-
-
Save ilovelili/76905cf6d6fc9a79fe8d5a950d7f4f1b to your computer and use it in GitHub Desktop.
HMAC-SHA256 example for verifying both the data integrity and the authentication of a request in Node.js and web browsers.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta charset="UTF-8"> | |
| <title>HMAC-SHA256 Example</title> | |
| </head> | |
| <body> | |
| <script src="http://crypto.stanford.edu/sjcl/sjcl.js"></script> | |
| <script> | |
| var sharedSecret, query, signature, hmac, xhr; | |
| // No longer secret shared secret ;-) | |
| sharedSecret = "super-secret"; | |
| query = "key=value"; | |
| hmac = new sjcl.misc.hmac(sjcl.codec.utf8String.toBits(sharedSecret), sjcl.hash.sha256); | |
| signature = sjcl.codec.hex.fromBits(hmac.encrypt(query)); | |
| xhr = new XMLHttpRequest(); | |
| xhr.open("GET", "http://localhost:1337/?" + query); | |
| xhr.setRequestHeader("X-Signature", signature); | |
| xhr.onload = function () { | |
| console.log(xhr.status, xhr.responseText); | |
| } | |
| xhr.send(null); | |
| </script> | |
| </body> | |
| </html> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var http, crypto, sharedSecret, query, signature; | |
| http = require("http"); | |
| crypto = require("crypto"); | |
| sharedSecret = "super-secret"; | |
| query = "key=value"; | |
| signature = crypto.createHmac("sha256", sharedSecret).update(query).digest("hex"); | |
| http.get({ | |
| port: 1337, | |
| path: "/?" + query, | |
| headers: { | |
| "X-Signature": signature | |
| } | |
| }, function (res) { | |
| console.log(res.statusCode); | |
| }); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var http, url, crypto, sharedSecret; | |
| http = require("http"); | |
| url = require("url"); | |
| crypto = require("crypto"); | |
| sharedSecret = "super-secret"; | |
| http.createServer(function (req, res) { | |
| var retrievedSignature, parsedUrl, computedSignature; | |
| // Deal with CORS. | |
| res.setHeader("Access-Control-Allow-Origin", "*"); | |
| if (req.method === "OPTIONS") { | |
| res.setHeader("Access-Control-Allow-Headers", "X-Signature"); | |
| res.writeHead(204); | |
| res.end(); | |
| } else { | |
| // Get signature. | |
| retrievedSignature = req.headers["x-signature"]; | |
| // Recalculate signature. | |
| parsedUrl = url.parse(req.url); | |
| computedSignature = crypto.createHmac("sha256", sharedSecret).update(parsedUrl.query).digest("hex"); | |
| // Compare signatures. | |
| if (computedSignature === retrievedSignature) { | |
| res.writeHead(200, { | |
| "Content-Type": "text/plain" | |
| }); | |
| res.end("Hello World\n"); | |
| } else { | |
| res.writeHead(403, { | |
| "Content-Type": "text/plain" | |
| }); | |
| res.end("Get Out\n"); | |
| } | |
| } | |
| }).listen(1337); | |
| console.log("Server running on port 1337"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment