[Feature Request] Please provide a way to use HMAC in the templates #870

Closed
sebwas opened this issue Apr 18, 2018 · 6 comments

sebwas commented Apr 18, 2018

Hello everyone,

To sign URLs it's necessary to use HMAC, but afaics there is currently no possibility of doing so in Insomnia. With a growing demand for this type of security, I think many could benefit from that feature.

I'd love to hear your thoughts about that.

Thanks!

Contributor

gschier commented Apr 20, 2018

Can you elaborate on how exactly you want to use HMAC? Are you referring to a specific method for authorization over HTTP?

Any more info you could provide would be appreciated 😄

Author

sebwas commented Apr 20, 2018

Oh, yeah, of course I can!

So, take the Amazon Marketplace Web Services API for example.

Among other query string parameters, they want a Signature of the request that is calculated as follows:

base64_encode( hmac('sha256', '[secret key]', canonicalizedRequest) )

with the canonicalized request looking like this:

[HTTP VERB]
[HOST]
[PATH]
[CANONICALIZED QUERY STRING]

and the canonicalized query string being the list of query string parameters, encoded as per RFC3986, ordered lexically by parameter name, then transformed to a normal query string.

In pseudocode that could look a bit like this:

parameterList := { 'baz': 'qux%', 'a': 'b', 'foo': 'bar' }
orderedParameterList := orderByKey(parameterList) // { 'a': 'b', 'baz': 'qux%', 'foo': 'bar' }
encodedParameterList := encode(orderedParameterList) // { 'a': 'b', 'baz': 'qux%25', 'foo': 'bar' }
canonicalizedQueryString := encodedParameterList.toQueryString
// 'a=b&baz=qux%25&foo=bar'

httpVerb := 'POST'
host := 'mws.amazonservices.com'
path := '/Feeds/2009-01-01'

canonicalizedRequest := concat(httpVerb, '\n', host, '\n', path, '\n', canonicalizedQueryString)

signature := base64_encode(
  hmac('sha256', 'superSecretKeyThatNobodyMustKnowButAmazonItself', canonicalizedRequest)
)

parameterList.set('signature', signature)

response := request.new(httpVerb, host, concat(path, '?', parameterList.toQueryString))

(More info on the amazon way. Don't bother. Really.)

Right now (I think) this is not possible to build with insomnia. With environment variables I've been able to emulate almost all of the "real" request (including calculating the hash of the request body and including that in the parameters), but with signing the request I fail.

For a better understanding, see this screenshot I made that shows the whole process of generating the signature:
Screenshot I made
(I'm using https://cryptii.com/hmac there, btw 😀)

Please let me know if I made things in terms of understanding worse.
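
The signing scheme described in the comment above, as an added Node.js example (not part of the original thread, and not Insomnia's or Amazon's code): it carries the pseudocode through to a signed URL and adds a constant-time check for the receiving side. The function names, the `https` scheme and the lowercase `signature` parameter name taken from the pseudocode are assumptions of this example.

```javascript
const nodeCrypto = require('crypto');

// RFC 3986 percent-encoding. encodeURIComponent leaves ! ' ( ) * unescaped,
// so those are escaped explicitly.
function rfc3986Encode(value) {
  return encodeURIComponent(String(value)).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Sort by parameter name, encode names and values, join as a query string.
function canonicalQueryString(params) {
  return Object.keys(params)
    .sort()
    .map((name) => `${rfc3986Encode(name)}=${rfc3986Encode(params[name])}`)
    .join('&');
}

// VERB \n HOST \n PATH \n CANONICALIZED QUERY STRING, as laid out in the comment.
function canonicalRequest(verb, host, path, params) {
  return [verb, host, path, canonicalQueryString(params)].join('\n');
}

function sign(secret, verb, host, path, params) {
  return nodeCrypto.createHmac('sha256', secret)
    .update(canonicalRequest(verb, host, path, params), 'utf8')
    .digest('base64');
}

// Receiver side: recompute the signature and compare in constant time.
function verify(secret, verb, host, path, params, signature) {
  const expected = Buffer.from(sign(secret, verb, host, path, params), 'base64');
  const given = Buffer.from(String(signature), 'base64');
  return expected.length === given.length &&
    nodeCrypto.timingSafeEqual(expected, given);
}

// The signature is added after signing and must itself be percent-encoded,
// because base64 output can contain '+', '/' and '='.
function signedUrl(secret, verb, host, path, params) {
  const signature = sign(secret, verb, host, path, params);
  const query = canonicalQueryString({ ...params, signature });
  return `https://${host}${path}?${query}`; // scheme is an assumption
}

// Values from the pseudocode above; the key is the comment's placeholder.
const demoParams = { baz: 'qux%', a: 'b', foo: 'bar' };
console.log(signedUrl('superSecretKeyThatNobodyMustKnowButAmazonItself',
  'POST', 'mws.amazonservices.com', '/Feeds/2009-01-01', demoParams));
```

Changing any signed component (verb, host, path or a parameter) after signing makes `verify` return `false`.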

Contributor

gschier commented Apr 20, 2018

That sounds an awful lot like the AWS v4 auth that Insomnia already supports (not saying this negates the need for this feature but it might help you out if you haven't discovered it yet).

The best way to do this now would probably be via a custom auth plugin. Someone just made one that does HMAC auth stuff https://github.com/jbharter/insomnia-plugin-kraken/blob/master/index.js

Author

sebwas commented Apr 20, 2018

Thank you, I did not know about that.
However, unfortunately that is not quite a solution for the problem.

> not saying this negates the need for this feature

I think that just exposing the method that creates the hmacs would be sufficient.

> The best way to do this now would probably be via a custom auth plugin

I hear you, but I think since it's just about exposing the method, this could easily be in the core. Despite the fact that this practice is gaining popularity (laravel/framework#23519 for example)

Contributor

gschier commented Apr 20, 2018

Ya, exposing hmac as a template tag would be easy and should be included in core 👍

@Misiu Misiu mentioned this issue Jun 19, 2018

stale bot commented May 3, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Bot: Stale Issue label May 3, 2019
@stale stale bot closed this as completed May 10, 2019