NodeJS Base-64 encoding of a SHA-512 digest



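I am using Starling Bank's webhooks to call my API. They state the following:

The signature is placed in the header of the request using X-Hook-Signature, and consists of the Base-64 encoding of the SHA-512 digest of the secret + JSON payload.

The code I ended up with is below. After trying different approaches, I can't seem to get the same Base-64 of the SHA-512 as in the header. Am I understanding/using the crypto and bodyParser libraries correctly?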

// middleware.js
const functions = require('firebase-functions');
import * as crypto from 'crypto';
// Assumption: config is the Firebase environment config that holds starling.key
const config = functions.config();
export const auth = (req, res, next) => {
    let hash = crypto.createHash('sha512');
    hash.update(config.starling.key + req.rawBody);
    req.hasha = hash.digest('base64');
    // req.hasha is different from req.header('X-Hook-Signature')
    next();
}

My app has the following code

import * as functions from 'firebase-functions';
import * as express from 'express';
import * as cors from 'cors';
import * as middleware from './middleware';
import bodyParser = require('body-parser');
const app = express();
app.use(cors({ origin: true }));
app.use(bodyParser.json());
app.use(middleware.auth);
// Endpoints removed for brevity
export const hooks = functions.https.onRequest(app);

The problem is that express and bodyParser mess up the rawBody.

This should work:

const express = require("express");
const crypto = require('crypto');
const app = express();
const bodyParser = require('body-parser');
// Keep the exact bytes received; the parsed body cannot reproduce them
app.use(bodyParser.json({
  verify: (req, res, buf) => {
    req.rawBody = buf
  }
}));
app.post('/starling',async (request,response)=>{
  const secret = 'abcd-efgh-12f3-asd34-casd-whatever';
  let hash = crypto.createHash('sha512');
  hash.update(secret+request.rawBody);
  const sigCheck = hash.digest('base64');

  const valid = sigCheck===request.headers['x-hook-signature'];
  // Reply so the request does not hang; reject on a signature mismatch
  response.sendStatus(valid ? 200 : 403);
});
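
The check above as a standalone verifier, added here as an example and not part of the original answer: it hashes the secret followed by the raw body bytes, compares against the header in constant time, and shows that a re-serialized parsed body no longer matches. The function names, the secret and the payload are constructed for illustration.

```javascript
// Added example: verify an X-Hook-Signature over the raw request bytes.
const crypto = require('node:crypto');

// Base-64 SHA-512 digest of secret + payload, hashing the payload as bytes.
function computeSignature(secret, rawBody) {
  return crypto.createHash('sha512')
    .update(secret, 'utf8')
    .update(rawBody) // Buffer: no string coercion of the body
    .digest('base64');
}

// Returns true only when the header matches the computed signature.
function verifySignature(secret, rawBody, headerValue) {
  if (typeof headerValue !== 'string' || !Buffer.isBuffer(rawBody)) return false;
  const expected = Buffer.from(computeSignature(secret, rawBody), 'base64');
  const received = Buffer.from(headerValue, 'base64');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length) return false;
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not real Starling values).
const SECRET = 'constructed-secret-0000';
const RAW = Buffer.from('{"amount": 12.50,  "reference":"café"}', 'utf8');
const HEADER = computeSignature(SECRET, RAW); // what the sender would attach

// What is left after bodyParser.json(): the parsed object, serialized again.
// Whitespace and number formatting are lost, so the bytes differ from RAW.
const RESERIALIZED = Buffer.from(
  JSON.stringify(JSON.parse(RAW.toString('utf8'))), 'utf8');

function demo() {
  return {
    rawOk: verifySignature(SECRET, RAW, HEADER),
    reserializedOk: verifySignature(SECRET, RESERIALIZED, HEADER),
    missingHeader: verifySignature(SECRET, RAW, undefined),
    truncatedHeader: verifySignature(SECRET, RAW, HEADER.slice(0, 20)),
  };
}

console.log(demo());
```

In an Express app, `rawBody` would be the buffer captured by the `verify` callback shown in the answer.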
  
  
