feat: 检验请求签名

bangbang93 · Jan 30, 2024 · fff774d · fff774d
1 parent 91e2fc8
commit fff774d
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/src/cluster.ts b/src/cluster.ts
@@ -24,7 +24,7 @@ import {Tail} from 'tail'
 import {fileURLToPath} from 'url'
 import {validateFile} from './file.js'
 import MeasureRoute from './measure.route.js'
-import {hashToFilename} from './util.js'
+import {checkSign, hashToFilename} from './util.js'
 
 interface IFileList {
   files: {path: string; hash: string; size: number}[]
@@ -161,6 +161,11 @@ export class Cluster {
     app.get('/download/:hash(\\w+)', async (req: Request, res: Response, next: NextFunction) => {
       try {
         const hash = req.params.hash.toLowerCase()
+        const signValid = checkSign(hash, this.clusterSecret, req.query as NodeJS.Dict<string>)
+        if (!signValid) {
+          return res.status(403).send('invalid sign')
+        }
+
         const path = join(this.cacheDir, hashToFilename(hash))
         if (!await fse.pathExists(path)) {
           await this.downloadFile(hash)

diff --git a/src/util.ts b/src/util.ts
@@ -1,6 +1,19 @@
+import {createHash} from 'crypto'
 import {join} from 'path'
 
 export function hashToFilename(hash: string): string {
   // eslint-disable-next-line @typescript-eslint/no-magic-numbers
   return join(hash.substring(0, 2), hash)
 }
+
+export function checkSign(hash: string, secret: string, query: NodeJS.Dict<string>): boolean {
+  const {s, e} = query
+  if (!s || !e) return false
+  const sha1 = createHash('sha1')
+  const toSign = [secret, hash, e]
+  for (const str of toSign) {
+    sha1.update(str)
+  }
+  const sign = sha1.digest('base64url')
+  return sign === s && Date.now() < parseInt(e, 36)
+}