HawkREST
Hawk HTTP Authorization for Django Rest Framework.
Hawk lets two parties securely communicate with each other using messages signed by a shared key. It is based on HTTP MAC access authentication (which was based on parts of OAuth 1.0).
HawkREST uses the mohawk module to add Hawk authorization to your REST API views.
This guide will help you set everything up but you should also read through mohawk security considerations to get familiar with the security aspects of Hawk.
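What "messages signed by a shared key" means in practice, as an added sketch that is not HawkREST's or mohawk's own code: the sender computes an HMAC-SHA256 over a normalized form of the request, and the receiver recomputes it and rejects stale or replayed requests. The function names, the 60-second skew window and all sample values are assumptions made for this example, and the payload-hash and ext fields are left empty.

```python
import base64
import hashlib
import hmac
import time


def normalized_string(ts, nonce, method, resource, host, port):
    """Build the newline-delimited string that a Hawk request MAC covers.

    The payload-hash and ext fields are left empty in this sketch.
    """
    fields = ["hawk.1.header", str(ts), nonce, method.upper(), resource,
              host.lower(), str(port), "", ""]
    return "\n".join(fields) + "\n"


def sign(key, **request):
    """Sender side: base64(HMAC-SHA256(shared key, normalized string))."""
    digest = hmac.new(key.encode(), normalized_string(**request).encode(),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify(key, mac, seen_nonces, now=None, max_skew=60, **request):
    """Receiver side: check freshness, then the MAC, then nonce reuse."""
    now = time.time() if now is None else now
    if abs(now - int(request["ts"])) > max_skew:  # assumed 60 s window
        return False
    if not hmac.compare_digest(sign(key, **request), mac):
        return False
    token = (request["nonce"], request["ts"])
    if token in seen_nonces:  # same nonce and timestamp seen before
        return False
    seen_nonces.add(token)
    return True


# Constructed sample values, not real credentials.
KEY = "constructed-shared-secret"
REQUEST = dict(ts=1353832234, nonce="j4h3g2", method="GET",
               resource="/resource/1?b=1&a=2", host="example.com", port=8000)
MAC = sign(KEY, **REQUEST)
TAMPERED = dict(REQUEST, resource="/resource/2?b=1&a=2")
```

Changing any signed field (here the resource path), using a different key, replaying the same nonce, or presenting the request outside the skew window makes verify() return False.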
Installation
Requirements:
- Python 2.7+ or 3.4+
- Django 1.8 through 1.11
- Django Rest Framework 3.4 or 3.5
- mohawk
(Older versions of these libraries may work, but support is not guaranteed.)
Using pip, install the module like this:
pip install hawkrest
This will also install all necessary dependencies. You’ll most likely put this in a requirements file within your Django app.
The source code is available at https://github.com/kumar303/hawkrest
Bugs
You can report issues at https://github.com/kumar303/hawkrest
Changelog
Important: If you’re upgrading from a version prior to 0.0.6, be sure to use rest_framework.permissions.IsAuthenticated on your views as documented.
1.0.1 (2018-10-06)
- Added support for being used via Django 1.11’s new MIDDLEWARE option.
- Fixed the hawkrequest management command when using newer Django/Python.
- Fixed inconsistency between the way the middleware and authentication backend determined whether a request was a Hawk signed request.
1.0.0 (2017-04-05)
- Added support for a HAWK_USER_LOOKUP setting. See Usage.
- Added hooks to make subclassing HawkAuthentication easier. See Usage.
- Dropped support for Django 1.6/1.7.
- Dropped support for django-rest-framework 3.2/3.3.
- Confirmed support for django-rest-framework 3.4/3.5.
- Added support for Django 1.10/1.11.
- Started using semantic versioning.
0.0.10 (2016-06-01)
- Adds support for Django 1.9.
0.0.9 (2016-01-07)
- Adds more specific AuthenticationFailed errors.
0.0.8 (2015-10-01)
- Fixes issue #11 where exception info was leaked to the response, potentially revealing sensitive information.
0.0.7 (2015-09-30)
- Fixes issue #9 where using rest_framework.permissions.IsAuthenticated on your Hawk protected view caused an unexpected traceback.
0.0.6 (2015-09-08)
- IMPORTANT: If migrating to this version from an earlier version of hawkrest, your Django Rest Framework API views must require an authenticated user as documented. In other words, older versions of hawkrest would reject any request that didn’t have a Hawk authentication header but this version does not (see the bug fix below).
- Fixed bug where other HTTP authorization schemes could not be supported at the same time as Hawk. Thanks to Mauro Doglio for the patch.
- Fixed incorrect statement in docs that Python 2.6 was supported. Only 2.7 or greater is supported at this time.
- Sends WWW-Authenticate: Hawk header in 401 responses now.
0.0.5 (2015-07-21)
- Added HAWK_CREDENTIALS_LOOKUP setting which is a callable. Thanks to Felipe Otamendi for the patch.
0.0.4 (2015-06-24)
- Fixed nonce callback support for mohawk 0.3.0. Thanks to Josh Wilson for the patches.
0.0.3 (2015-01-05)
- Fixed traceback when cache setting is undefined. Thanks to wolfgangmeyers for the patch.
0.0.2 (2014-03-03)
- Added support for Python 3.3 and greater
- Added support for Python 2.6
0.0.1 (2014-02-27)
- Initial release, extracted from https://github.com/mozilla/apk-signer