HMAC Implementation #622

Closed
rhzs opened this issue Jul 29, 2015 · 2 comments

@rhzs

rhzs commented Jul 29, 2015

Hi,

I wonder if there is an example or support for using HMAC in deployd. I believe it is important with regard to API security features besides OAuth.

Thanks.

@hjanuschka
Contributor

Hello,

Using the current deployd master (for the ONBEFOREREQUEST event), I did an HMAC implementation like this.

In the ONBEFOREREQUEST on the collection:

var my_hmac = require("my_hmac");

if (!internal) {
    /// SECURE API - only if not called internally
    /// on GET we sign the whole URL including protocol + domain + uri
    /// on POST/PUT we sign the parameter signature_string

    console.log(event);
    var is_valid_hash = false;
    if (event == "POST" || event == "PUT") {
        if (!me) {
            cancel("Login Wrong", 407);
            return;
        }

        // HACKEEDY HACK
        // as we have no traditional post fields,
        // convert the input field (signature_string) to a JSON object and set its keys on this (which is used by ONPOST)

        console.log(ctx.req.body);
        is_valid_hash = my_hmac.hash_check(ctx.req.body.signature_string, my_hmac.API_SHARED_SECRET, ctx.req.headers);
        var temp = JSON.parse(ctx.req.body.signature_string);

        for (var key in temp) {
            // turn the strings "true"/"false" into real booleans
            // (Boolean("false") is true, so compare the string instead)
            if (temp[key] == "false" || temp[key] == "true") {
                temp[key] = (temp[key] == "true");
            }
            this[key] = temp[key];
        }

        console.log(this);
        console.log("AAAA");
        //cancel("Login Wrong", 407);
    }
    if (event == "GET") {
        is_valid_hash = my_hmac.hash_check("http://" + ctx.req.headers.host + ctx.req.url, my_hmac.API_SHARED_SECRET, ctx.req.headers);
    }

    console.log("@@@@@ " + is_valid_hash + " @@@@");
    if (is_valid_hash !== true) {
        cancel("Signature False1 => " + typeof(is_valid_hash) + "----" + is_valid_hash, 444);
        return;
    }
    /// SECURE API
}

and the following file in node_modules/my_hmac/index.js:

var crypto = require("crypto-js");
module.exports = {
    API_SHARED_SECRET: "asdasfasdfasfasd",
    // recompute HMAC-SHA256(message, key) and compare it with the x-my_hmac-auth header
    hash_check: function(message, key, headers) {
        var hash = crypto.HmacSHA256(message, key);
        var hashInBase64 = crypto.enc.Base64.stringify(hash);
        console.log("hashing:" + message);
        console.log("HASH: " + hashInBase64);
        if (!headers["x-my_hmac-auth"]) return false;
        // note: a plain == string comparison is not constant-time
        if (headers["x-my_hmac-auth"] == hashInBase64) {
            console.log("HASH TRUE");
            return true;
        } else {
            console.log("HASH FALSE");
            return false;
        }
    }
};

To sign a GET request, HMAC protocol + domain + uri on the client side.
To sign a POST/PUT request, create a JSON string of your post data and HMAC this.
Post the JSON string using the post field signature_string instead of traditional fields.

Send the HMAC as an HTTP header named "x-my_hmac-auth"
and you are done. It's not perfect and not 100% secure, but it fulfills my requirements.

regards

@rgolea
Member

rgolea commented Feb 18, 2016

can we close this issue?
