Neolithic Psychedelic Mushrooms

    api-signature

    0.2.11 • Public • Published

    api-signature

    Express/Restify middleware to authenticate HTTP requests based on api key and signature.

    npm version codebeat badge Build Status codecov Greenkeeper badge

    Installation

    $ npm install --save api-signature
    

    Usage

    This middleware authenticates callers using an api key and the signature of the request. If the api key and the signature are valid, req.credentials will be set with the calling application information.

    Example

    This basic usage example should help you get started :

    const express = require('express');
    const request = require('request');
    const apiSignature = require('api-signature');
    const crypto = require("crypto");
    const app = express();
    
    // Create the collection of api keys
    const apiKeys = new Map();
    apiKeys.set('123456789', {
      id: 1,
      name: 'app1',
      secret: 'secret1'
    });
    apiKeys.set('987654321', {
      id: 2,
      name: 'app2',
      secret: 'secret2'
    });
    class Signer{
        constructor(apiKey, apiSecret){
            this.apiKey = apiKey;
            this.apiSecret = apiSecret;
        }
        signHeaders(){
            const headers = {};
            if (this.apiKey  && this.apiKey){
                const date = new Date().toUTCString();
                headers.Authorization = this.sign(date);
                headers.date = date;
            }
            return headers;
        }
        encrypt(data){
            const hash = crypto.createHmac("sha256",this.apiSecret).update(data).digest();
            //to lowercase hexits
            return hash
        }
        sign(date){
            const signature = Buffer.from(this.encrypt(`date: ${date}`)).toString("base64");
            console.log(date, signature);
            return `Signature keyId="${this.apiKey}",algorithm="hmac-sha256",signature="${signature}"`;
        }
    }
    
    // Your function to get the secret associated to the key id
    function getSecret(keyId, done) {
      if (!apiKeys.has(keyId)) {
        return done(new Error('Unknown api key'));
      }
      const clientApp = apiKeys.get(keyId);
      done(null, clientApp.secret, {
        id: clientApp.id,
        name: clientApp.name
      });
    }
    
    app.get('/unprotected', async (req, res) => {
      const signer = new Signer('123456789',apiKeys.get('123456789').secret);
      const response = await request.post(
          "http://localhost:8080/protected",{
            headers: signer.signHeaders(),
          }
      );
      console.log("Success");
      response.pipe(res);
    });
    app.post('/protected',apiSignature({ getSecret }),async (req, res) => {
      console.log("i got here");
      res.send(`Hello ${req.credentials.name}`);
    });
    app.listen(8080);

    API

    apiSignature(options)

    Create an api key based authentication middleware function using the given options :

    Name Type Default Description
    getSecret Function - Invoked to retrieve the secret from the keyId
    requestProperty String 'credentials' The request property to attach the information
    requestLifetime `Number null` 300
    requiredHeaders `String[] null` ['date']

    options.getSecret (REQUIRED)

    A function with signature function(keyId, done) to be invoked to retrieve the secret from the keyId.

    • keyId (String) - The api key used to retrieve the secret.

    • done (Function) - A function with signature function(err, secret, credentials) to be invoked when the secret is retrieved.

      • err (Error) - The error that occurred.
      • secret (String) - The secret to use to verify the signature.
      • credentials (Object) - req.credentials will be set with this object.

    options.requestProperty (OPTIONAL)

    By default, you can attach information about the client application on req.credentials but can be configured with the requestProperty option.

    options.requestLifetime (OPTIONAL)

    The lifetime of a request in second, by default is set to 300 seconds, set it to null to disable it. This options is used if HTTP header "date" is used to create the signature.

    options.requiredHeaders (OPTIONAL)

    The header that must be present in request signature example could be Signature keyId="${this.apiKey}",headers="(request-target) host date",algorithm="hmac-sha256",signature="${signature}" apiSignature({ getSecret, requiredHeaders:['date','host','(request-target)']})

    const express = require("express");
    const request = require("request");
    const apiSignature = require("api-signature");
    const crypto = require("crypto");
    const app = express();
    
    // Create the collection of api keys
    const apiKeys = new Map();
    apiKeys.set("123456789", {
      id: 1,
      name: "app1",
      secret: "secret1",
    });
    apiKeys.set("987654321", {
      id: 2,
      name: "app2",
      secret: "secret2",
    });
    class Signer {
      constructor(apiKey, apiSecret) {
        this.apiKey = apiKey;
        this.apiSecret = apiSecret;
      }
      signHeaders(data) {
        const headers = {};
        if (this.apiKey && this.apiKey) {
          const date = new Date().toUTCString();
          headers.Authorization = this.sign({ ...data, date });
          headers.date = date;
        }
        return headers;
      }
      encrypt(data) {
        const hash = crypto
          .createHmac("sha256", this.apiSecret)
          .update(data)
          .digest();
        //to lowercase hexits
        return hash;
      }
      sign(data = {}) {
        const signature = Buffer.from(
          this.encrypt(
            Object.entries(data)
              .map(([k, v]) => `${k}: ${v}`)
              .join("\n")
          )
        ).toString("base64");
        console.log(data.date, signature);
        return `Signature keyId="${
          this.apiKey
        }",algorithm="hmac-sha256",headers="${Object.keys(data).join(
          " "
        )}",signature="${signature}"`;
      }
    }
    
    // Your function to get the secret associated to the key id
    function getSecret(keyId, done) {
      if (!apiKeys.has(keyId)) {
        return done(new Error("Unknown api key"));
      }
      const clientApp = apiKeys.get(keyId);
      done(null, clientApp.secret, {
        id: clientApp.id,
        name: clientApp.name,
      });
    }
    
    app.get("/unprotected", async (req, res) => {
      const signer = new Signer("123456789", apiKeys.get("123456789").secret);
      const response = await request.post("http://localhost:8080/protected", {
        headers: {
          ...signer.signHeaders({
            "(request-target)": "post /protected",
            host: "http://localhost",
          }),
          host: "http://localhost",
        },
      });
      console.log("Success");
      response.pipe(res);
    });
    app.post(
      "/protected",
      apiSignature({
        getSecret,
        requiredHeaders: ["date", "host", "(request-target)"],
      }),
      async (req, res) => {
        console.log("i got here");
        res.send(`Hello ${req.credentials.name}`);
      }
    );
    app.listen(8080);

    HTTP signature scheme

    Look "HTTP signature scheme" to sign a HTTP request.

    License

    The MIT License (MIT)

    Copyright (c) 2021 Michael Piper mailto:hello@zeroant.co

    Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

    The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

    Install

    npm i api-signature

    DownloadsWeekly Downloads

    59

    Version

    0.2.11

    License

    MIT

    Unpacked Size

    45.7 kB

    Total Files

    21

    Last publish

    Collaborators

    • michael-piper