# -*- org -*- #+STARTUP: content hidestars logdone logdrawer #+CATEGORY: hsoz * Project Status The status of this implementation is /somewhat complete/. Iron is complete, Hawk is complete, but lacks a good client API. Oz is /partially complete/. ** Iron *** DONE done: Use the "Data.SecureMem" package for hash equality comparisons. CLOSED: [2016-10-30 Sun 13:11] *** DONE done: password lookup by ID. CLOSED: [2016-10-30 Sun 13:11] ** Hawk *** DONE done: WAI Middlewares CLOSED: [2016-10-28 Fri 17:21] *** DONE done: bewit generation CLOSED: [2016-10-30 Sun 12:00] *** DONE done: bewit authentication CLOSED: [2016-10-30 Sun 12:00] *** DONE http-conduit wrapper CLOSED: [2016-12-04 Sun 22:24] *** TODO yesod authentication plugin *** DONE rename default functions to def and re-export def CLOSED: [2016-11-30 Wed 22:47] *** DONE client ext --> bytestring CLOSED: [2016-12-02 Fri 09:15] *** TODO client ext --> (FromJSON a, ToJSON a) *** DONE server dlg --> text CLOSED: [2016-12-02 Fri 09:15] *** DONE WWW-Authenticate header response CLOSED: [2016-12-01 Thu 13:38] expect(Hawk.utils.unauthorized('kaboom').output.headers['WWW-Authenticate']).to.equal('Hawk error="kaboom"'); expect(Hawk.utils.unauthorized('kaboom', { a: 'b' }).output.headers['WWW-Authenticate']).to.equal('Hawk a="b", error="kaboom"'); *** TODO allow pre-calculated payload hashes payloadHash :: Algorithm or Creds -> ContentType -> ByteString -> PayloadHash *** DONE nonce validation helper CLOSED: [2016-12-04 Sun 22:28] *** DONE client.message.authenticate() CLOSED: [2017-01-02 Mon 04:39] *** DONE server.authenticateMessage() CLOSED: [2017-01-02 Mon 04:39] *** TODO helper function for client-side nonce validation Server responses have the client-generated nonce included, so are usually save from response replays. But if the client response handler is an api endpoint available to attacker, then the client needs to validate nonces. ** Oz *** TODO A decent client API and ticket endpoints for Oz ** General *** docs upload command #+BEGIN_SRC shell #!/usr/bin/env nix-shell #! nix-shell -i bash -p rsync cd `dirname $0` rsync -avz dist/doc/html/hsoz rodney.id.au:/srv/www/rodney.id.au/docs #+END_SRC *** TODO Production testing in a real-world application *** TODO remove utf8 partial functions *** TODO use more utils from errors package *** TODO split up packages - avoids bring in wai and/or scotty for iron and/or hawk *** TODO URIs should be ByteString not Text *** DONE ghcjs support CLOSED: [2016-11-30 Wed 21:44] Add to executableDepends in default.nix: ++ (pkgs.lib.optional (compiler != "ghcjs") [ wreq ]); Then: nix-shell --arg compiler '"ghcjs"' *** TODO try to upgrade license to LGPL Need to contact Hammer about derivatives of his work. ** Testing *** Iron **** DONE done: Iron unit tests, same as js impl CLOSED: [2016-11-30 Wed 10:53] **** TODO More unit tests around invalid passwords/keys/salts **** TODO testing key generation - e.g. is the RNG ok. *** Hawk **** DONE done: Sunny day unit tests CLOSED: [2016-11-30 Wed 10:58] **** DONE Implement full suite coming from js impl CLOSED: [2017-01-02 Mon 04:39] **** TODO interop tests ***** TODO nix builds of hawk implementations e.g. javascript, python, go ***** TODO test harness ***** TODO design a few test cases ** Hackage stuff *** DONE specify 'license-file' in cabal CLOSED: [2016-11-30 Wed 22:35] *** DONE cut down 'description' in cabal CLOSED: [2016-11-30 Wed 22:35] Hackage doesn't support formatting in the description text. *** DONE set package "stability" attribute CLOSED: [2016-11-30 Wed 22:35] is an obsolete attribute ... but *** DONE move description into README.md CLOSED: [2016-11-30 Wed 22:36] *** DONE add README.md as an extra source in cabal CLOSED: [2016-11-30 Wed 22:36] *** DONE tags CLOSED: [2016-11-30 Wed 22:36] *** TODO some build-depends lower version bounds maybe?