nz / oauth
Last active October 3, 2023 07:46
Light weight HMAC token auth over HTTP Basic Auth

HMAC over Basic Auth

This is a pattern I use fairly frequently for administrative APIs. It's a sort of OAuth lite for non-public APIs that produces good quality tokens. Once you build it a few times, it's not any harder than using arbitrary basic auth in your APIs.

The client and the app share a secret, which is never transmitted across the wire. The client uses this secret to create an HMAC digest of a payload consisting of the current time and a random nonce value. The nonce is provided as the Basic Authorization user, and the resulting HMAC digest is provided as the Basic Authorization password.

A similar process is followed on the server side. The server uses the supplied nonce, its own time, and its own copy of the shared secret. It may want to check against several tokens across a small window of times to account for clock drift.

  • Using HMAC means the secret is never transmitted across the wire. Theoretically these are safe across plaintext connections, but you're using TLS anyway, right?
  The i
gshutler /
Created June 9, 2015 14:24
Update Rubygems for all rbenv rubies
#!/usr/bin/env bash
set -e
# Load rbenv's shell integration so `rbenv shell` is available inside this script.
eval "$(rbenv init -)"
# `rbenv whence gem` lists every installed Ruby version that provides `gem`.
for version in $(rbenv whence gem); do
  rbenv shell "$version"
  echo "Updating rubygems for $version"
  gem update --system --no-document --quiet
done
henrik /
Last active May 23, 2022 12:31
Sandi Metz' four rules from Ruby Rogues episode 87. Listen or read the transcript:
  1. Your class can be no longer than 100 lines of code.
  2. Your methods can be no longer than five lines of code.
  3. You can pass no more than four parameters and you can’t just make it one big hash.
  4. When a call comes into your Rails controller, you can only instantiate one object to do whatever it is that needs to be done. And your view can only know about one instance variable.

You can break these rules if you can talk your pair into agreeing with you.

pcreux /
Created February 18, 2013 10:20
GitHub Commit Status API with Bamboo from Atlassian. Add these to your plan as a Script task.
# specs and cukes results are stored in JUnit format under test-reports
# Match any non-zero count: a bare [^0] would miss multi-digit values such as failures="10".
# Bamboo substitutes the ${bamboo.*} variables before the script runs; OWNER/REPO are
# placeholders for the repository the commit status is posted to.
if grep -q 'failures="[1-9][0-9]*"' test-reports/* || grep -q 'errors="[1-9][0-9]*"' test-reports/*; then
  curl -H "Authorization: token MY_TOKEN" --request POST --data '{"state": "failure", "description": "Failed!", "target_url": "${bamboo.buildResultsUrl}"}' https://api.github.com/repos/OWNER/REPO/statuses/${bamboo.repository.revision.number} > /dev/null
else
  curl -H "Authorization: token MY_TOKEN" --request POST --data '{"state": "success", "description": "Success!", "target_url": "${bamboo.buildResultsUrl}"}' https://api.github.com/repos/OWNER/REPO/statuses/${bamboo.repository.revision.number} > /dev/null
fi
fantactuka / gist:1887133
Created February 22, 2012 20:43
Compile sass file into string with compass includes
require "sass"
require "compass"

# Compile a .sass file to a CSS string, resolving @import against the
# file's own directory and the stylesheets bundled with Compass.
def compile_sass(sass_file)
  sass_dir = File.dirname(sass_file)
  compass_dir = File.join(Compass.base_directory, "frameworks/compass/stylesheets")
  Sass.compile(File.read(sass_file), syntax: :sass, load_paths: [sass_dir, compass_dir])
end
oparrish / assets_deploy.rb
Created September 20, 2011 15:44
Rake task for copying Rails compiled assets to S3
require 'aws/s3'
require 'digest/md5'
require 'mime/types'
## These are some constants to keep track of my S3 credentials and
## bucket name. Nothing fancy here.