Server responses are not verified

[kumar303]

It would be nice if the requests-hawk client verified server responses by default (with an option to turn off verification). If you do not verify server responses, certain MITM attacks are possible.

However, in most cases verifying responses is not so important because the response is not always used to do sensitive operations on the client side. It is hard to predict all these cases though.

[almet]

Thanks for opening this issue. I still need to find out how I can do that with the authentication objects of the python-requests library, since they seem to allow the requests to be modified, but do not do anything with the response, from what I've read.

Any insights are welcome!

[kumar303]

I haven't looked at it myself. There must be a way to do this with the standard auth mixin though because I think oauth needs to check response signatures too (iirc).

[Natim]

I think we can easily add an helper to which we could pass the response object for validation.

Something like r.raise_for_hawk_validation() as we have r.raise_for_status()

[kumar303]

My advice is to try and make an interface where the caller gets an exception by default (without extra configuration or additional calls) in case the response signature is invalid. The person writing the calling code will most likely be unaware that they need to check the response signature.