fix: signature verification with GET

Plopix · Plopix · commit 68c1ffa9cb91 · 2024-03-11T17:27:36.000-07:00
diff --git a/README.md b/README.md
@@ -558,6 +558,20 @@ The guard function will trigger an exception.
 
 > We let you provide the `sha256` and `jwtVerify` methods to stay agnostic of any library.
 
+### Handling Signature with HTTP GET and Webhook
+
+When using Webhook you may select GET as a HTTP Method. Even if you don't provide any GraphQL query Crystallize is going to call your endpoint with new parameters, in this case you need to provide an extra parameter to the `guard` function.
+
+```javascript
+guard(signatureJwt, {
+    url: request.url, // full URL here, including https://  etc. request.href in some framework
+    webhookUrl: 'https://webhook.site/xxx', // the URL you have setup in the Webhook
+    method: 'GET',
+}),
+```
+
+Using that will instruct the JS API Client to extract URL Parameter and use it as a payload to verify the HMAC.
+
 ## Profiling the request
 
 There is time when you want to log and see the raw queries sent to Crystallize and also the timings.
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
     "name": "@crystallize/js-api-client",
     "license": "MIT",
-    "version": "2.0.0",
+    "version": "2.1.0",
     "author": "Crystallize <hello@crystallize.com> (https://crystallize.com)",
     "contributors": [
         "Sébastien Morel <sebastien@crystallize.com>",
diff --git a/src/core/verifySignature.ts b/src/core/verifySignature.ts
@@ -4,6 +4,7 @@ export type SimplifiedRequest = {
     url?: string;
     method?: string;
     body?: any;
+    webhookUrl?: string;
 };
 
 export type CreateSignatureVerifierParams = {
@@ -12,21 +13,53 @@ export type CreateSignatureVerifierParams = {
     secret: string;
 };
 
+const newQueryParams = (webhookUrl: string, receivedUrl: string): Record<string, string> => {
+    const parseQueryString = (url: string): Record<string, string> => {
+        const urlParams = new URL(url).searchParams;
+        let params: Record<string, string> = {};
+        for (const [key, value] of urlParams.entries()) {
+            params[key] = value;
+        }
+        return params;
+    };
+    const webhookOriginalParams = parseQueryString(webhookUrl);
+    const receivedParams = parseQueryString(receivedUrl);
+    const result: Record<string, string> = {};
+    for (const [key, value] of Object.entries(receivedParams)) {
+        if (!webhookOriginalParams.hasOwnProperty(key)) {
+            result[key] = value;
+        }
+    }
+
+    return result;
+};
+
 export const createSignatureVerifier = ({ sha256, jwtVerify, secret }: CreateSignatureVerifierParams) => {
     return (signature: string, request: SimplifiedRequest): any => {
         try {
             const payload = jwtVerify(signature, secret);
-            const isValid =
-                payload.hmac ===
-                sha256(
-                    JSON.stringify({
-                        url: request.url,
-                        method: request.method,
-                        body: JSON.parse(request.body),
-                    }),
-                );
-            if (!isValid) {
-                throw new Error('Invalid signature. HMAC does not match');
+            const isValid = (challenge: any) => payload.hmac === sha256(JSON.stringify(challenge));
+            const challenge = {
+                url: request.url,
+                method: request.method,
+                body: request.body ? JSON.parse(request.body) : null,
+            };
+            if (!isValid(challenge)) {
+                // we are going to do another check here for the webhook payload situation
+                if (request.url && request.webhookUrl && request.method && request.method.toLowerCase() === 'get') {
+                    const body = newQueryParams(request.webhookUrl, request.url);
+                    if (Object.keys(body).length > 1) {
+                        const newChallenge = {
+                            url: request.webhookUrl,
+                            method: request.method,
+                            body,
+                        };
+                        if (isValid(newChallenge)) {
+                            return payload;
+                        }
+                    }
+                }
+                throw new Error('Invalid signature. HMAC does not match.');
             }
             return payload;
         } catch (exception: any) {
diff --git a/tests/signature.test.js b/tests/signature.test.js
@@ -1,20 +1,57 @@
 const { createSignatureVerifier } = require('../dist/index.js');
 var crypto = require('crypto');
 
-test('Test Signature HMAC', () => {
-    const guard = createSignatureVerifier({
-        secret: 'xXx',
-        sha256: (data) => crypto.createHash('sha256').update(data).digest('hex'),
-        jwtVerify: (token, secret) => ({
-            hmac: '1101b34dac8c55e5590a37271f1c41c3d745463854613494a1624a15be24f1f8',
-        }),
+describe('Test Signature HMAC', () => {
+    test('Test With a Body', () => {
+        const guard = createSignatureVerifier({
+            secret: 'xXx',
+            sha256: (data) => crypto.createHash('sha256').update(data).digest('hex'),
+            jwtVerify: (token, secret) => ({
+                hmac: '1101b34dac8c55e5590a37271f1c41c3d745463854613494a1624a15be24f1f8',
+            }),
+        });
+
+        expect(
+            guard('xXx.xXx.xXx', {
+                url: 'https://a17e-2601-645-4500-330-b07d-351d-ece7-41c1.ngrok.io/test/signature',
+                method: 'POST',
+                body: '{"item":{"get":{"id":"63f2d3b2a94533f79fc6397b","createdAt":"2023-02-20T01:58:10.000Z","updatedAt":"2023-02-23T07:58:34.685Z","name":"test"}}}',
+            }),
+        );
     });
 
-    expect(
-        guard('xXx.xXx.xXx', {
-            url: 'https://a17e-2601-645-4500-330-b07d-351d-ece7-41c1.ngrok.io/test/signature',
-            method: 'POST',
-            body: '{"item":{"get":{"id":"63f2d3b2a94533f79fc6397b","createdAt":"2023-02-20T01:58:10.000Z","updatedAt":"2023-02-23T07:58:34.685Z","name":"test"}}}',
-        }),
-    );
+    test('Test Without a Body App', () => {
+        const guard = createSignatureVerifier({
+            secret: 'xXx',
+            sha256: (data) => crypto.createHash('sha256').update(data).digest('hex'),
+            jwtVerify: (token, secret) => ({
+                hmac: '157bee342a4856e14e964356fef54fd84b3a3508c1071ed674172d3f9b68892f',
+            }),
+        });
+
+        expect(
+            guard('xXx.xXx.xXx', {
+                url: 'https://helloworld.crystallize.app.local',
+                method: 'GET',
+                body: null,
+            }),
+        );
+    });
+
+    test('Test Without a Body Webhook', () => {
+        const guard = createSignatureVerifier({
+            secret: 'xXx',
+            sha256: (data) => crypto.createHash('sha256').update(data).digest('hex'),
+            jwtVerify: (token, secret) => ({
+                hmac: '61ce7a2e5072900a13369ac7f69b9e056e91c38c42f1bfe94389c80411d94b78',
+            }),
+        });
+        expect(
+            guard('xXx.xXx.xXx', {
+                url: 'https://webhook.site/b56870a7-9600-41a6-86a0-98be0c7532fd?id=65d8fc4ce2ba75beec481ec1&userId=61f9933ec63b0a44d5004c2d&tenantId=61f9937c3b63c8386ea9e153&type=document&language=en',
+                webhookUrl: 'https://webhook.site/b56870a7-9600-41a6-86a0-98be0c7532fd',
+                method: 'GET',
+            }),
+        );
+    });
 });

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@crystallize/js-api-client",`
`3`	`3`	`"license": "MIT",`
`4`		`- "version": "2.0.0",`
	`4`	`+ "version": "2.1.0",`
`5`	`5`	`"author": "Crystallize <[email protected]> (https://crystallize.com)",`
`6`	`6`	`"contributors": [`
`7`	`7`	`"Sébastien Morel <[email protected]>",`