UNPKG

@agnostack/verifyd

Version:

Please contact agnoStack via info@agnostack.com for any questions

github.com/agnostack/verifyd

agnostack/verifyd

1,019 lines (860 loc) • 32.2 kB

JavaScript

/** * MIT License * * Copyright (c) 2021-present agnoStack, Inc. and Adam Grohs * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: * * The above copyright notice and this permission notice shall be included in all * copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ (function (global, factory) { typeof exports === 'object' && typeof module !== 'undefined' ? factory(exports) : typeof define === 'function' && define.amd ? define(['exports'], factory) : (global = typeof globalThis !== 'undefined' ? globalThis : global || self, factory(global["@agnostack/verifyd/external"] = {})); })(this, (function (exports) { 'use strict'; class PreconditionError extends Error { constructor(message, _data) { super(message); const { code = 412, ...data } = _data ?? {}; this.code = code; this.data = data; this.name = 'PreconditionError'; Object.setPrototypeOf(this, PreconditionError.prototype); } } class VerificationError extends PreconditionError { constructor(message, _data) { const { code = 500, ...data } = _data ?? {}; super(message, { code, ...data}); this.name = 'VerificationError'; Object.setPrototypeOf(this, VerificationError.prototype); } } /* eslint-disable no-use-before-define */ // #region lib-core // TODO!!!: keep in sync between next-shopify and lib-core (AND lib-utils-js at bottom) const REACT_SYMBOL = Symbol.for('react.element'); const isArray = (value) => ( // eslint-disable-next-line eqeqeq (value != undefined) && Array.isArray(value) ); const isSet = (value) => ( // eslint-disable-next-line eqeqeq (value != undefined) && (value instanceof Set) ); const isType = (value, type) => ( // eslint-disable-next-line eqeqeq, valid-typeof (value != undefined) && (typeof value === type) ); const isString = (value) => ( isType(value, 'string') || (value instanceof String) ); const isReact = (value) => ( isType(value, 'object') && (value?.$$typeof === REACT_SYMBOL) ); const isClass = (value) => ( isType(value, 'object') && (Object.getPrototypeOf(value) !== Object.prototype) && !isReact(value) ); const isTypeEnhanced = (value, type) => { switch (true) { case (type === 'boolean'): { return isType(value, type) || ['true', 'false'].includes(value) } case (type === 'string'): { return isString(value) } case (type === 'set'): { return isSet(value) } case (type === 'react'): { return isReact(value) } case (type === 'class'): { return isClass(value) } case (type === 'array'): { return ( isArray(value) && !isSet(value) ) } case (type === 'object'): { return ( isType(value, type) && !isArray(value) && !isClass(value) && !isString(value) && !isReact(value) ) } default: { return isType(value, type) } } }; const safeTrim = (value) => { if (isTypeEnhanced(value, 'string')) { // eslint-disable-next-line no-param-reassign value = value.trim(); } return value }; const isParseable = (value, trim, matchQuoted) => { if (!isTypeEnhanced(value, 'string')) { return false } if (trim) { // eslint-disable-next-line no-param-reassign value = safeTrim(value); } return isTrue(value.startsWith('{') || value.startsWith('[') || (matchQuoted && value.startsWith('"'))) }; const safeParse = (value, trim) => { switch (true) { case isTypeEnhanced(value, 'object'): case isTypeEnhanced(value, 'array'): { return value } case isParseable(value, trim, true): { if (trim) { // eslint-disable-next-line no-param-reassign value = safeTrim(value); } try { return JSON.parse(value) } catch (_ignore) { console.info('Ignoring error parsing', _ignore); // TODO: should this be value ?? {} return value } } default: { // TODO: should this be value ?? {} return value } } }; const ensureString = (string) => ( string ? `${string}` : '' ); const ensureArray = (array = []) => ( // eslint-disable-next-line no-nested-ternary !array ? [] : Array.isArray(array) ? array : [array] ); const ensureObject = (object) => ( object ?? {} ); // NOTE: this does not ensure !isType(string) const objectEmpty = (object) => ( !object || !Object.keys(object).length ); const stringNotEmpty = (stringable) => { const string = ensureString(stringable); return ((string.length > 0) && !['null', 'undefined'].includes(string)) }; const stringEmpty = (stringable) => ( !stringNotEmpty(stringable) ); const compareString = (string1, string2) => { if (stringEmpty(string1)) { return 1 } if (stringEmpty(string2)) { return -1 } return ensureString(string1).localeCompare(string2) }; const compareEntryKeys = ([string1], [string2]) => ( compareString(string1, string2) ); const objectToSortedString = (object, separator = '') => ( Object.entries(ensureObject(object)) .sort(compareEntryKeys) .map(([key, value]) => `${key}=${value}`) .join(separator) ); const uppercase = (string) => ( ensureString(string).toUpperCase() ); const lowercase = (string, defaultValue = '') => ( !stringNotEmpty(string) ? defaultValue : ensureString(string).toLowerCase() ); const removeLeadingSlash = (string) => ( ensureString(string).replace(/^\//, '') ); const ensureLeadingSlash = (string) => ( `/${removeLeadingSlash(string)}` ); const isTrue = (value, falsy) => { const string = ensureString(value); return ![...ensureArray(falsy), '', 'false'].includes(string) }; // #endregion lib-utils-js var n,r=((n=function(){return r}).toString=n.toLocaleString=n[Symbol.toPrimitive]=function(){return ""},n.valueOf=function(){return !1},new Proxy(Object.freeze(n),{get:function(n,t){return n.hasOwnProperty(t)?n[t]:r}})),u=function(n){return n===r}; let win = global.window; let exists = (variable) => !u(variable); let window = typeof win !== "undefined" ? win : r; class WebCrypto { constructor({ crypto: _crypto, util: _util } = {}) { this._crypto = _crypto ?? {}; this._util = _util ?? {}; } get subtle() { return this._crypto?.subtle } async getWebCrypto() { if (!this._crypto?.subtle) { try { this._crypto = (await import('isomorphic-webcrypto')).default; } catch (_ignore) { console.info('Failed to import isomorphic-webcrypto, retrying w/ node crypto'); try { this._crypto = (await import('crypto')).default; } catch (error) { // eslint-disable-next-line max-len console.error(`Failed to import node crypto, ensure 'isomorphic-webcrypto' (or node 'crypto') is installed and/or pass in implementation via 'new WebCrypto({ crypto })'`); throw error } } } if (!this._crypto?.subtle) { throw new Error('Invalid crypto, missing subtle') } return this._crypto } async getTextDecoder() { if (this._util?.TextDecoder) { return this._util.TextDecoder } if (exists(window) && typeof window?.TextDecoder === 'function') { return window.TextDecoder } try { const TextDecoder = (await import('util')).TextDecoder; this._util.TextDecoder = TextDecoder; return TextDecoder } catch (error) { console.error(`Failed to import 'utils.TextDecoder', ensure 'util' is available and/or pass in implementation via 'new WebCrypto({ util })'`); throw error } } async getTextEncoder() { if (this._util?.TextEncoder) { return this._util.TextEncoder } if (exists(window) && typeof window?.TextEncoder === 'function') { return window.TextEncoder } try { const TextEncoder = (await import('util')).TextEncoder; this._util.TextEncoder = TextEncoder; return TextEncoder } catch (error) { console.error(`Failed to import 'utils.TextEncoder', ensure 'util' is available and/or pass in implementation via 'new WebCrypto({ util })'`); throw error } } timingSafeEqual(value1, value2) { if ( (value1 == undefined) || (value2 == undefined) || (value1.length !== value2.length) ) { return false } let result = 0; // eslint-disable-next-line no-plusplus for (let i = 0; i < value1.length; i++) { // eslint-disable-next-line no-bitwise result |= value1[i] ^ value2[i]; } return (result === 0) } stringToHex(stringValue) { return ( Array.from(ensureString(stringValue), (char) => ( char.charCodeAt(0).toString(16).padStart(2, '0') )).join('') ) } hexToString(hexValue) { return ( ensureArray( ensureString(hexValue).match(/.{1,2}/g) ) .map((byte) => String.fromCharCode(parseInt(byte, 16))) .join('') ) } async arrayBufferToString(arrayBuffer) { const uint8Array = new Uint8Array(arrayBuffer); const Decoder = await this.getTextDecoder(); return new Decoder().decode(uint8Array) } arrayToArrayBuffer(array) { return ( (ArrayBuffer.from != undefined) ? ArrayBuffer.from(array) : new Uint8Array(array).buffer ) } ensureArrayBuffer(arrayOrArrayBuffer) { return ( (arrayOrArrayBuffer instanceof ArrayBuffer) ? arrayOrArrayBuffer : this.arrayToArrayBuffer(arrayOrArrayBuffer) ) } getKeyOperations(keyType) { switch (keyType) { case 'paired': case 'private': case 'privateKey': { return ['deriveKey'] } case 'secret': case 'secretKey': case 'sharedSecret': { return ['encrypt', 'decrypt'] } default: { return [] } } } getKeyAlgorythm(keyType) { switch (keyType) { case 'derivedKey': case 'derived': case 'secret': case 'secretKey': case 'sharedSecret': { return { name: 'AES-GCM', } } default: { return { name: 'ECDH', namedCurve: 'P-256', } } } } async generateKeyPair() { const crypto = await this.getWebCrypto(); const keyPair = await crypto.subtle.generateKey( this.getKeyAlgorythm('paired'), true, this.getKeyOperations('paired') ); return keyPair } async generateSharedSecret() { const crypto = await this.getWebCrypto(); const keyPair = await crypto.subtle.generateKey( this.getKeyAlgorythm('sharedSecret'), true, this.getKeyOperations('sharedSecret') ); return keyPair } async generateHMAC(message, derivedKey) { if (!message || !derivedKey) { return undefined } const crypto = await this.getWebCrypto(); const Encoder = await this.getTextEncoder(); const signature = await crypto.subtle.sign( 'HMAC', derivedKey, new Encoder().encode(message) ); return this.stringToHex( this.arrayBufferToString(signature) ) } async verifyHMAC(message, derivedKey, verifiableHMAC) { const calculatedHMAC = await this.generateHMAC(message, derivedKey); return this.timingSafeEqual(calculatedHMAC, verifiableHMAC) } async getStorableKey(key) { const crypto = await this.getWebCrypto(); const exportedJWK = await crypto.subtle.exportKey('jwk', key); return this.stringToHex(JSON.stringify(exportedJWK)) } async restoreStorableKey(keyType, storableHex) { if (!storableHex) { return undefined } const crypto = await this.getWebCrypto(); const exportedJWK = JSON.parse(this.hexToString(storableHex) || '{}'); if (objectEmpty(exportedJWK)) { return undefined } return crypto.subtle.importKey( 'jwk', exportedJWK, this.getKeyAlgorythm(keyType), true, this.getKeyOperations(keyType) ) } async getStorableKeyPair(keyPair) { const storableKeys = {}; // eslint-disable-next-line no-restricted-syntax for (const [keyType, key] of Object.entries(keyPair)) { // eslint-disable-next-line no-await-in-loop storableKeys[keyType] = await this.getStorableKey(key); } return storableKeys } async restoreStorableKeyPair(keyPair) { const restoredKeys = {}; // eslint-disable-next-line no-restricted-syntax for (const [keyType, key] of Object.entries(keyPair)) { // eslint-disable-next-line no-await-in-loop restoredKeys[keyType] = await this.restoreStorableKey(keyType, key); } return restoredKeys } async deriveSharedKey({ publicKey, privateKey }) { if (!publicKey || !privateKey) { return undefined } const crypto = await this.getWebCrypto(); const derivedKey = await crypto.subtle.deriveKey( { name: 'ECDH', public: publicKey, }, privateKey, { name: 'AES-GCM', length: 256, }, true, ['encrypt', 'decrypt'] ); return derivedKey } async deriveHMACKey({ publicKey, privateKey }) { if (!publicKey || !privateKey) { return undefined } const crypto = await this.getWebCrypto(); const derivedKey = await crypto.subtle.deriveKey( { name: 'ECDH', public: publicKey, }, privateKey, { name: 'HMAC', hash: { name: 'SHA-256' }, length: 256, // Adjusted key length, e.g., 128 bits }, true, ['sign', 'verify'] ); return derivedKey } async getVerificationKeys({ publicKey, privateKey }) { if (!publicKey || !privateKey) { return {} } const sharedKeyPair = await this.restoreStorableKeyPair({ publicKey, privateKey }); const derivedHMACKey = await this.deriveHMACKey(sharedKeyPair); const derivedSecretKey = await this.deriveSharedKey(sharedKeyPair); return { derivedSecretKey, derivedHMACKey, } } async encryptMessage(decryptedMessage, derivedKey) { if (!decryptedMessage || !derivedKey) { return undefined } const crypto = await this.getWebCrypto(); const iv = crypto.getRandomValues(new Uint8Array(12)); const Encoder = await this.getTextEncoder(); const encodedMessage = new Encoder().encode(decryptedMessage); const ciphertext = await crypto.subtle.encrypt( { name: 'AES-GCM', iv, }, derivedKey, encodedMessage ); const encryptedMessage = new Uint8Array([ ...iv, ...new Uint8Array(ciphertext) ]); return Array.from(encryptedMessage) } async decryptMessage(encryptedMessage, derivedKey) { if (!encryptedMessage || !derivedKey) { return undefined } const crypto = await this.getWebCrypto(); // NOTE: this presumed an array or arrayBuffer coming in as encryptedMessage (will fail w/ IV error if its a string) const encryptedArrayBuffer = this.ensureArrayBuffer(encryptedMessage); const iv = encryptedArrayBuffer.slice(0, 12); const ciphertext = encryptedArrayBuffer.slice(12); const decryptedArrayBuffer = await crypto.subtle.decrypt( { name: 'AES-GCM', iv, }, derivedKey, ciphertext ); const Decoder = await this.getTextDecoder(); const decryptedMessage = new Decoder().decode(decryptedArrayBuffer); return decryptedMessage } } const getAuthorizationHelpers = async (sharedSecret, { crypto: _crypto, util: _util } = {}) => { if (stringEmpty(sharedSecret)) { return undefined } const webCrypto = new WebCrypto({ crypto: _crypto, util: _util }); const sharedKey = await webCrypto.restoreStorableKey( 'sharedSecret', sharedSecret ); return { encrypt: async (decryptedMessage) => ( webCrypto.encryptMessage(decryptedMessage, sharedKey) ), decrypt: async (encryptedMessage) => ( webCrypto.decryptMessage(encryptedMessage, sharedKey) ), } }; const TEMP_HOSTNAME = 'xyz.com'; const REMOVABLE_KEYS = ['shop', 'host']; const VERIFYD_HEADERS = { PUBLIC_KEY: 'X-Public-Key', EPHEMERAL_KEY: 'X-Ephemeral-Key', AUTHORIZATION: 'X-Authorization', AUTHORIZATION_TIMESTAMP: 'X-Authorization-Timestamp', }; const CONTENT_TYPE_HEADER = 'Content-Type'; const CONTENT_TYPES = { APPLICATION_JSON: 'application/json', }; const getRequestMethod = (body, _method) => { const method = _method ?? (body ? 'POST' : 'GET'); return uppercase(method) }; const prepareRequestOptions = ({ method: _method, body: _body, headers: _headers, ...requestOptions } = {}) => { const method = getRequestMethod(_body, _method); const _contentType = _headers?.[CONTENT_TYPE_HEADER.toLowerCase()]; const headers = { [CONTENT_TYPE_HEADER]: _contentType || CONTENT_TYPES.APPLICATION_JSON, ..._headers, }; let body = _body; if (body && headers[CONTENT_TYPE_HEADER].startsWith(CONTENT_TYPES.APPLICATION_JSON)) { body = JSON.stringify(safeParse(body)); } return { method, headers, ...(body && (method !== 'GET')) && { body }, ...requestOptions, } }; const convertToURL = (uri) => { if (stringEmpty(uri)) { return undefined } const protocolRegex = /^(https?:\/\/).+/i; if (!protocolRegex.test(uri)) { return new URL(`https://${TEMP_HOSTNAME}${ensureLeadingSlash(uri)}`) } return new URL(uri) }; const normalizeURIParts = (uri) => { const urlObject = convertToURL(uri); if (!urlObject) { return undefined } REMOVABLE_KEYS.forEach((key) => urlObject.searchParams.delete(key)); return { ...(urlObject.hostname !== TEMP_HOSTNAME) && { origin: urlObject.origin, }, pathname: urlObject.pathname, search: urlObject.search, } }; const getUnixString = () => { const currentDate = new Date(); const unixTimestamp = currentDate.getTime(); return Math.floor(unixTimestamp / 1000).toString() }; const getVerificationKeysData = async (publicKey, { crypto: _crypto, util: _util } = {}) => { if (stringEmpty(publicKey)) { return {} } const webCrypto = new WebCrypto({ crypto: _crypto, util: _util }); const _ephemeralStoreableKeyPair = await webCrypto.getStorableKeyPair( await webCrypto.generateKeyPair() ); const _verificationKeyPair = await webCrypto.getVerificationKeys({ publicKey, privateKey: _ephemeralStoreableKeyPair.privateKey, }); return { publicKey, ephemeral: _ephemeralStoreableKeyPair, verification: _verificationKeyPair, } }; // eslint-disable-next-line arrow-body-style const prepareVerificationRequest = ({ keysData: _keysData, disableRecryption: _disableRecryption, crypto: _crypto, util: _util } = {}) => { const webCrypto = new WebCrypto({ crypto: _crypto, util: _util }); const disableRecryption = isTrue(_disableRecryption); return async (requestPath, { method: rawMethod, body: rawBody, headers: rawHeaders, ...requestOptions } = {}) => { let parsedBody = safeParse(rawBody); const method = getRequestMethod(parsedBody, rawMethod); if (disableRecryption || stringEmpty(_keysData?.publicKey)) { return [ requestPath, prepareRequestOptions({ method, body: parsedBody, headers: rawHeaders, ...requestOptions, }) ] } const { verification: { derivedHMACKey, derivedSecretKey, } = {}, ephemeral: { publicKey: ephemeralPublicKey, } = {}, } = _keysData ?? {}; if (!derivedHMACKey || !ephemeralPublicKey) { return undefined } if (parsedBody && derivedSecretKey) { parsedBody = await webCrypto.encryptMessage(JSON.stringify(parsedBody), derivedSecretKey); } const timestamp = getUnixString(); const computedHMAC = await webCrypto.generateHMAC( objectToSortedString({ body: parsedBody, method, timestamp, ...normalizeURIParts(requestPath), }), derivedHMACKey ); return [ requestPath, prepareRequestOptions({ method, body: parsedBody, headers: { 'X-Authorization': `HMAC-SHA256 ${computedHMAC}`, 'X-Authorization-Timestamp': timestamp, 'X-Ephemeral-Key': ephemeralPublicKey, 'X-Public-Key': _keysData.publicKey, ...rawHeaders, }, ...requestOptions, }), derivedSecretKey ] } }; const processVerificationResponse = ({ keysData, disableRecryption: _disableRecryption, crypto: _crypto, util: _util } = {}) => { const webCrypto = new WebCrypto({ crypto: _crypto, util: _util }); const disableRecryption = isTrue(_disableRecryption); return async (encryptedResponse, _derivedSecretKey) => { const derivedSecretKey = _derivedSecretKey ?? keysData.verification?.derivedSecretKey; if (disableRecryption || !encryptedResponse || !derivedSecretKey) { return encryptedResponse } try { const decryptedMessage = await webCrypto.decryptMessage(encryptedResponse, derivedSecretKey); return safeParse(decryptedMessage) } catch { throw new VerificationError('Error decrypting response', { code: 400 }) } } }; const getChunkedRawBody = async (req) => { if (req?.rawBody) { return req.rawBody } // TODO: move to req.text() after next 13.5: https://github.com/vercel/next.js/discussions/13405 try { const _getRawBody = (await import('raw-body')).default; if (!req.method || (lowercase(req.method) === 'get')) { return undefined } return _getRawBody(req).then((_rawBody) => _rawBody?.toString()) } catch (error) { console.error(`Failed to import 'raw-body', please ensure the dependency is installed`); throw error } }; // TODO: explore returning mutated request object adding on req.rawBody?? const ensureRawBody = async (req) => ( getChunkedRawBody(req) .catch((error) => { console.error(`Error getting raw body for '${req?.url}'`, error); throw error }) ); /****************************************************************************** Copyright (c) Microsoft Corporation. Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted. THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ***************************************************************************** */ function __awaiter(thisArg, _arguments, P, generator) { function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); } return new (P || (P = Promise))(function (resolve, reject) { function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } } function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } } function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); } step((generator = generator.apply(thisArg, _arguments || [])).next()); }); } typeof SuppressedError === "function" ? SuppressedError : function (error, suppressed, message) { var e = new Error(message); return e.name = "SuppressedError", e.error = error, e.suppressed = suppressed, e; }; const generateStorableKeyPairs = (...args_1) => __awaiter(void 0, [...args_1], void 0, function* ({ crypto: _crypto, util: _util } = {}) { const webCrypto = new WebCrypto({ crypto: _crypto, util: _util }); const sharedKeyPair = yield webCrypto.generateKeyPair(); return webCrypto.getStorableKeyPair({ publicKey: sharedKeyPair.publicKey, privateKey: sharedKeyPair.privateKey, }); }); const getVerificationHelpers = ({ keyPairs, util: _util, crypto: _crypto, DISABLE_RECRYPTION, } = { keyPairs: {} }) => { const webCrypto = new WebCrypto({ crypto: _crypto, util: _util }); return (req, params) => __awaiter(void 0, void 0, void 0, function* () { var _a; const { [VERIFYD_HEADERS.PUBLIC_KEY]: _apiKey, [VERIFYD_HEADERS.PUBLIC_KEY.toLowerCase()]: apiKey = _apiKey, [VERIFYD_HEADERS.EPHEMERAL_KEY]: _ephemeralPublicKey, [VERIFYD_HEADERS.EPHEMERAL_KEY.toLowerCase()]: ephemeralPublicKey = _ephemeralPublicKey, [VERIFYD_HEADERS.AUTHORIZATION_TIMESTAMP]: _customAuthTimestamp, [VERIFYD_HEADERS.AUTHORIZATION_TIMESTAMP.toLowerCase()]: customAuthTimestamp = _customAuthTimestamp, [VERIFYD_HEADERS.AUTHORIZATION]: _customAuth, [VERIFYD_HEADERS.AUTHORIZATION.toLowerCase()]: customAuth = _customAuth, } = (_a = req.headers) !== null && _a !== void 0 ? _a : {}; const { uri: _uri, disableRecryption: _disableRecryption } = params !== null && params !== void 0 ? params : {}; const uri = _uri !== null && _uri !== void 0 ? _uri : req.url; const disableRecryption = isTrue(DISABLE_RECRYPTION) || isTrue(_disableRecryption); let isVerifiable = false; try { const [authProtocol, authSignature] = ensureString(customAuth).split(' '); isVerifiable = isTrue(apiKey && ephemeralPublicKey && customAuthTimestamp && authSignature && (authProtocol === 'HMAC-SHA256') && (keyPairs === null || keyPairs === void 0 ? void 0 : keyPairs.shared)); let verificationKeys; const rawBody = yield ensureRawBody(req); // NOTE: requestBody should be wind up decrypted when isVerifiable (unless disableRecryption, then will pass through) let requestBody = safeParse(rawBody); // TEMP!!! remove isVerifiable check once web widget moved to react if (isVerifiable) { if (!apiKey || !ephemeralPublicKey || !customAuthTimestamp || !authSignature || (authProtocol !== 'HMAC-SHA256') || !(keyPairs === null || keyPairs === void 0 ? void 0 : keyPairs.shared) || (apiKey !== keyPairs.shared.publicKey)) { throw new VerificationError('Invalid or missing authorization', { code: 401 }); } verificationKeys = yield webCrypto.getVerificationKeys({ publicKey: ephemeralPublicKey, privateKey: keyPairs.shared.privateKey, }); if (!verificationKeys) { throw new VerificationError('Invalid or missing verification', { code: 412 }); } const verificationPayload = objectToSortedString(Object.assign({ method: getRequestMethod(rawBody, req.method), timestamp: customAuthTimestamp, body: requestBody }, normalizeURIParts(uri))); const isValid = yield webCrypto.verifyHMAC(verificationPayload, verificationKeys.derivedHMACKey, authSignature); if (!isValid) { throw new VerificationError('Invalid or missing verification', { code: 403 }); } if (!disableRecryption && requestBody) { try { const decryptedMessage = yield webCrypto.decryptMessage(requestBody, verificationKeys.derivedSecretKey); requestBody = safeParse(decryptedMessage); } catch (_b) { throw new VerificationError('Error decrypting request', { code: 400 }); } } } const processResponse = (response) => __awaiter(void 0, void 0, void 0, function* () { if (disableRecryption || !response || !isVerifiable || !(verificationKeys === null || verificationKeys === void 0 ? void 0 : verificationKeys.derivedSecretKey)) { return response; } return webCrypto.encryptMessage(JSON.stringify(response), verificationKeys.derivedSecretKey); }); return { rawBody, requestBody, processResponse }; } catch (error) { console.error(`Error handling request verification for '${uri}'`, { error, isVerifiable, disableRecryption, }); throw error; } }); }; exports.CONTENT_TYPES = CONTENT_TYPES; exports.PreconditionError = PreconditionError; exports.VERIFYD_HEADERS = VERIFYD_HEADERS; exports.VerificationError = VerificationError; exports.WebCrypto = WebCrypto; exports.ensureRawBody = ensureRawBody; exports.generateStorableKeyPairs = generateStorableKeyPairs; exports.getAuthorizationHelpers = getAuthorizationHelpers; exports.getRequestMethod = getRequestMethod; exports.getVerificationHelpers = getVerificationHelpers; exports.getVerificationKeysData = getVerificationKeysData; exports.normalizeURIParts = normalizeURIParts; exports.prepareRequestOptions = prepareRequestOptions; exports.prepareVerificationRequest = prepareVerificationRequest; exports.processVerificationResponse = processVerificationResponse; Object.defineProperty(exports, '__esModule', { value: true }); })); //# sourceMappingURL=index.js.map