Add function to sign responses

[adamlwgriffiths]

Responses should also be signed in a similar way to the requests so that client's can verify they are talking to the correct server.

Compromise of a server itself would mean the secret is compromised and therefore all communication is compromised.
But it is possible that a domain is hijacked instead.

In this case, the server can simply accept all messages it receives, then send malicious messages back which a client will blindly accept and act upon.

[kjg]

This would be a great addition to api-auth. Unfortunately I don't have the time to tackle this feature right now, but I totally encourage someone to pick this up and I'd happily work with that person to get a PR for this merged.

[fwininger]

Interesting feature !

However I think that the purpose of ApiAuth is more to authenticate a Client with HMAC, like User/Password, or Security Token. If you need advance feature to block MITM attack (like domain hijacking), I think a better way is to use HTTPS over ApiAuth.

HTTPS is a common technique to secure an HTTP stream. The only point that is not covered is the authentication of a client. What is done with ApiAuth.

[fwininger]

Finally, I need this feature too for one project. So I try to do a PR for July.