[GSoC 2015: Hawk Authentication] Wrapping up first half; Plans for second

Submitted by Dragooon on Thu, 07/02/2015 - 18:53

Hello! As the first half of Summer of code comes to an end, I figured I'd share my tentative schedule for second half. In the first half I've managed to develop and improve the Hawk library as well as a module to serve as the base for Drupal. Second half will be focussed more towards Oz and authorization.

Schedule starting from week 7 (6th July):

[GSoC 2015: Hawk Authentication] Making Hawk client requests with PHP

Submitted by Dragooon on Tue, 06/30/2015 - 17:25

The core aim of my Summer of Code project is to allow Drupal to authenticate using the Hawk protocol, a very crucial part of that is for clients to be able to communicate with the server. This post applies to generally any Hawk client-server combination but I'll be specifically referring to my PHP Hawk library as client and my Drupal module as the server.

[GSoC 2015: Hawk Authentication] Week 5: Working on the module

Submitted by Dragooon on Mon, 06/29/2015 - 21:25

Continuing from my last week, this week I've been focussing on finishing the module and make it ready for distribution. The main component of the module is the authentication provider, which will validate any incoming requests for Hawk authentication and authenticate any respective users. Apart from the authentication provider itself, the module will provide UI for users to create their own Hawk credentials. Here's a summary of all I've done this week:

[GSoC 2015: Hawk Authentication] Solving the Page Cache issue

Submitted by Dragooon on Fri, 06/26/2015 - 18:58

As I detailed in my blog post descriving the page cache issue, Drupal caches every request on the basis of the URL and content-type. I worked around it by changing the URL on every request but this is a temporary issue and a potential security risk since one can get the cached response of an authenticated user by simply guessing the URL (or even not that if someone isn't using a timestamp/some other key) so I figured that has to be a better solution.

[GSoC 2015: Hawk Authentication] REST and Drupal 8's Page caching

Submitted by Dragooon on Thu, 06/25/2015 - 19:27

As I was making progress with my module to implement Hawk protocol as an authentication option, I had to implement the Authentication Provider which would be the main component of the module. The provider would validate and authenticate any incoming Hawk request. In order to test the provider, I enabled Drupal 8's REST module. The REST module can be configured to accept any and all available authentication providers, so I set /node/<node id> route to accept hawk authentication for GET and POST request and I only granted authenticated users permission to GET and POST on nodes.

[GSoC 2015: Hawk Authentication] Week 4: Authentication Provider

Submitted by Dragooon on Tue, 06/23/2015 - 13:23

This week I was mostly away on a trip to Italy, which is a beautiful country by the way and I would absolutely recommend anyone to visit it. I returned a couple days ago and hence I do not have a lot of progress since my last week.

Authentication Provider

[GSoC 2015: Hawk Authentication] Week 3: Starting the module

Submitted by Dragooon on Fri, 06/12/2015 - 17:24

Last week I had worked on my library implementing the Hawk protocol in PHP, the library itself is one independent of Drupal and can be used with any platform. Its main job is to create request on the behalf of clients and authenticate the requests on behalf of the servers. Hence, it'll be one of the most crucial parts of the module.

[GSoC 2015: Hawk Authentication] Week 1: Getting Started

Submitted by Dragooon on Fri, 06/05/2015 - 06:21


My project for Drupal during Google Summer of Code is to create a module which provides authentication support using Hawk for Drupal 8. Hawk is a protocol similar to OAuth, either of which can be used as an altenrative to the basic cookie-based authentication already available in Drupal.  One of the most major advantages of Hawk over OAuth is the ability to straight away make a request without requiring a handshake, reducing the amount of complexity required for making an API request.