Skip to main content

HTTPie: one auth to rule them all!

Project description

HTTPie Credential Store is an HTTPie authentication plugin that looks for credentials using a given URL and attaches them to the ongoing HTTP request. That said, you don’t need to memorize and/or look for tokens/username/passwords anymore. Simply add them to the credential store and everything else will be done for you by this plugin. It goes without saying that this plugin supports various secured secret storages such as system keychains or password managers (see keychain providers).

Eager to get started? Just start with installing!

$ python3 -m pip install httpie-credential-store

Usage

Once installed, the plugin will look for credentials in the credential file. The credential file is stored in HTTPie configuration directory. So on Linux/macOS, it will look for ~/.httpie/credentials.json, while on Windows - for %APPDATA%\httpie\credentials.json. The credential file will not be created for you, you’re fully responsible for creating one.

By its nature, the credentials file is a JSON array of credential records. Each credential record consists of the following properties:

  • url (required) is a regular expression pattern that is used to map credential record to the ongoing HTTP request. I.e. if the regular expression matches URL of the ongoing HTTP request, credentials of matched record must be attached.

  • auth (required) is an authentication provider to use for a given record. The provider will be used to attach credentials to the ongoing HTTP request if the record is matched.

  • id (optional) is unique identifier of the credential record that can be used to solve ambiguousness between two or more matched credential records. By using id one may achieve support of multiple accounts for the same service.

Example:

[
  {
    "url": "api.github.com",
    "auth": {
      "provider": "token",
      "token": "your-github-oauth-token",
      "scheme": "token"
    }
  },
  {
    "id": "bots",
    "url": "api.github.com",
    "auth": {
      "provider": "token",
      "token": "bots-github-oauth-token",
      "scheme": "token"
    }
  }
]

The example above assumes you store your secrets unencrypted in the credential file. Despite enforcing you to set sole access permissions for the credential file, it’s not secured and, hence, not recommended. HTTPie Credential Store plugin can pull secrets and other sensitive information out from password managers or system keychains. For instance, you can pull your token from the password store by using the following credential record:

[
  {
    "url": "api.github.com",
    "auth": {
      "provider": "token",
      "scheme": "token",
      "token": {
        "keychain": "password-store",
        "name": "github.com/ikalnytskyi/token"
      }
    }
  }
]

Once the credential store is filled, you’re ready to use the plugin at your will. In order to activate the plugin, you must pass -A creds or -A credential-store to http executable.

$ http -A creds https://api.github.com

Optionally, you can provide an ID of the credential record to use by passing -a argument.

$ http -A creds -a bots https://api.github.com

Authentication providers

HTTPie Credential Store comes with the following authentication providers out of box.

basic

The ‘Basic’ HTTP authentication scheme as defined in RFC 7617. Transmits credentials as username/password pairs, encoded using Base64.

{
  "provider": "basic",
  "username": "ikalnytskyi",
  "password": "p@ss"
}

where

  • username is a username to authenticate

  • password is a password of the authenticating user

digest

The ‘Digest’ HTTP authentication scheme as defined in RFC 2617. It applies a hash function to the username and password before sending them over the network.

{
  "provider": "digest",
  "username": "ikalnytskyi",
  "password": "p@ss"
}

where

  • username is a username to authenticate

  • password is a password of the authenticating user

token

The ‘Token’ HTTP authentication scheme (also called ‘Bearer’) transmits token in the Authorization HTTP header.

{
  "provider": "token",
  "token": "t0k3n",
  "scheme": "JWT"
}

where

  • token is a token of the authenticating user

  • scheme (optional, default: “Bearer”) is an authenticating scheme

multiple

This is a fake authentication scheme even in terms of this plugin. It does no auth but chains and applies one or more providers simultaneously. It’s something you will (likely) never use.

{
  "provider": "multiple",
  "providers": [
    {
      "provider": "token",
      "token": "t0k3n"
    },
    {
      "provider": "header",
      "name": "X-Extra-Key",
      "value": "k3y"
    }
  ]
}

where

  • providers is a list of auth providers to use simultaneously

Keychain providers

The plugin supports a bunch of keychains that can be used to pull secrets from secured storage.

shell

Shell provider is nothing more but a mere shell command to execute. The command must return a secret to the plugin via standard output stream. This is a universal approach that can be used to glue together various unsupported password managers and/or keychains.

Example:

{
  "keychain": "shell",
  "command": "cat ~/path/to/secret | tr -d '\n'"
}

where

  • command is a shell command to execute

system

System provider, as the name suggests, use your system keychain to pull secrets from. It may be KWallet, GNOME Keyring, macOS Keychain or even Windows Credential Locker.

Example:

{
  "keychain": "system",
  "service": "github",
  "username": "ikalnytskyi"
}

where

  • service is a service to pull data for

  • username is a username for that service to pull data for

password-store

Password store provider is a bridge between this plugin and the password store. It invokes pass on your system and pulls the secret from the first line of the stored record (normally password).

Example:

{
  "keychain": "password-store",
  "name": "github.com/ikalnytskyi"
}

where

  • name is a pass name in terms of the password store

FAQ

  • Q: How to learn which credentials have been attached to the request?

    A: Unfortunately, due to late credentials binding, it’s impossible to learn which credentials have been used by running http --debug command. Nevertheless, one can check amends made by auth providers by inspect HTTP headers transmitted within the request by passing -v argument to HTTPie: http -v.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

httpie-credential-store-1.0.0.tar.gz (8.3 kB view details)

Uploaded Source

Built Distribution

httpie_credential_store-1.0.0-py3-none-any.whl (8.4 kB view details)

Uploaded Python 3

File details

Details for the file httpie-credential-store-1.0.0.tar.gz.

File metadata

  • Download URL: httpie-credential-store-1.0.0.tar.gz
  • Upload date:
  • Size: 8.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: poetry/0.12.17 CPython/3.8.0 Linux/5.0.0-1023-azure

File hashes

Hashes for httpie-credential-store-1.0.0.tar.gz
Algorithm Hash digest
SHA256 df399dfbf23d194eaddc20aa69b155bcceeac4931c9122881fd5b24eb08c255a
MD5 2debed06504c8ffab78bd43dbd3e84b9
BLAKE2b-256 bae2194b3c7a43ba416d42c0e2026d10a49dc80feef2691c6c49c8c193503625

See more details on using hashes here.

File details

Details for the file httpie_credential_store-1.0.0-py3-none-any.whl.

File metadata

File hashes

Hashes for httpie_credential_store-1.0.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9e766e0fd83152b90c76f7399b90e352ee2ed90f3f72c5f3737c4edbb1c445dd
MD5 cee988c39dd5bed7d29900eadcccc154
BLAKE2b-256 777b11c853ecbdf0390dadda56141705ebc1e256a6c5fbb8ba4a48788464d959

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page