Mohawk is an alternate Python implementation of the Hawk HTTP authorization scheme.
Hawk lets two parties securely communicate with each other using messages signed by a shared key. It is based on HTTP MAC access authentication (which was based on parts of OAuth 1.0).
The Mohawk API is a little different from that of the Node library (i.e. the living Hawk spec). It was redesigned to be more intuitive to developers, less prone to security problems, and more Pythonic.
Requirements:
- Python 2.6+ or 3.3+
- six
Using pip:
pip install mohawk
If you want to install from source, visit https://github.com/kumar303/mohawk
You can submit bugs / patches on Github: https://github.com/kumar303/mohawk
Important
If you think you found a security vulnerability please try emailing kumar.mcmillan@gmail.com before submitting a public issue.
.. toctree:: :maxdepth: 2 usage security api developers why
Mohawk is a low level library that focuses on Hawk communication. The following higher-level libraries integrate Mohawk into specific web frameworks:
- Hawkrest: adds Hawk to Django Rest Framework
- Did we miss one? Send a pull request so we can link to it.
- Implement bewit. The bewit URI scheme is not fully implemented at this time.
- Support NTP-like (but secure) synchronization for local server time. See TLSdate.
- Support auto-retrying a :class:`mohawk.Sender` request with an offset if there is timestamp skew.
- 0.3.1 (2016-01-07)
- Initial bewit support (undocumented). Complete support with documentation is still forthcoming.
- 0.3.0 (2015-06-22)
- Breaking change: The
seen_nonce()callback signature has changed. You must update your callback fromseen_nonce(nonce, timestamp)toseen_nonce(sender_id, nonce, timestamp)to avoid unnecessary collisions. See :ref:`nonce` for details.
- Breaking change: The
- 0.2.2 (2015-01-05)
- Receiver can now respond with a
WWW-Authenticateheader so that senders can adjust their timestamps. Thanks to jcwilson for the patch.
- Receiver can now respond with a
- 0.2.1 (2014-03-03)
- Fixed Python 2 bug in how unicode was converted to bytes when calculating a payload hash.
- 0.2.0 (2014-03-03)
- Added support for Python 3.3 or greater.
- Added support for Python 2.6 (this was just a test suite fix).
- Added six as dependency.
- :attr:`mohawk.Sender.request_header` and :attr:`mohawk.Receiver.response_header` are now Unicode objects. They will never contain non-ascii characters though.
- 0.1.0 (2014-02-19)
- Implemented optional content hashing per spec but in a less error prone way
- Added complete documentation
- 0.0.4 (2014-02-11)
- Bug fix: response processing now re-uses sender's nonce and timestamp per the Node Hawk lib
- No longer assume content-type: text/plain if content type is not specificed
- 0.0.3 (2014-02-07)
- Bug fix: Macs were made using URL safe base64 encoding which differs from the Node Hawk lib (it just uses regular base64)
- exposed
localtime_in_secondsonTokenExpiredexception per Hawk spec - better localtime offset and skew handling
- 0.0.2 (2014-02-06)
- Responding with a custom ext now works
- Protected app and dlg according to spec when accepting responses
- 0.0.1 (2014-02-05)
- initial release of partial implementation