Buffer.from() with crypto.timingSafeEqual()?"/>
How to use Buffer.from() with crypto.timingSafeEqual()?
出于某种原因我得到
TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined
从两个论点到
crypto.timingSafeEqual(a, b)
.
我也试过了
const a = Buffer.from(signature, 'utf8').toString('base64');
const b = Buffer.from(expectedSignature, 'utf8').toString('base64');
我得到了同样的错误。
问题
谁能弄清楚为什么参数不是缓冲区?
const express = require("express");
const bodyParser = require("body-parser");
const crypto = require('crypto');
const secret = "x";
const app = express();
const PORT = 8080;
app.use(bodyParser.json());
function isSigOk(request, secret) {
// calculate the signature
const expectedSignature = "sha256=" +
crypto.createHmac("sha256", secret)
.update(JSON.stringify(request.body))
.digest("hex");
// compare the signature against the one in the request
const signature = request.headers["X-Hub-Signature-256"];
const a = Buffer.from(signature);
const b = Buffer.from(expectedSignature);
return crypto.timingSafeEqual(a, b);
};
app.post("/", (req, res) => {
if (isSigOk(req, secret)) {
// Do stuff here
} else {
console.log('Error: Signatures does not match. Return res.status(401)');
};
res.status(200).end();
});
// Start express on the defined port
app.listen(PORT, () => console.log(`Github wekhook listening on port ${PORT}`));
回答如下:
我看到两个问题:
第一个也是主要的是
假设will是isSigOk
标题的值:"X-Hub-Signature-256"
const signature = request.headers["X-Hub-Signature-256"]; const a = Buffer.from(signature);
如果
是Buffer.from
,那么signature
调用将抛出您引用的错误,因为标题不存在。在这种情况下,您可能想返回undefined
(并且可能通过稍微重新排序来跳过计算预期签名的开销),请参阅false
评论和相关行:***
function isSigOk(request, secret) { // *** get the signature on this message, if any const signature = request.headers["X-Hub-Signature-256"]; if (!signature) { // *** none return false; } // calculate the signature const expectedSignature = "sha256=" + crypto.createHmac("sha256", secret) .update(JSON.stringify(request.body)) .digest("hex"); // compare the signature against the one in the request const a = Buffer.from(signature); const b = Buffer.from(expectedSignature); return crypto.timingSafeEqual(a, b); };
资本问题。根据Node.js 文档(Express 的
对象继承自Node.js 的Request
),IncomingMessage
的名称是小写的。所以headers
应该是request.headers["X-Hub-Signature-256"]
。 (在评论中你说你得到了一个值,但是评论使用了全部小写,而代码使用了混合大小写。)所以:request.headers["x-hub-signature-256"]
function isSigOk(request, secret) { // *** get the signature on this message, if any const signature = request.headers["x-hub-signature-256"]; // *** Lowercase if (!signature) { // *** none return false; } // calculate the signature const expectedSignature = "sha256=" + crypto.createHmac("sha256", secret) .update(JSON.stringify(request.body)) .digest("hex"); // compare the signature against the one in the request const a = Buffer.from(signature); const b = Buffer.from(expectedSignature); return a.length === b.length && crypto.timingSafeEqual(a, b); };
注意其中的
部分。如果缓冲区长度不同,a.length === b.length &&
将抛出错误,但我们希望在这种情况下返回 false。timingSafeEqual
更多推荐
How to use Buffer.from() with crypto.timingSafeEqual()?
发布评论