implement v1 signature verification

2021-11-24 16:41:13 -05:00 · 2021-11-24 16:41:13 -05:00 · 236b5e4d0a
parent 9612f24fce
commit 236b5e4d0a
1 changed files with 19 additions and 1 deletions
--- a/src/index.coffee
+++ b/src/index.coffee
@ -13,15 +13,33 @@ handleRequest = ({ request }) ->

 handlePUT = (request) ->
  url = new URL request.url
+  # Start from the highest version number
+  valid = false
  if url.searchParams.has "v2"
    valid = await verifySignatureV2 url.searchParams.get("v2"), url, request
-    return verifyFailure() unless valid
+  else if url.searchParams.has "v"
+    valid = await verifySignatureV1 url.searchParams.get("v"), url, request
+
+  unless valid
+    return verifyFailure()
+
  return new Response "Valid"

 verifyFailure = ->
  return new Response "Invalid signature",
    status: 403

+verifySignatureV1 = (sig, url, request) ->
+  content_length = request.headers.get "Content-Length"
+  if not content_length?
+    return false
+
+  sign_str = url.pathname[1..] + " " + content_length
+  local_sig = await crypto.HMAC_SHA256 crypto.utf8Bytes(config.xmpp_secret), sign_str
+  local_sig = crypto.hex local_sig
+
+  return local_sig is sig
+
 verifySignatureV2 = (sig, url, request) ->
  content_length = request.headers.get "Content-Length"
  content_type = request.headers.get "Content-Type"