Question

我是Express的新手，我正在通过实施中间件来处理X-Hub-Signature，如下所述：https://pubsubhubbub.googlecode.com/git/pubsubhubbub-core-0.4.html#authednotify

在将请求传递到标准express.json()中间件以实际解码主体之前，我想添加一个处理此问题的中间件。

var sigVerifier = function(req, res, next) {

    var buf = '';
    // Need to accumulate all the bytes... <--- HOW TO DO THIS?

    // then calculate HMAC-SHA1 on the content.
    var hmac = crypto.createHmac('sha1', app.get('client_secret'));
    hmac.update(buf);
    var providedSignature = req.headers['X-Hub-Signature'];
    var calculatedSignature = 'sha1=' + hmac.digest(encoding='hex');
    if (providedSignature != calculatedSignature) {
        console.log(providedSignature);
        console.log(calculatedSignature);
        res.send("ERROR");
        return;
    }
    next();
};

app.use(sigVerifier);
app.use(express.json());

Answer 1

Express使用connect的中间件为json。您可以将选项对象传递给json正文解析器，以在继续解析之前验证内容。

function verifyHmac(req, res, buf) {
  // then calculate HMAC-SHA1 on the content.
  var hmac = crypto.createHmac('sha1', app.get('client_secret'));
  hmac.update(buf);
  var providedSignature = req.headers['X-Hub-Signature'];
  var calculatedSignature = 'sha1=' + hmac.digest(encoding='hex');
  if (providedSignature != calculatedSignature) {
    console.log(
      "Wrong signature - providedSignature: %s, calculatedSignature: %s",
      providedSignature,
      calculatedSignature);
    var error = { status: 400, body: "Wrong signature" };
    throw error;
  }
}

app.use(express.json({verify: verifyHmac}));

验证Node / Express中的pubsubhubbub内容签名

1 个答案: