UNPKG

@agnostack/verifyd

Version:

Please contact agnoStack via info@agnostack.com for any questions

github.com/agnostack/verifyd

agnostack/verifyd

100 lines 6.51 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
"use strict"; var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); }; Object.defineProperty(exports, "__esModule", { value: true }); exports.getVerificationHelpers = exports.generateStorableKeyPairs = void 0; const display_1 = require("../shared/display"); const request_1 = require("../shared/request"); const errors_1 = require("../shared/errors"); const WebCrypto_1 = require("../shared/WebCrypto"); const utils_1 = require("./utils"); const generateStorableKeyPairs = (...args_1) => __awaiter(void 0, [...args_1], void 0, function* ({ crypto: _crypto, util: _util } = {}) { const webCrypto = new WebCrypto_1.WebCrypto({ crypto: _crypto, util: _util }); const sharedKeyPair = yield webCrypto.generateKeyPair(); return webCrypto.getStorableKeyPair({ publicKey: sharedKeyPair.publicKey, privateKey: sharedKeyPair.privateKey, }); }); exports.generateStorableKeyPairs = generateStorableKeyPairs; const getVerificationHelpers = ({ keyPairs, util: _util, crypto: _crypto, DISABLE_RECRYPTION, } = { keyPairs: {} }) => { const webCrypto = new WebCrypto_1.WebCrypto({ crypto: _crypto, util: _util }); return (req, params) => __awaiter(void 0, void 0, void 0, function* () { var _a; const { [request_1.VERIFYD_HEADERS.PUBLIC_KEY]: _apiKey, [request_1.VERIFYD_HEADERS.PUBLIC_KEY.toLowerCase()]: apiKey = _apiKey, [request_1.VERIFYD_HEADERS.EPHEMERAL_KEY]: _ephemeralPublicKey, [request_1.VERIFYD_HEADERS.EPHEMERAL_KEY.toLowerCase()]: ephemeralPublicKey = _ephemeralPublicKey, [request_1.VERIFYD_HEADERS.AUTHORIZATION_TIMESTAMP]: _customAuthTimestamp, [request_1.VERIFYD_HEADERS.AUTHORIZATION_TIMESTAMP.toLowerCase()]: customAuthTimestamp = _customAuthTimestamp, [request_1.VERIFYD_HEADERS.AUTHORIZATION]: _customAuth, [request_1.VERIFYD_HEADERS.AUTHORIZATION.toLowerCase()]: customAuth = _customAuth, } = (_a = req.headers) !== null && _a !== void 0 ? _a : {}; const { uri: _uri, disableRecryption: _disableRecryption } = params !== null && params !== void 0 ? params : {}; const uri = _uri !== null && _uri !== void 0 ? _uri : req.url; const disableRecryption = (0, display_1.isTrue)(DISABLE_RECRYPTION) || (0, display_1.isTrue)(_disableRecryption); let isVerifiable = false; try { const [authProtocol, authSignature] = (0, display_1.ensureString)(customAuth).split(' '); isVerifiable = (0, display_1.isTrue)(apiKey && ephemeralPublicKey && customAuthTimestamp && authSignature && (authProtocol === 'HMAC-SHA256') && (keyPairs === null || keyPairs === void 0 ? void 0 : keyPairs.shared)); let verificationKeys; const rawBody = yield (0, utils_1.ensureRawBody)(req); // NOTE: requestBody should be wind up decrypted when isVerifiable (unless disableRecryption, then will pass through) let requestBody = (0, display_1.safeParse)(rawBody); // TEMP!!! remove isVerifiable check once web widget moved to react if (isVerifiable) { if (!apiKey || !ephemeralPublicKey || !customAuthTimestamp || !authSignature || (authProtocol !== 'HMAC-SHA256') || !(keyPairs === null || keyPairs === void 0 ? void 0 : keyPairs.shared) || (apiKey !== keyPairs.shared.publicKey)) { throw new errors_1.VerificationError('Invalid or missing authorization', { code: 401 }); } verificationKeys = yield webCrypto.getVerificationKeys({ publicKey: ephemeralPublicKey, privateKey: keyPairs.shared.privateKey, }); if (!verificationKeys) { throw new errors_1.VerificationError('Invalid or missing verification', { code: 412 }); } const verificationPayload = (0, display_1.objectToSortedString)(Object.assign({ method: (0, request_1.getRequestMethod)(rawBody, req.method), timestamp: customAuthTimestamp, body: requestBody }, (0, request_1.normalizeURIParts)(uri))); const isValid = yield webCrypto.verifyHMAC(verificationPayload, verificationKeys.derivedHMACKey, authSignature); if (!isValid) { throw new errors_1.VerificationError('Invalid or missing verification', { code: 403 }); } if (!disableRecryption && requestBody) { try { const decryptedMessage = yield webCrypto.decryptMessage(requestBody, verificationKeys.derivedSecretKey); requestBody = (0, display_1.safeParse)(decryptedMessage); } catch (_b) { throw new errors_1.VerificationError('Error decrypting request', { code: 400 }); } } } const processResponse = (response) => __awaiter(void 0, void 0, void 0, function* () { if (disableRecryption || !response || !isVerifiable || !(verificationKeys === null || verificationKeys === void 0 ? void 0 : verificationKeys.derivedSecretKey)) { return response; } return webCrypto.encryptMessage(JSON.stringify(response), verificationKeys.derivedSecretKey); }); return { rawBody, requestBody, processResponse }; } catch (error) { console.error(`Error handling request verification for '${uri}'`, { error, isVerifiable, disableRecryption, }); throw error; } }); }; exports.getVerificationHelpers = getVerificationHelpers; //# sourceMappingURL=verification.js.map