hawkish-bewit

Implements a URI authorization scheme similar to S3, allowing signed, tamper-resistant, and expirable links for temporary resource access without full Hawk compatibility.

Android JVM, JVM, Kotlin/Native, JS
GitHub stars: 0
Authors: innertech
Dependents: 0
License: Apache License 2.0
Creation date: over 4 years ago
Last activity: 7 months ago
Latest release: 1.4.0 (7 months ago)

Hawk(ish) Bewit — Signed Links

image:https://img.shields.io/github/v/tag/innertech/hawkish-bewit[GitHub tag (latest by date),link="https://github.com/innertech/hawkish-bewit/releases"] image:https://img.shields.io/badge/kotlin-2.2.21-blue.svg?logo=kotlin[Kotlin,link="http://kotlinlang.org"] image:https://img.shields.io/maven-central/v/tech.inner/hawkish-bewit[Maven Central,link="https://search.maven.org/search?q=g:tech.inner+a:hawkish-bewit"] image:https://img.shields.io/github/license/innertech/hawkish-bewit["GitHub license",link="https://github.com/innertech/hawkish-bewit/blob/master/LICENSE"]

A loose implementation of https://github.com/mozilla/hawk/blob/main/API.md#single-uri-authorization[Hawk Bewit] in Kotlin multi-platform, supporting JVM, Android, iOS, and JavaScript.

While https://github.com/mozilla/hawk[Hawk] never gained wide traction as an HTTP authentication scheme, we still find common need for an S3-style URI authorization scheme, in which a URI can be:

[loweralpha]
. signed to validate that it has not been tampered with, and
. set to expire.

Hawk bewits serve this purpose well, without re-inventing the wheel.

However, this is a single-purpose library inspired by Hawk, not a full Hawk-compatible implementation. Bewits generated by this library are not compatible with bewits generated by other Hawk-compatible libraries:

  • we do not implement the header-mode and the dlg, app and ext attributes
  • we do validate the URL scheme to protect against protocol downgrade attacks
  • the Hawk version is set to 1a, not 1, to indicate incompatibility with Hawk
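The sketch below is an added example, not this library's code or API, and its tokens are not interoperable with the library or with Hawk. It shows in Python how an expiring signed link can bind the URL scheme into the MAC so that a downgraded link fails verification; the key store, host name, and normalized-string layout are assumptions.

```python
import base64, hashlib, hmac, re, time
from urllib.parse import urlsplit, urlunsplit

KEYS = {"key-1": b"constructed-demo-secret"}  # constructed sample credential store
DEFAULT_PORTS = {"http": 80, "https": 443}

def _mac(key, exp, parts, resource):
    # Assumed normalized string (not the library's): the scheme is MACed with
    # host, port and resource, so an https link replayed over http fails.
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    msg = "\n".join(["hawk.1a.bewit", str(exp), "GET", parts.scheme,
                     parts.hostname, str(port), resource, ""])
    digest = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def sign(url, key_id, ttl, now=None):
    """Return url with a trailing bewit parameter valid for ttl seconds."""
    now = int(time.time()) if now is None else now
    parts, exp = urlsplit(url), now + ttl
    resource = parts.path + ("?" + parts.query if parts.query else "")
    token = f"{key_id}\\{exp}\\{_mac(KEYS[key_id], exp, parts, resource)}"
    bewit = base64.urlsafe_b64encode(token.encode()).decode().rstrip("=")
    prefix = parts.query + "&" if parts.query else ""
    return urlunsplit(parts._replace(query=prefix + "bewit=" + bewit))

def verify(url, now=None):
    """True only for an untampered, unexpired link on the scheme it was signed for."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    # The bewit must be the last query parameter; everything before it was signed.
    head, sep, bewit = parts.query.rpartition("bewit=")
    if parts.scheme not in DEFAULT_PORTS or parts.hostname is None:
        return False
    if not sep or (head and not head.endswith("&")):
        return False
    if not re.fullmatch(r"[A-Za-z0-9_-]+", bewit):  # rejects appended parameters
        return False
    try:
        raw = base64.urlsafe_b64decode(bewit + "=" * (-len(bewit) % 4)).decode()
        key_id, exp, mac = raw.split("\\")
        exp = int(exp)
        query = head[:-1]  # drop the "&" that preceded bewit
        resource = parts.path + ("?" + query if query else "")
        expected = _mac(KEYS[key_id], exp, parts, resource)
    except (ValueError, KeyError):
        return False
    # Constant-time MAC comparison; the expiry is trusted only if the MAC matches.
    return hmac.compare_digest(mac.encode(), expected.encode()) and now <= exp
```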

Use Cases

. Sign resource links, like images, for temporary access from locations that do not support the underlying site auth protocol e.g. clipboards and external applications.

. Sign links sent to users out of band e.g. emails.

. Sign links sent to 3rd parties to easily access some resource for a limited time.

. etc.

Java Compatibility

Java code should be able to use this implementation as well, but that has not been well tested. PRs to improve Java compatibility will be accepted.
