-
-
Save joeneldeasis/5ce7c4ecdf1ae1557eda461443df74eb to your computer and use it in GitHub Desktop.
HMAC-SHA256 example for verifying both the data integrity and the authentication of a request in Node.js and web browsers.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html lang="en"> | |
| <head> | |
| <meta charset="UTF-8"> | |
| <title>HMAC-SHA256 Example</title> | |
| </head> | |
| <body> | |
| <script src="http://crypto.stanford.edu/sjcl/sjcl.js"></script> | |
| <script> | |
| var sharedSecret, query, signature, hmac, xhr; | |
| // No longer secret shared secret ;-) | |
| sharedSecret = "super-secret"; | |
| query = "key=value"; | |
| hmac = new sjcl.misc.hmac(sjcl.codec.utf8String.toBits(sharedSecret), sjcl.hash.sha256); | |
| signature = sjcl.codec.hex.fromBits(hmac.encrypt(query)); | |
| xhr = new XMLHttpRequest(); | |
| xhr.open("GET", "http://localhost:1337/?" + query); | |
| xhr.setRequestHeader("X-Signature", signature); | |
| xhr.onload = function () { | |
| console.log(xhr.status, xhr.responseText); | |
| } | |
| xhr.send(null); | |
| </script> | |
| </body> | |
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var http, crypto, sharedSecret, query, signature; | |
| http = require("http"); | |
| crypto = require("crypto"); | |
| sharedSecret = "super-secret"; | |
| query = "key=value"; | |
| signature = crypto.createHmac("sha256", sharedSecret).update(query).digest("hex"); | |
| http.get({ | |
| port: 1337, | |
| path: "/?" + query, | |
| headers: { | |
| "X-Signature": signature | |
| } | |
| }, function (res) { | |
| console.log(res.statusCode); | |
| }); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| var http, url, crypto, sharedSecret; | |
| http = require("http"); | |
| url = require("url"); | |
| crypto = require("crypto"); | |
| sharedSecret = "super-secret"; | |
| http.createServer(function (req, res) { | |
| var retrievedSignature, parsedUrl, computedSignature; | |
| // Deal with CORS. | |
| res.setHeader("Access-Control-Allow-Origin", "*"); | |
| if (req.method === "OPTIONS") { | |
| res.setHeader("Access-Control-Allow-Headers", "X-Signature"); | |
| res.writeHead(204); | |
| res.end(); | |
| } else { | |
| // Get signature. | |
| retrievedSignature = req.headers["x-signature"]; | |
| // Recalculate signature. | |
| parsedUrl = url.parse(req.url); | |
| computedSignature = crypto.createHmac("sha256", sharedSecret).update(parsedUrl.query).digest("hex"); | |
| // Compare signatures. | |
| if (computedSignature === retrievedSignature) { | |
| res.writeHead(200, { | |
| "Content-Type": "text/plain" | |
| }); | |
| res.end("Hello World\n"); | |
| } else { | |
| res.writeHead(403, { | |
| "Content-Type": "text/plain" | |
| }); | |
| res.end("Get Out\n"); | |
| } | |
| } | |
| }).listen(1337); | |
| console.log("Server running on port 1337"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment