1 | var API = require('./api')
|
2 |
|
3 | var crypto = require('crypto')
|
4 |
|
5 |
|
6 | var getSignedCookieRaw = function(req, cookieName) {
|
7 | var signedCookieRaw = null
|
8 |
|
9 | var rawCookies = req.headers.cookie
|
10 | if (rawCookies) {
|
11 |
|
12 | var split1 = rawCookies.split(';')
|
13 |
|
14 | for (var i=0; i<split1.length; i++) {
|
15 |
|
16 | if (split1[i].indexOf(cookieName) > -1) {
|
17 |
|
18 | var split2 = split1[i].split('=')
|
19 |
|
20 | signedCookieRaw = split2[1]
|
21 | }
|
22 | }
|
23 | }
|
24 |
|
25 | return signedCookieRaw
|
26 | }
|
27 |
|
28 | var extractFaasCookieObj = function(faas_cookie_signed) {
|
29 | var method_name = "faas.io: extractFaasCookieObj";
|
30 |
|
31 | if (faas_cookie_signed) {
|
32 |
|
33 |
|
34 | try
|
35 | {
|
36 | faas_cookie_signed = decodeURIComponent(faas_cookie_signed);
|
37 | }
|
38 | catch (err) {
|
39 |
|
40 | return null;
|
41 | }
|
42 |
|
43 |
|
44 | if (faas_cookie_signed) {
|
45 |
|
46 |
|
47 |
|
48 | var split1 = (faas_cookie_signed.split('s:'))[1];
|
49 |
|
50 |
|
51 | var faas_cookie_object_str = (split1.split('}.'))[0] + "}";
|
52 |
|
53 |
|
54 | return JSON.parse(faas_cookie_object_str);
|
55 | } else {
|
56 | return null;
|
57 | }
|
58 | } else {
|
59 | return null;
|
60 | }
|
61 | }
|
62 |
|
63 | var _cookieSharedSecretCache = {}
|
64 |
|
65 | var getCookieSharedSecret = function(api_key){
|
66 | return _cookieSharedSecretCache[api_key];
|
67 | }
|
68 |
|
69 | var setCookieSharedSecret = function(api_key, cookieSharedSecret){
|
70 | _cookieSharedSecretCache[api_key] = cookieSharedSecret;
|
71 | console.log('_cookieSharedSecretCache: ', _cookieSharedSecretCache);
|
72 | }
|
73 |
|
74 | var getCookieSharedSecretFromServer = function(requestedApiKey, cb) {
|
75 | var urlOpts = {
|
76 | pathname: '/bouncer/getCookieSharedSecret'
|
77 | , query: { 'requestedApiKey': requestedApiKey }
|
78 | }
|
79 | API.api({ url: urlOpts }, function(err, data){
|
80 | cb(err, data && data.cookie_shared_secret)
|
81 | })
|
82 | }
|
83 |
|
84 | exports.validateFaasSecurity = function(req, cb_err_obj){
|
85 |
|
86 |
|
87 |
|
88 | var cookieRaw = getSignedCookieRaw(req, 'faas_cookie')
|
89 | var cookieObj = extractFaasCookieObj(cookieRaw)
|
90 |
|
91 | if (!cookieRaw || !cookieObj) { cb_err_obj('No cookie'); return }
|
92 |
|
93 | var cookieObjStr = JSON.stringify(cookieObj)
|
94 | var connectSignedCookie = req.signedCookies['faas_cookie']
|
95 |
|
96 | if (cookieObjStr === connectSignedCookie) {
|
97 |
|
98 | cb_err_obj(null, cookieObj)
|
99 | }
|
100 | else {
|
101 | if (cookieObj && cookieObj.api_key) {
|
102 | if (getCookieSharedSecret(cookieObj.api_key)) {
|
103 |
|
104 | validateFaasCookieLocal(cookieObj.api_key, cookieRaw, cb_err_obj)
|
105 | } else {
|
106 |
|
107 | getCookieSharedSecretFromServer(cookieObj.api_key, function(err, cookieSharedSecret){
|
108 | if (err) {
|
109 | cb_err_obj(err)
|
110 | }
|
111 | else {
|
112 |
|
113 | setCookieSharedSecret(cookieObj.api_key, cookieSharedSecret);
|
114 |
|
115 | validateFaasCookieLocal(cookieObj.api_key, cookieRaw, cb_err_obj);
|
116 | }
|
117 | })
|
118 | }
|
119 | } else {
|
120 | cb_err_obj('no cookie')
|
121 | }
|
122 | }
|
123 | }
|
124 |
|
125 |
|
126 |
|
127 |
|
128 |
|
129 |
|
130 |
|
131 | var getSignedCookie = function(api_key, val) {
|
132 | faasSignedCookie = 's:' + sign(val, getCookieSharedSecret(api_key))
|
133 | return faasSignedCookie
|
134 | }
|
135 |
|
136 |
|
137 | var sign = function(val, secret){
|
138 | if ('string' != typeof val) throw new TypeError('cookie required');
|
139 | if ('string' != typeof secret) throw new TypeError('secret required');
|
140 | return val + '.' + crypto
|
141 | .createHmac('sha256', secret)
|
142 | .update(val)
|
143 | .digest('base64')
|
144 | .replace(/\=+$/, '');
|
145 | };
|
146 |
|
147 |
|
148 | var validateFaasCookieLocal = function(api_key, signedCookie, cb_err_obj){
|
149 |
|
150 |
|
151 | var cookieObj = extractFaasCookieObj(signedCookie)
|
152 | var cookieObjStr = JSON.stringify(cookieObj)
|
153 | var signedCookieDecoded = decodeURIComponent(signedCookie)
|
154 |
|
155 |
|
156 | var signTest = getSignedCookie(api_key, cookieObjStr)
|
157 |
|
158 |
|
159 | if (signedCookieDecoded === signTest) {
|
160 | cb_err_obj(null, cookieObj)
|
161 | }
|
162 | else {
|
163 | cb_err_obj('invalid signature')
|
164 | }
|
165 | }
|
166 |
|
167 |
|
168 |
|