Comments (2)
Hey @oneEyedSunday!
Could you share an example of a POST request body that fails? The roundtrip.js example in the Express middleware repo makes a request with a JSON body that parses and validates.
Thanks!
from simple-hmac-auth.
Hello @jessety, the roundtrip example worked.
Here's a breakdown of my problem, before I mention how I eventually solved it.
The middleware needs to compare the req.rawBody prop; internally it tries to parse this in parallel, via

```javascript
// Populate the rawBody attribute by reading the input stream
// Because this function calls next() immediately and not on 'end', it can consume the data stream in parallel with the body parsers we're going to add below
// Of course, this also means that if it wasn't followed by middleware that waits until request emits 'end' to call next() that the rawBody would never be populated by the time the authentication middleware gets the request
// We counter that by including yet another piece of middleware after the body-parsers that resolves immediately if it finds a parsed body, or sets an observer for the request 'end'
// Whew.
middleware.push((request, response, next) => {
  const chunks = [];
  request.on('data', chunk => chunks.push(chunk));
  request.on('end', () => request.rawBody = Buffer.concat(chunks).toString());
  next();
});
```
But this doesn't work properly, especially in my case where I have body parser.json much earlier in the pipeline on my api route namespace. I've experienced a similar issue before when integrating with Stripe webhooks, as Stripe expects us to verify the webhook request contents.
The key is to let the JSON middleware populate the req.rawBody like so, thanks to Flavio Copes:

```javascript
json({ limit: '', verify: (req, res, buf) => {
  req.rawBody = buf;
} })
```

This way, the hmac auth middleware reliably has access to req.rawBody.
I think having a prior middleware chain do it is perhaps more reliable, and perhaps should be documented, as a lot of people may have this use case. It's very likely that a lot of the middleware configuration with regards to parsing will be done much earlier in the middleware chain, before the hmac auth middleware is called.
For the sake of people coming to see this in the future, one could conditionally do the req.rawBody population like so:

```javascript
app.use('/api', json({ strict: false, limit: '1mb', verify: function populateRawBody(req, res, buffer) {
  // Only do this if we need req.rawBody downstream
  if (aCondition) req.rawBody = buffer;
} }));
```
from simple-hmac-auth.
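Why the HMAC check needs the exact bytes captured by the `verify` hook rather than the parsed body, as an added example that is not part of the thread or of simple-hmac-auth's code. It assumes a simplified scheme that signs only the body with HMAC-SHA256; `parseJson` is a hypothetical stand-in for a JSON body parser with a `verify(req, res, buf)` hook, and the secret and request body are constructed.

```javascript
// Added example. Assumptions: body-only HMAC-SHA256 signing, constructed key and body.
const { createHmac, timingSafeEqual } = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed, not a real key

// Hex HMAC-SHA256 over the exact bytes given.
function sign(bytes, secret = SECRET) {
  return createHmac('sha256', secret).update(bytes).digest('hex');
}

// Constant-time comparison of the expected and the presented signature.
function verifySignature(bytes, presentedHex, secret = SECRET) {
  const expected = Buffer.from(sign(bytes, secret), 'hex');
  const presented = Buffer.from(String(presentedHex), 'hex');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  return expected.length === presented.length && timingSafeEqual(expected, presented);
}

// Hypothetical stand-in for a JSON parser with a verify(req, res, buf) hook:
// the hook sees the raw buffer before only the parsed object remains.
function parseJson(req, buf, verify) {
  if (verify) verify(req, null, buf);
  req.body = JSON.parse(buf.toString('utf8'));
  return req;
}

// Constructed request: the client signed these exact bytes (note spacing and "10.0").
const wire = Buffer.from('{ "amount": 10.0,  "to": "acct-1" }', 'utf8');
const signature = sign(wire);

// Raw bytes kept by the hook: the signature verifies.
function checkRaw() {
  const req = parseJson({}, wire, (r, _res, buf) => { r.rawBody = buf; });
  return verifySignature(req.rawBody, signature);
}

// No hook: re-serializing the parsed object yields different bytes, so it fails.
function checkReserialized() {
  const req = parseJson({}, wire);
  return verifySignature(Buffer.from(JSON.stringify(req.body)), signature);
}

// A modified body must fail even when the raw bytes are available.
function checkTampered() {
  const altered = Buffer.from(wire.toString().replace('acct-1', 'acct-2'));
  return verifySignature(altered, signature);
}

console.log({ raw: checkRaw(), reserialized: checkReserialized(), tampered: checkTampered() });
```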