sig_auth v0.1.0 SigAuth.Plug
This Plug is the intended entry point for Server-side SigAuth use.
In order to function, a CredentialServer module must be specified to provide the mapping from usenames to public keys. See SigAuth.ExampleCredentialServer for more details.
This plug should be specified early in the request Plug-chain, and protects all subsequent routes, e.g.:
defmodule MyApp.ApiRouter
use Plug.Router
plug :match
plug :dispatch
# Not Authenticated:
forward "/public", to: MyApp.PublicApiRouter
plug SigAuth.Plug, credential_server: MyApp.CredServer
# Authenticated:
forward "/private", to: MyApp.PrivateApiRouter
# ...
IMPORTANT NOTES:
This plug must read the body of the request to verify the signature. This may well break your plug pipeline (Parsers, especially). Currently, the body is stored in
conn.assigns[:body]
after it is read. If you have an idea for a more elegant solution, feel free to provide a pull-request.The username in the “authorization” header is stored for convenience in
conn.assigns[:username]
; this field can be used for user / role based authentication of individual endpoints;SigAuth
has proven that the requestor possesses the private key associated with that username.