Skip to content

Instantly share code, notes, and snippets.

@bluesealjs

bluesealjs/client.html

Forked from agrueneberg/client.html
Created January 25, 2020 06:50
Show Gist options
  • Save bluesealjs/b65ad286de4914e77c653eb599ef6ec9 to your computer and use it in GitHub Desktop.
Save bluesealjs/b65ad286de4914e77c653eb599ef6ec9 to your computer and use it in GitHub Desktop.
Download ZIP
HMAC-SHA256 example for verifying both the data integrity and the authentication of a request in Node.js and web browsers.
Raw
client.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>HMAC-SHA256 Example</title>
</head>
<body>
<script src="http://crypto.stanford.edu/sjcl/sjcl.js"></script>
<script>
var sharedSecret, query, signature, hmac, xhr;
// No longer secret shared secret ;-)
sharedSecret = "super-secret";
query = "key=value";
hmac = new sjcl.misc.hmac(sjcl.codec.utf8String.toBits(sharedSecret), sjcl.hash.sha256);
signature = sjcl.codec.hex.fromBits(hmac.encrypt(query));
xhr = new XMLHttpRequest();
xhr.open("GET", "http://localhost:1337/?" + query);
xhr.setRequestHeader("X-Signature", signature);
xhr.onload = function () {
console.log(xhr.status, xhr.responseText);
}
xhr.send(null);
</script>
</body>
</html>
Raw
client.js
var http, crypto, sharedSecret, query, signature;
http = require("http");
crypto = require("crypto");
sharedSecret = "super-secret";
query = "key=value";
signature = crypto.createHmac("sha256", sharedSecret).update(query).digest("hex");
http.get({
port: 1337,
path: "/?" + query,
headers: {
"X-Signature": signature
}
}, function (res) {
console.log(res.statusCode);
});
Raw
server.js
var http, url, crypto, sharedSecret;
http = require("http");
url = require("url");
crypto = require("crypto");
sharedSecret = "super-secret";
http.createServer(function (req, res) {
var retrievedSignature, parsedUrl, computedSignature;
// Deal with CORS.
res.setHeader("Access-Control-Allow-Origin", "*");
if (req.method === "OPTIONS") {
res.setHeader("Access-Control-Allow-Headers", "X-Signature");
res.writeHead(204);
res.end();
} else {
// Get signature.
retrievedSignature = req.headers["x-signature"];
// Recalculate signature.
parsedUrl = url.parse(req.url);
computedSignature = crypto.createHmac("sha256", sharedSecret).update(parsedUrl.query).digest("hex");
// Compare signatures.
if (computedSignature === retrievedSignature) {
res.writeHead(200, {
"Content-Type": "text/plain"
});
res.end("Hello World\n");
} else {
res.writeHead(403, {
"Content-Type": "text/plain"
});
res.end("Get Out\n");
}
}
}).listen(1337);
console.log("Server running on port 1337");
@bluesealjs
Copy link
Author

bluesealjs commented Jan 25, 2020
edited
Loading

credit to @vokeio (fixing the timing attack)

const computedSignatureBuffer = Buffer.from(computedSignature, 'hex');
        const retrievedSignatureBuffer = Buffer.from(retrievedSignature, 'hex');
        const valid = crypto.timingSafeEqual(computedSignatureBuffer, retrievedSignatureBuffer);

        if (valid) {
            res.writeHead(200, {
                "content-type": "text/plain"
            });
            res.end("hello world\n");
        } else {
            res.writeHead(403, {
                "content-type": "text/plain"
            });
            res.end("get out\n");
        }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment