1 | var API = require('./api')
|
2 |
|
3 | var crypto = require('crypto')
|
4 |
|
5 |
|
6 | var getSignedCookieRaw = function(req, cookieName) {
|
7 | var signedCookieRaw = null
|
8 |
|
9 | var rawCookies = req.headers.cookie
|
10 | if (rawCookies) {
|
11 |
|
12 | var split1 = rawCookies.split(';')
|
13 |
|
14 | for (var i=0; i<split1.length; i++) {
|
15 |
|
16 | if (split1[i].indexOf(cookieName) > -1) {
|
17 |
|
18 | var split2 = split1[i].split('=')
|
19 |
|
20 | signedCookieRaw = split2[1]
|
21 | }
|
22 | }
|
23 | }
|
24 |
|
25 | return signedCookieRaw
|
26 | }
|
27 |
|
28 | var extractFaasCookieObj = function(faas_cookie_signed) {
|
29 | var method_name = "faas.io: extractFaasCookieObj";
|
30 |
|
31 | if (faas_cookie_signed) {
|
32 |
|
33 |
|
34 | try
|
35 | {
|
36 | faas_cookie_signed = decodeURIComponent(faas_cookie_signed);
|
37 | }
|
38 | catch (err) {
|
39 |
|
40 | return null;
|
41 | }
|
42 |
|
43 |
|
44 | if (faas_cookie_signed) {
|
45 |
|
46 |
|
47 |
|
48 | var split1 = (faas_cookie_signed.split('s:'))[1];
|
49 |
|
50 |
|
51 | var faas_cookie_object_str = (split1.split('}.'))[0] + "}";
|
52 |
|
53 |
|
54 | return JSON.parse(faas_cookie_object_str);
|
55 | } else {
|
56 | return null;
|
57 | }
|
58 | } else {
|
59 | return null;
|
60 | }
|
61 | }
|
62 |
|
63 | var _cookieSharedSecret = null
|
64 |
|
65 | var getCookieSharedSecret = function(){
|
66 | return _cookieSharedSecret
|
67 | }
|
68 |
|
69 | var setCookieSharedSecret = function(cookieSharedSecret){
|
70 | _cookieSharedSecret = cookieSharedSecret
|
71 | }
|
72 |
|
73 | var getCookieSharedSecretFromServer = function(cb) {
|
74 | var urlOpts = {
|
75 | pathname: '/bouncer/getCookieSharedSecret'
|
76 | }
|
77 | API.api({ url: urlOpts }, function(err, data){
|
78 | cb(err, data && data.cookie_shared_secret)
|
79 | })
|
80 | }
|
81 |
|
82 | exports.validateFaasSecurity = function(req, cb_err_obj){
|
83 |
|
84 |
|
85 |
|
86 | var cookieRaw = getSignedCookieRaw(req, 'faas_cookie')
|
87 | var cookieObj = extractFaasCookieObj(cookieRaw)
|
88 |
|
89 | if (!cookieRaw || !cookieObj) { cb_err_obj('No cookie'); return }
|
90 |
|
91 | var cookieObjStr = JSON.stringify(cookieObj)
|
92 | var connectSignedCookie = req.signedCookies['faas_cookie']
|
93 |
|
94 | if (cookieObjStr === connectSignedCookie) {
|
95 |
|
96 | cb_err_obj(null, cookieObj)
|
97 | }
|
98 | else if (getCookieSharedSecret()) {
|
99 |
|
100 | validateFaasCookieLocal(cookieRaw, cb_err_obj)
|
101 | }
|
102 | else {
|
103 |
|
104 | getCookieSharedSecretFromServer(function(err, cookieSharedSecret){
|
105 | if (err) {
|
106 | cb_err_obj(err)
|
107 | }
|
108 | else {
|
109 |
|
110 | setCookieSharedSecret(cookieSharedSecret)
|
111 |
|
112 | validateFaasCookieLocal(cookieRaw, cb_err_obj)
|
113 | }
|
114 | })
|
115 | }
|
116 | }
|
117 |
|
118 |
|
119 |
|
120 |
|
121 |
|
122 |
|
123 |
|
124 | var getSignedCookie = function(val) {
|
125 | faasSignedCookie = 's:' + sign(val, getCookieSharedSecret())
|
126 | return faasSignedCookie
|
127 | }
|
128 |
|
129 |
|
130 | var sign = function(val, secret){
|
131 | if ('string' != typeof val) throw new TypeError('cookie required');
|
132 | if ('string' != typeof secret) throw new TypeError('secret required');
|
133 | return val + '.' + crypto
|
134 | .createHmac('sha256', secret)
|
135 | .update(val)
|
136 | .digest('base64')
|
137 | .replace(/\=+$/, '');
|
138 | };
|
139 |
|
140 |
|
141 | var validateFaasCookieLocal = function(signedCookie, cb_err_obj){
|
142 |
|
143 |
|
144 | var cookieObj = extractFaasCookieObj(signedCookie)
|
145 | var cookieObjStr = JSON.stringify(cookieObj)
|
146 | var signedCookieDecoded = decodeURIComponent(signedCookie)
|
147 |
|
148 |
|
149 | var signTest = getSignedCookie(cookieObjStr)
|
150 |
|
151 |
|
152 | if (signedCookieDecoded === signTest) {
|
153 | cb_err_obj(null, cookieObj)
|
154 | }
|
155 | else {
|
156 | cb_err_obj('invalid signature')
|
157 | }
|
158 | }
|
159 |
|
160 |
|
161 |
|