Continuing from last week, this week I've been focussing on finishing the module and making it ready for distribution. The main component of the module is the authentication provider, which will validate any incoming requests for Hawk authentication and authenticate the respective users. Apart from the authentication provider itself, the module will provide a UI for users to create their own Hawk credentials. Here's a summary of all I've done this week:
As I detailed in my blog post describing the page cache issue, Drupal caches every request on the basis of the URL and content-type. I worked around it by changing the URL on every request, but this is a temporary issue and a potential security risk, since one can get the cached response of an authenticated user by simply guessing the URL (or even not that if someone isn't using a timestamp/some other key), so I figured there has to be a better solution.
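The page cache problem described above, as an added illustration that is not code from the module or from Drupal: a toy cache keyed only on URL and content type, next to the same cache with a hypothetical `skip_authenticated` policy that bypasses it for requests carrying an `Authorization` header. All class, function and parameter names, the URL and the header value are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Request:
    method: str
    url: str
    accept: str = "application/json"
    authorization: Optional[str] = None  # e.g. 'Hawk id="...", mac="..."'

def backend(req):
    """Stand-in for the REST resource; real Hawk MAC validation is out of scope."""
    if req.authorization and req.authorization.startswith("Hawk "):
        return 200, "node body for the authenticated user"
    return 401, "authentication required"

class PageCache:
    """Cache keyed on (URL, content type) only, consulted before authentication."""

    def __init__(self, skip_authenticated):
        self.skip_authenticated = skip_authenticated  # hypothetical policy switch
        self.store = {}

    def handle(self, req):
        # With the policy on, authenticated requests are neither served from
        # the cache nor written to it.
        cacheable = req.method == "GET" and not (
            self.skip_authenticated and req.authorization)
        key = (req.url, req.accept)
        if cacheable and key in self.store:
            return self.store[key]  # served without any credential check
        resp = backend(req)
        if cacheable and resp[0] == 200:
            self.store[key] = resp
        return resp

def anonymous_after_authenticated(cache, url="/node/1?ts=1700000000"):
    """An authenticated GET, then the same URL requested with no credentials."""
    cache.handle(Request("GET", url, authorization='Hawk id="constructed"'))
    return cache.handle(Request("GET", url))

if __name__ == "__main__":
    for policy in (False, True):
        status, _ = anonymous_after_authenticated(PageCache(policy))
        print(f"skip_authenticated={policy}: anonymous request -> {status}")
```

The timestamp in the URL only changes the cache key; it does not stop the stored response from being served to a request without credentials that uses the same URL.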
As I was making progress with my module to implement the Hawk protocol as an authentication option, I had to implement the Authentication Provider, which would be the main component of the module. The provider would validate and authenticate any incoming Hawk request. In order to test the provider, I enabled Drupal 8's REST module. The REST module can be configured to accept any and all available authentication providers, so I set the /node/<node id> route to accept Hawk authentication for GET and POST requests, and I only granted authenticated users permission to GET and POST on nodes.