summer of code

[GSoC 2015: Hawk Authentication] Week 9: Dropping Oz and moving on with Hawk

Submitted by Dragooon on Mon, 07/20/2015 - 20:06

Continuing from my last week’s update, this week was originally meant to be the one where I get started with implementing Oz protocol in PHP and then into my module. However, I ran into a severe limitation with the protocol itself that has forced me to reconsider my plan and drop Oz, instead shifting my focus back to my original Hawk module I had been working on during the past few weeks.

Limitation with Oz

[GSoC 2015: Hawk Authentication] Getting maintainer access on

Submitted by Dragooon on Mon, 07/20/2015 - 19:27

Introduction to my module

My project for Drupal during Google Summer of Code 2015 is to create a Drupal 8 module for a protocol called Hawk. Hawk allows the users to identify themselves and provide an alternative to the standard cookie-based authentication that takes place by browsers. It is mainly meant to be used alongside the REST module, however there are no hard restrictions. Another developer or user can use it as they please. The module itself identifies the user amongst other things such as handling special Hawk end points and header values.

[GSoC 2015: Hawk Authentication] Week 8: Security considerations and Oz

Submitted by Dragooon on Tue, 07/14/2015 - 16:19

Continuing from my last week's progress, this week was more theoritical than practical. For this week I focussed on:

  • Nonce Validator, more specifically ensuring it works.
  • Learning about Oz and how it can applied.

Nonce Validator

[GSoC 2015: Hawk Authentication] Week 7: Documentation and Replay attacks

Submitted by Dragooon on Tue, 07/07/2015 - 18:22

Overall progress so far

At the moment I would consider 60% of my project to be done in GSoC, including the base hawk library and module. The module allows authentication using Hawk protocol and has been tested with Drupal's REST module which is expected to be one of the biggest use case. It's UI is also complete. Currently it's on's Project Applications list as a candidate for being an official project on, link to issue is here

[GSoC 2015: Hawk Authentication] Wrapping up first half; Plans for second

Submitted by Dragooon on Thu, 07/02/2015 - 18:53

Hello! As the first half of Summer of code comes to an end, I figured I'd share my tentative schedule for second half. In the first half I've managed to develop and improve the Hawk library as well as a module to serve as the base for Drupal. Second half will be focussed more towards Oz and authorization.

Schedule starting from week 7 (6th July):

[GSoC 2015: Hawk Authentication] Making Hawk client requests with PHP

Submitted by Dragooon on Tue, 06/30/2015 - 17:25

The core aim of my Summer of Code project is to allow Drupal to authenticate using the Hawk protocol, a very crucial part of that is for clients to be able to communicate with the server. This post applies to generally any Hawk client-server combination but I'll be specifically referring to my PHP Hawk library as client and my Drupal module as the server.

[GSoC 2015: Hawk Authentication] Week 5: Working on the module

Submitted by Dragooon on Mon, 06/29/2015 - 21:25

Continuing from my last week, this week I've been focussing on finishing the module and make it ready for distribution. The main component of the module is the authentication provider, which will validate any incoming requests for Hawk authentication and authenticate any respective users. Apart from the authentication provider itself, the module will provide UI for users to create their own Hawk credentials. Here's a summary of all I've done this week:

[GSoC 2015: Hawk Authentication] Solving the Page Cache issue

Submitted by Dragooon on Fri, 06/26/2015 - 18:58

As I detailed in my blog post descriving the page cache issue, Drupal caches every request on the basis of the URL and content-type. I worked around it by changing the URL on every request but this is a temporary issue and a potential security risk since one can get the cached response of an authenticated user by simply guessing the URL (or even not that if someone isn't using a timestamp/some other key) so I figured that has to be a better solution.

[GSoC 2015: Hawk Authentication] REST and Drupal 8's Page caching

Submitted by Dragooon on Thu, 06/25/2015 - 19:27

As I was making progress with my module to implement Hawk protocol as an authentication option, I had to implement the Authentication Provider which would be the main component of the module. The provider would validate and authenticate any incoming Hawk request. In order to test the provider, I enabled Drupal 8's REST module. The REST module can be configured to accept any and all available authentication providers, so I set /node/<node id> route to accept hawk authentication for GET and POST request and I only granted authenticated users permission to GET and POST on nodes.

[GSoC 2015: Hawk Authentication] Week 4: Authentication Provider

Submitted by Dragooon on Tue, 06/23/2015 - 13:23

This week I was mostly away on a trip to Italy, which is a beautiful country by the way and I would absolutely recommend anyone to visit it. I returned a couple days ago and hence I do not have a lot of progress since my last week.

Authentication Provider