I am trying to validate HMAC-SHA256 signature against Node.js server with a simple Python client which validates against Python server. For some reason, I am unable to properly validate it in Node.
##
# client.py
##
import json
import time
from urllib import error
from urllib import request
import hmac
from hashlib import sha256
USER = 'testuser'
KEY = 'xxwMXEqOGiY2TssVZ9hvOB4x6EVW3RW75hjAKEai4UBlxG0ts8Js8dsWOzDvAVq4'
if __name__ == '__main__':
now = int(time.time())
payload = {'firstname': 'john', 'lastname': 'doe'}
payload_json = json.dumps(payload)
payload_bytes = bytes(payload_json, 'utf-8')
sig = hmac.new(bytes(KEY, 'utf-8'), b'', sha256)
sig.update(bytes(str(now), 'utf-8'))
sig.update(payload_bytes)
signature = sig.hexdigest()
headers = {
'Authorization': '{}:{}'.format(USER, signature),
'timestamp': str(now),
'Content-Type': 'application/json',
}
req = request.Request('http://localhost:8080/', payload_bytes, headers, method='POST')
try:
with request.urlopen(req) as response:
response_code, response_reason, r = response.code, response.reason, response.read()
except error.HTTPError as e:
response_code, response_reason, r = e.code, e.reason, e
print('RESPONSE: {} {}\n{}'.format(response_code, response_reason, r))
In Python, I validate the request (successfully) like this:
##
# snippet from server.py
##
user = {'user': 'testuser', 'secret_key': 'xx...'} # usually queries the database
if user:
check_sig = hmac.new(bytes(user['secret_key'], 'utf8'), b'', sha256)
check_sig.update(bytes(headers['TIMESTAMP'], 'utf-8')) # timestamp sent in request header
check_sig.update(data) # data is binary json-formatted string
check_signature = check_sig.hexdigest()
if hmac.compare_digest(check_signature, hmac_hash): # hmac_hash is user's signature from request
time_diff = int(time.time()) - int(headers['TIMESTAMP'])
if 0 <= time_diff <= 30:
print('kewl!')
return True
In Node, I tried to use node-restify and have a simple code like this:
/*
* server.js
*/
var restify = require('restify');
var crypto = require('crypto');
var bufferEq = require('buffer-equal-constant-time');
var _ = require('lodash');
var nconf = require('nconf').file({file: 'config.json'});
var server = restify.createServer();
server.use(restify.acceptParser(server.acceptable));
// server.use(require(path.join(__dirname, 'auth'))());
server.use(restify.dateParser());
server.use(restify.queryParser());
server.use(restify.jsonp());
server.use(restify.gzipResponse());
server.use(restify.bodyParser());
// server.use(restify.requestExpiry());
server.use(restify.throttle({
burst: 100,
rate: 50,
ip: true,
overrides: {
'192.168.1.1': {
rate: 0, // unlimited
burst: 0
}
}
}));
server.use(restify.conditionalRequest());
server.use(function authenticate(req, res, next) {
console.log('checking auth...');
var user = req.headers.authorization.split(':')[0];
var key = req.headers.authorization.split(':')[1];
console.log(key);
var credentials = nconf.get('Security:Users');
var dbUser = _.filter(credentials, {user: user}).pop();
var checkSignature = crypto.createHmac('sha256', dbUser.key)
.update(req.headers.timestamp, 'utf8')
.update(JSON.stringify(req.body), 'utf8')
.digest('hex');
console.log(checkSignature);
if (!bufferEq(new Buffer(checkSignature), new Buffer(key))) {
return next(new restify.UnauthorizedError('Authorization error.'));
}
return next();
});
function respond(req, res, next) {
res.send('hello!');
next();
}
server.get('/', respond);
server.post('/', respond);
server.listen(8080, function() {
console.log('%s listening at %s', server.name, server.url);
});
...but comparing signatures always fails.
Is this the correct way to create HMAC-SHA256 signature in Node? I was following crypto's documentation and it seems pretty straightforward...