export "symmetric", "asymmetric" and "combined"

Skn0tt · Skn0tt · commit a09a15c9d525 · 2021-05-05T19:30:32.000+02:00
diff --git a/src/index.spec.ts b/src/index.spec.ts
@@ -1,21 +1,26 @@
-import { sign, verify } from './';
+import { SecureWebhooks, symmetric, asymmetric } from './';
 
-function testWithKeyPair(pub: string, priv: string, expextedResult: string) {
+function testWithKeyPair(
+  swh: SecureWebhooks,
+  pub: string,
+  priv: string,
+  expextedResult: string
+) {
   const input = 'hello world';
   const timestamp = 1600000000000;
-  const signature = sign(input, priv, timestamp);
+  const signature = swh.sign(input, priv, timestamp);
   expect(signature).toEqual(expextedResult);
 
   // transmit input + signature over the wire
 
   const receivingTimestamp = timestamp + 60 * 1000;
 
-  const isValidIfWithinTimeout = verify(input, pub, signature, {
+  const isValidIfWithinTimeout = swh.verify(input, pub, signature, {
     timestamp: receivingTimestamp,
   });
   expect(isValidIfWithinTimeout).toBe(true);
 
-  const isValidIfOverTimeout = verify(input, pub, signature, {
+  const isValidIfOverTimeout = swh.verify(input, pub, signature, {
     timestamp: receivingTimestamp,
     timeout: 0.5 * 60 * 1000,
   });
@@ -25,6 +30,7 @@ function testWithKeyPair(pub: string, priv: string, expextedResult: string) {
 test('symmetric', () => {
   const secret = 'iamverysecret';
   testWithKeyPair(
+    symmetric,
     secret,
     secret,
     `v=1600000000000,d=3bd0b48300a7a7afc491e90ecef6805cb46813ea047434eed9cccc567f7aeecb`
@@ -102,6 +108,7 @@ yS6CCva4O1bQailhOWHMCXusEMvoSMCg7Xfs8bw1zEqkEGY6yvD3yDoHAOrkfJun
 `.trim();
 
   testWithKeyPair(
+    asymmetric,
     publicKey,
     privateKey,
     `v=1600000000000,d=OwH2f2zKu8DHzCrlFKW36VzOZG6hmhtMCN5kVqX3BQTFkjPl7cri4Ar+yky0nyPNYfZG+Q1Kf3fithV8ufy+q25TZC2IXyhPpnytZTfKptlpLT3BGJ0Q1TMx1gQXrEFN2kzl1pH5ertxN1MwYuUnQCwfwigALKeaStADSZAJVVS25Tp+6DB8OrNpywjeruQZ6fUIWtWcF9q2O987zj+uUqya4GvUsa1NI9PFIXUb82e6ZXpw+0fqLNsHLYj60YqdCfeivxs3O+HGJekvqwJuj/bPCftbDBT4Cj4s5sjFYHtV3Rf2ERzu0ycIJD4BXC3oOyek1PX5lbaIRL7JwMpTWir98FjWEbSSlNbNeR/EEzVtKGwgWcEAlO33H4sBKhc1/OPKcAyMU8NFuudeUSrGSNzl9+qLIJkX+oFyct5iksZPbiyypI2NsrTZcY4W6yOpb5lq8gmNu+N2GfwkK57oL0Kj4q+zZuVrGFRQYTrgWVHbJhMhFpnIKGnFg71oIkfqxjn6dWesADVVgKyLoQ0ZE8E/2kc8Kt+pgPkun/ywMfyItOf9AyIgultGsKyQgPpS3aIioJLExuicNsci7brbXJXMo+grccV7GhgDnbGLn1uLrtE0zCh9d/Op0czWKRbLVzCPNAKIYW1+hkaTNROGs/Cu7vhOy7g766YtEX6EWpo=`
diff --git a/src/index.ts b/src/index.ts
@@ -1,105 +1,86 @@
 import { createHmac, createSign, createVerify } from 'crypto';
 
-function getHmac(secret: string) {
-  return createHmac('sha256', secret);
-}
+const FIVE_MINUTES = 5 * 60 * 1000;
 
-function isPrivateKey(secretOrPrivateKey: string): boolean {
-  return secretOrPrivateKey.includes('PRIVATE KEY');
+function makeSecureWebhooks(
+  getSigner: (secretOrPrivateKey: string) => (input: string) => string,
+  getVerifier: (
+    secretOrPublicKey: string
+  ) => (input: string, digest: string) => boolean
+) {
+  return {
+    sign(
+      input: string,
+      secretOrPrivateKey: string,
+      timestamp: number = Date.now()
+    ): string {
+      const signer = getSigner(secretOrPrivateKey);
+
+      return `v=${timestamp},d=${signer(input + timestamp)}`;
+    },
+    verify(
+      input: string,
+      secret: string,
+      signature: string,
+      opts: { timeout?: number; timestamp?: number } = {}
+    ): boolean {
+      const match = /v=(\d+),d=(.*)/.exec(signature);
+      if (!match) {
+        return false;
+      }
+
+      const poststamp = Number(match[1]);
+      const postDigest = match[2];
+
+      const timestamp = opts?.timestamp ?? Date.now();
+      const timeout = opts?.timeout ?? FIVE_MINUTES;
+
+      const difference = Math.abs(timestamp - poststamp);
+      if (difference > timeout) {
+        return false;
+      }
+
+      const verifier = getVerifier(secret);
+
+      return verifier(input + poststamp, postDigest);
+    },
+  };
 }
 
-function isPublicKey(secretOrPrivateKey: string): boolean {
-  return secretOrPrivateKey.includes('PUBLIC KEY');
-}
+export type SecureWebhooks = ReturnType<typeof makeSecureWebhooks>;
 
-function verifyWithSecret(
-  input: string,
-  digest: string,
-  secret: string
-): boolean {
-  return (
-    getHmac(secret)
+export const symmetric = makeSecureWebhooks(
+  secret => input =>
+    createHmac('sha256', secret)
+      .update(input)
+      .digest('hex'),
+  secret => (input, digest) =>
+    createHmac('sha256', secret)
       .update(input)
       .digest('hex') === digest
-  );
-}
-
-function signWithSecret(input: string, secret: string) {
-  return getHmac(secret)
-    .update(input)
-    .digest('hex');
-}
-
-function getSigner(secretOrPrivateKey: string): (input: string) => string {
-  if (isPrivateKey(secretOrPrivateKey)) {
-    return v => signWithPrivate(v, secretOrPrivateKey);
-  } else {
-    return v => signWithSecret(v, secretOrPrivateKey);
-  }
-}
-
-function signWithPrivate(input: string, priv: string): string {
-  return createSign('sha256')
-    .update(input)
-    .sign(priv, 'base64');
-}
-
-function verifyWithPublic(input: string, digest: string, pub: string): boolean {
-  return createVerify('sha256')
-    .update(input)
-    .verify(pub, digest, 'base64');
-}
-
-function getVerifier(
-  secretOrPublicKey: string
-): (input: string, digest: string) => boolean {
-  if (isPublicKey(secretOrPublicKey)) {
-    return (i, d) => verifyWithPublic(i, d, secretOrPublicKey);
-  } else {
-    return (i, d) => verifyWithSecret(i, d, secretOrPublicKey);
-  }
-}
+);
 
-export function sign(
-  input: string,
-  secretOrPrivateKey: string,
-  timestamp: number = Date.now()
-) {
-  const signer = getSigner(secretOrPrivateKey);
-
-  return `v=${timestamp},d=${signer(input + timestamp)}`;
-}
-
-const FIVE_MINUTES = 5 * 60 * 1000;
-
-export function verify(
-  input: string,
-  secretOrPublicKey: string,
-  signature: string,
-  opts: { timeout?: number; timestamp?: number } = {}
-) {
-  const useBase64 = isPublicKey(secretOrPublicKey);
-  const regex = useBase64
-    ? /v=(\d+),d=((?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)?)/
-    : /v=(\d+),d=([\da-f]+)/;
-  const match = regex.exec(signature);
-
-  if (!match) {
-    return false;
-  }
-
-  const poststamp = Number(match[1]);
-  const postDigest = match[2];
-
-  const timestamp = opts?.timestamp ?? Date.now();
-  const timeout = opts?.timeout ?? FIVE_MINUTES;
-
-  const difference = Math.abs(timestamp - poststamp);
-  if (difference > timeout) {
-    return false;
-  }
-
-  const verifier = getVerifier(secretOrPublicKey);
-
-  return verifier(input + poststamp, postDigest);
-}
+export const asymmetric = makeSecureWebhooks(
+  priv => input =>
+    createSign('sha256')
+      .update(input)
+      .sign(priv, 'base64'),
+  pub => (input, digest) =>
+    createVerify('sha256')
+      .update(input)
+      .verify(pub, digest, 'base64')
+);
+
+export const combined: SecureWebhooks = {
+  sign: (input, secretOrPrivateKey, timestamp) =>
+    secretOrPrivateKey.includes('PRIVATE KEY')
+      ? asymmetric.sign(input, secretOrPrivateKey, timestamp)
+      : symmetric.sign(input, secretOrPrivateKey, timestamp),
+  verify: (input, secretOrPublicKey, signature, opts) =>
+    secretOrPublicKey.includes('PUBLIC KEY')
+      ? asymmetric.verify(input, secretOrPublicKey, signature, opts)
+      : symmetric.verify(input, secretOrPublicKey, signature, opts),
+};
+
+export const sign = symmetric.sign;
+export const verify = symmetric.verify;
