
Verifying Signature helper? #96

Open
portokallidis opened this issue Feb 24, 2020 · 5 comments

Comments


portokallidis commented Feb 24, 2020

Hello and thanks for this!

Does it make sense for this library to provide any additional helper for verifying 1-legged oauth requests?

One simple way is to generate a signed request based on the incoming payload and then compare with the incoming signature. [this works]

But it makes sense to have a more efficient verify method which implements something like this:
https://docs.oracle.com/en/cloud/saas/marketing/eloqua-develop/Developers/GettingStarted/Authentication/validating-a-call-signature.htm


ddo commented Feb 24, 2020

It's out of this package's scope. But really a good idea, then; easier for unit tests.


ddo commented Feb 25, 2020

PR is welcome. Make unit tests simpler.

portokallidis commented

I ended up using this lib for reconstructing the signature and comparing it for verification.
I agree this needs to be a separate package, but I currently don't have the time to put in the effort.
If you want, I can add a "verify signature" section to the README file for others.


ddo commented Feb 26, 2020

Can you put it here as text so I can preview it? I kinda did not get it yet, ty.


portokallidis commented Feb 28, 2020

The signature verification makes sense when you try to replicate the "oauth1.0a provider" flow, which validates an incoming request.

The following is inside an "express" compatible middleware and calls next() if the request is valid.

    // This only works for validating specific oauth requests (no oauth_token, only HMAC-SHA1 etc)
    // but it can be adjusted to work with all the oauth params.
    // The function wrapper and the two require() lines are added so the snippet is a complete
    // middleware; req.origin_url and req.org_config are assumed to be set by earlier middleware.
    const crypto = require('crypto');
    const OAuth = require('oauth-1.0a');

    function verifyOAuthSignature(req, res, next) {
        const url = req.origin_url;
        const config = req.org_config;
        if (!config) return next("OAuth configuration does not exist for this APP");

        // extract the oauth data from the body
        const { oauth_signature, ...oauth_data } = req.body;

        // Check timestamp: reject requests more than 5 minutes old *or* in the future
        // (the original test only caught stale timestamps, not future-dated ones)
        const allowed_window = 5 * 60;
        const timestamp = parseInt(oauth_data.oauth_timestamp, 10);
        const currentTimestamp = Math.floor(Date.now() / 1000);
        const valid = Number.isInteger(timestamp) &&
            Math.abs(currentTimestamp - timestamp) <= allowed_window;
        if (!valid) return next(401);
        // Note: oauth_nonce is not checked here, so a captured request can be replayed
        // until its timestamp leaves the window

        // Initialize
        const oauth = OAuth({
            consumer: {
                key: config.consumer_key,
                secret: config.shared_secret,
            },
            signature_method: 'HMAC-SHA1',
            hash_function(base_string, key) {
                return crypto
                    .createHmac('sha1', key)
                    .update(base_string)
                    .digest('base64');
            },
        });

        // Re-sign the incoming request. This works because oauth-1.0a includes request.data
        // in the signature base string, so the incoming oauth_nonce / oauth_timestamp are
        // used in place of the ones authorize() would otherwise generate.
        const computed = oauth.authorize({
            data: oauth_data,
            url: url,
            method: 'POST',
        });

        // Compare in constant time instead of with ===, which leaks where the strings first differ
        const expected = Buffer.from(computed.oauth_signature);
        const received = Buffer.from(String(oauth_signature || ''));
        if (expected.length === received.length && crypto.timingSafeEqual(expected, received)) {
            next();
        } else next(401);
    }
