Overall progress so far
At the moment I would consider 60% of my project to be done in GSoC, including the base Hawk library and module. The module allows authentication using the Hawk protocol and has been tested with Drupal's REST module, which is expected to be one of the biggest use cases. Its UI is also complete. Currently it is on drupal.org's Project Applications list as a candidate for being an official project on drupal.org; the link to the issue is here.
The major thing left for the project is Oz integration, which would let users control which areas they can access and what permissions they have, and let clients limit their users' credentials. For example, a client can remove certain access from a key it holds, which allows finer control over each key's permissions. A user would be able to limit their phone's key to read only but allow their computer's key to read and write.
This was the week around mid-terms; as the goal of my mid-terms was to have the basic Hawk authentication module ready, I was focusing on making sure that was done. One of the most crucial parts left was documentation: I wrote a few articles right here on my blog about getting started with the Hawk library, as well as in the docs folder of the php-hawk library. Apart from that, I tackled one issue: replay protection.
Replay attacks and protection
Suppose an intruder has access to the network between client and server. They can intercept a valid Hawk authentication header from the client and reuse it again and again. For example, a client places an order with the server; the attacker intercepts the request and sends it multiple times, causing multiple orders.
For protection against this, Hawk has two measures in place: timestamp and nonce validation. Timestamp validation considers requests within +/- 1 minute of the current time to be valid; anything older or newer than 1 minute is rejected. This does require the client and server clocks to be in sync, but that's a trivial task.
A nonce is a random string attached to each request which is unique to that request; the idea is that a nonce should not be repeated for a given client and timestamp. So a request at time x from client y should always carry a nonce value not used before. The challenge with this was storing nonce values in order to check that they haven't been used before. I could use two stores for this: cache or database. A database allows complex structures while maintaining query efficiency and relations between different values; however, for fetching single records a DB can be slower than a cache, and we don't need complex structures or queries for nonce values (they're a simple key-value store). Hence, cache was the best option for this.
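To make the two checks concrete, here is an added example of the timestamp window and the per-key, per-timestamp nonce check backed by a key-value store. This is illustrative code, not code from php-hawk or the Drupal module; the NonceStore interface and the in-memory store are assumptions standing in for whatever cache backend the module uses.

```php
<?php
// Added example (not php-hawk code). NonceStore is an assumed abstraction over
// a cache backend: a cache suits this because each lookup is a single key.
interface NonceStore {
    // Record $id with a TTL; return false if it was already present (a replay).
    public function addIfAbsent(string $id, int $ttlSeconds): bool;
}

final class InMemoryNonceStore implements NonceStore {
    private array $entries = [];            // id => expiry time (unix seconds)
    public function __construct(private \Closure $now) {}
    public function addIfAbsent(string $id, int $ttlSeconds): bool {
        $now = ($this->now)();
        // Drop expired entries; the timestamp check rejects those anyway.
        foreach ($this->entries as $k => $expires) {
            if ($expires <= $now) { unset($this->entries[$k]); }
        }
        if (isset($this->entries[$id])) { return false; }
        $this->entries[$id] = $now + $ttlSeconds;
        return true;
    }
}

final class ReplayGuard {
    public const SKEW_SEC = 60;             // the +/- 1 minute window from the text
    public function __construct(private NonceStore $store, private \Closure $now) {}
    // Returns null when the request is accepted, otherwise the rejection reason.
    public function check(string $keyId, int $ts, string $nonce): ?string {
        if (abs(($this->now)() - $ts) > self::SKEW_SEC) { return 'stale timestamp'; }
        // Hawk's rule: a nonce must not repeat for the same key and timestamp.
        // Keep it for twice the window so nothing inside the window can replay.
        $id = $keyId . ':' . $ts . ':' . $nonce;
        if (!$this->store->addIfAbsent($id, 2 * self::SKEW_SEC)) { return 'nonce reused'; }
        return null;
    }
}

// Constructed demo with a fixed clock and a made-up key id.
$clock = 1700000000;
$guard = new ReplayGuard(new InMemoryNonceStore(fn() => $clock), fn() => $clock);
$attempts = [
    ['client-key-1', $clock,       'j4h3g2'],   // first use: accepted
    ['client-key-1', $clock,       'j4h3g2'],   // same header again: replay
    ['client-key-1', $clock - 120, 'k9m2x1'],   // outside the window
];
foreach ($attempts as [$key, $ts, $nonce]) {
    echo "$key ts=$ts nonce=$nonce => ", $guard->check($key, $ts, $nonce) ?? 'accepted', PHP_EOL;
}
```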
As always, you can see my current progress in my module's sandbox