashlib
import hmac
import config

# client is the incoming request object; its header mapping holds the two X-Radio-* headers.
key = config.request_key or "DEADBEEFCAFE"
# hexdigest() matches PHP's hash_hmac() default output; compare_digest() avoids a timing leak.
signature = hmac.new(key.encode(), client.header["X-Radio-Client"].encode(), hashlib.sha256).hexdigest()
valid = hmac.compare_digest(signature, client.header["X-Radio-Auth"])
```
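The following is an added, self-contained example (not code from the gist) that shows both halves of the exchange described above: the site signs the client IP it places in X-Radio-Client, and Hanyuu recomputes the HMAC-SHA256 over that header, compares it in constant time, and otherwise applies the fallback rules from the spec. The `headers` dict, the `migrated` flag and the `verify_request` return shape are assumptions for illustration; taking the first X-Forwarded-For entry is also an assumption, since the spec does not say which one to use.

```python
import hashlib
import hmac

# Default from the spec; used only when no configured key is present.
DEFAULT_KEY = "DEADBEEFCAFE"


def sign_client_ip(ip: str, key: str) -> str:
    """Site side: value for X-Radio-Auth when X-Radio-Client is `ip`.

    Hex output, the same encoding PHP's hash_hmac() produces by default,
    so both sides compare like with like.
    """
    return hmac.new(key.encode(), ip.encode(), hashlib.sha256).hexdigest()


def verify_request(headers: dict, remote_addr: str, key: str, migrated: bool = False):
    """Hanyuu side (assumed shape). Returns (client_ip, status).

    status is one of:
      "signed"     - X-Radio-Auth is a valid HMAC over X-Radio-Client
      "fallback"   - signature absent or wrong, pre-migration: use X-Forwarded-For / remote addr
      "hmac error" - signature absent or wrong, post-migration: reject
    """
    client = headers.get("X-Radio-Client")
    auth = headers.get("X-Radio-Auth", "")
    if client is not None:
        expected = sign_client_ip(client, key)
        # Constant-time comparison on bytes; a plain == would leak match length via timing.
        if hmac.compare_digest(expected.encode(), auth.encode()):
            return client, "signed"
    if migrated:
        # After the website migration every request must carry a valid signature.
        return None, "hmac error"
    # Before migration the spec allows trusting X-Forwarded-For, else the socket address.
    forwarded = headers.get("X-Forwarded-For")
    ip = forwarded.split(",")[0].strip() if forwarded else remote_addr
    return ip, "fallback"


if __name__ == "__main__":
    # Constructed sample request, not captured traffic.
    client_ip = "10.0.0.5"
    good = {"X-Radio-Client": client_ip, "X-Radio-Auth": sign_client_ip(client_ip, DEFAULT_KEY)}
    print(verify_request(good, "203.0.113.9", DEFAULT_KEY))
    tampered = dict(good, **{"X-Radio-Client": "10.0.0.6"})
    print(verify_request(tampered, "203.0.113.9", DEFAULT_KEY))
    print(verify_request(tampered, "203.0.113.9", DEFAULT_KEY, migrated=True))
```

The key point for the spec is the last branch: a tampered or missing signature is only tolerated before the migration, and even then the IP Hanyuu acts on comes from X-Forwarded-For or the socket, never from the unsigned X-Radio-Client value.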