-
Notifications
You must be signed in to change notification settings - Fork 10
/
dynamic-hmac.js
40 lines (29 loc) · 1.31 KB
/
dynamic-hmac.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
const express = require('express')
const router = express.Router()
const log = require('./../utils/logging')
const crypto = require('crypto');
const hmacHelpers = require('./../hmac-functions.js')
const config = require('./../config/server').config
const request = require('./../utils/request')
const response = require('./../utils/response')
router.use(function(req, res, next) {
const log_id = request.log_identifier(req, 'authorization', 'sub', 'dynamic-hmac.js')
log.info('---> VALIDATING DYNAMIC HMAC <---', log_id)
let base64_decoded_hmac_secret = Buffer.from(config.SHIPFAST_API_HMAC_SECRET, 'base64')
// Obfuscate the static secret to produce a dynamic secret to use during HMAC
// verification for this demo stage
let obfuscatedSecretData = base64_decoded_hmac_secret
let shipFastAPIKeyData = new Buffer(config.SHIPFAST_API_KEY)
for (let i = 0; i < Math.min(obfuscatedSecretData.length, shipFastAPIKeyData.length); i++) {
obfuscatedSecretData[i] ^= shipFastAPIKeyData[i]
}
let obfuscatedSecret = new Buffer(obfuscatedSecretData).toString('base64')
hmac = crypto.createHmac('sha256', Buffer.from(obfuscatedSecret, 'base64'))
if (hmacHelpers.isValidHmac(hmac, config, req)) {
next()
return
}
res.status(400).json(response.bad_request(log_id))
return
})
module.exports = router