LEB-4935 | Update to validate fetch request responses (#16)

Author: marc22alain

.gitignore

@@ -1,2 +1,3 @@
 .idea
-node_modules
+node_modules
+lib/es5/hmac.tests.js

demo/ajax.app.js

@@ -32,7 +32,15 @@ gulp.task('build-lib', gulp.series('clean-lib', () => {
   .pipe(gulp.dest('./lib/es5'));
 }));
 
-gulp.task('test', gulp.series('build-lib', () => {
+gulp.task('build-test', () => {
+  return gulp.src(['./qunit/hmac.tests.js'])
+  .pipe(babel({
+    presets: ["@babel/preset-env"],
+  }))
+  .pipe(gulp.dest('./lib/es5'));
+});
+
+gulp.task('test', gulp.series('build-lib', 'build-test', () => {
   return gulp.src('./qunit/hmac.html')
     .pipe(qunit());
 }));

demo/get.app.js

@@ -179,6 +179,36 @@ if (!Array.prototype.indexOf) {
 
     return -1;
   };
+} //https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign#Polyfill
+// Because PhantomJS does not fully support JS APIs
+
+
+if (typeof Object.assign != 'function') {
+  (function () {
+    Object.assign = function (target) {
+      'use strict';
+
+      if (target === undefined || target === null) {
+        throw new TypeError('Cannot convert undefined or null to object');
+      }
+
+      var output = Object(target);
+
+      for (var index = 1; index < arguments.length; index++) {
+        var source = arguments[index];
+
+        if (source !== undefined && source !== null) {
+          for (var nextKey in source) {
+            if (source.hasOwnProperty(nextKey)) {
+              output[nextKey] = source[nextKey];
+            }
+          }
+        }
+      }
+
+      return output;
+    };
+  })();
 }
 /**
  * AcquiaHttpHmac - Let's you sign a XMLHttpRequest or promised-based request object (e.g. jqXHR) by Acquia's
@@ -213,6 +243,9 @@ var AcquiaHttpHmac = /*#__PURE__*/function () {
 
     _classCallCheck(this, AcquiaHttpHmac);
 
+    Object.defineProperty(this, _hasValidResponse, {
+      value: _hasValidResponse2
+    });
     Object.defineProperty(this, _generateNonce, {
       value: _generateNonce2
     });
@@ -410,6 +443,34 @@ var AcquiaHttpHmac = /*#__PURE__*/function () {
       void 0;
       return headers;
     }
+    /**
+     * Generate signed headers using provided parameters.
+     *
+     * @param {Object} signParameters
+     *   The signing parameters to be signed, which include method, path, headers, content type, body.
+     * @returns {object}
+     *   The object contains headers, nonce, and timestamp.
+     */
+
+  }, {
+    key: "getFetchHeaders",
+    value: function getFetchHeaders(signParameters) {
+      var nonce = _classPrivateFieldLooseBase(this, _generateNonce)[_generateNonce]();
+
+      var timestamp = _classPrivateFieldLooseBase(this, _generateTimestamp)[_generateTimestamp]();
+
+      var copiedParameters = Object.assign({}, signParameters);
+      Object.assign(copiedParameters, {
+        nonce: nonce,
+        timestamp: timestamp
+      });
+      var headers = this.getHeaders(copiedParameters);
+      return {
+        headers: headers,
+        nonce: nonce,
+        timestamp: timestamp
+      };
+    }
     /**
      * Sign the request using provided parameters.
      *
@@ -471,6 +532,21 @@ var AcquiaHttpHmac = /*#__PURE__*/function () {
         return request.setRequestHeader(headerName, headers[headerName]);
       });
     }
+    /**
+     * Helper method to perform the Crypto processing and comparison.
+     *
+     * @param {String} responseText
+     *   The content (as string) of the server's response.
+     * @param {String} sha256Header
+     *   The `X-Server-Authorization-HMAC-SHA256` header from the server's response.
+     * @param {String} nonce
+     *   The nonce used to sign the sent request.
+     * @param {String} timestamp
+     *   The nonce used to sign the sent request.
+     * @returns {boolean}
+     *   TRUE if the request is valid; FALSE otherwise.
+     */
+
     /**
      * Check if the request has a valid response.
      *
@@ -483,13 +559,27 @@ var AcquiaHttpHmac = /*#__PURE__*/function () {
   }, {
     key: "hasValidResponse",
     value: function hasValidResponse(request) {
-      var signature_base_string = "".concat(request.acquiaHttpHmac.nonce, "\n").concat(request.acquiaHttpHmac.timestamp, "\n").concat(request.responseText),
-          signature = CryptoJS.HmacSHA256(signature_base_string, this.config.parsed_secret_key).toString(CryptoJS.enc.Base64),
-          server_signature = request.getResponseHeader('X-Server-Authorization-HMAC-SHA256');
-      void 0;
-      void 0;
-      void 0;
-      return signature === server_signature;
+      return _classPrivateFieldLooseBase(this, _hasValidResponse)[_hasValidResponse](request.responseText, request.getResponseHeader('X-Server-Authorization-HMAC-SHA256'), request.acquiaHttpHmac.nonce, request.acquiaHttpHmac.timestamp);
+    }
+    /**
+     * Check if the Fetch Response is valid.
+     *
+     * @param {String} responseText
+     *   The Fetch response's text.
+     * @param {Object} headers
+     *   The Fetch response's headers.
+     * @param {String} nonce
+     *   The nonce used to sign the Fetch request.
+     * @param {String} timestamp
+     *   The nonce used to sign the Fetch request.
+     * @returns {boolean}
+     *   TRUE if the request is valid; FALSE otherwise.
+     */
+
+  }, {
+    key: "hasValidFetchResponse",
+    value: function hasValidFetchResponse(responseText, headers, nonce, timestamp) {
+      return _classPrivateFieldLooseBase(this, _hasValidResponse)[_hasValidResponse](responseText, headers['X-Server-Authorization-HMAC-SHA256'], nonce, timestamp);
     }
   }], [{
     key: "isXMLHttpRequest",
@@ -560,6 +650,8 @@ var _generateTimestamp = _classPrivateFieldLooseKey("generateTimestamp");
 
 var _generateNonce = _classPrivateFieldLooseKey("generateNonce");
 
+var _hasValidResponse = _classPrivateFieldLooseKey("hasValidResponse");
+
 var _generateTimestamp2 = function _generateTimestamp2() {
   return Math.floor(Date.now() / 1000).toString();
 };
@@ -573,6 +665,15 @@ var _generateNonce2 = function _generateNonce2() {
   });
 };
 
+var _hasValidResponse2 = function _hasValidResponse2(responseText, sha256Header, nonce, timestamp) {
+  var signature_base_string = "".concat(nonce, "\n").concat(timestamp, "\n").concat(responseText);
+  var signature = CryptoJS.HmacSHA256(signature_base_string, this.config.parsed_secret_key).toString(CryptoJS.enc.Base64);
+  void 0;
+  void 0;
+  void 0;
+  return signature === sha256Header;
+};
+
 if ((typeof exports === "undefined" ? "undefined" : _typeof(exports)) === "object") {
   // CommonJS
   var CryptoJS = require('crypto-js');

demo/post.app.js

@@ -161,6 +161,36 @@ if (!Array.prototype.indexOf) {
 
     return -1;
   };
+} //https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign#Polyfill
+// Because PhantomJS does not fully support JS APIs
+
+
+if (typeof Object.assign != 'function') {
+  (function () {
+    Object.assign = function (target) {
+      'use strict';
+
+      if (target === undefined || target === null) {
+        throw new TypeError('Cannot convert undefined or null to object');
+      }
+
+      var output = Object(target);
+
+      for (var index = 1; index < arguments.length; index++) {
+        var source = arguments[index];
+
+        if (source !== undefined && source !== null) {
+          for (var nextKey in source) {
+            if (source.hasOwnProperty(nextKey)) {
+              output[nextKey] = source[nextKey];
+            }
+          }
+        }
+      }
+
+      return output;
+    };
+  })();
 }
 /**
  * AcquiaHttpHmac - Let's you sign a XMLHttpRequest or promised-based request object (e.g. jqXHR) by Acquia's
@@ -191,6 +221,9 @@ class AcquiaHttpHmac {
     version = '2.0',
     default_content_type = 'application/json'
   }) {
+    Object.defineProperty(this, _hasValidResponse, {
+      value: _hasValidResponse2
+    });
     Object.defineProperty(this, _generateNonce, {
       value: _generateNonce2
     });
@@ -433,6 +466,31 @@ class AcquiaHttpHmac {
     return headers;
   }
 
+  /**
+   * Generate signed headers using provided parameters.
+   *
+   * @param {Object} signParameters
+   *   The signing parameters to be signed, which include method, path, headers, content type, body.
+   * @returns {object}
+   *   The object contains headers, nonce, and timestamp.
+   */
+  getFetchHeaders(signParameters) {
+    const nonce = _classPrivateFieldLooseBase(this, _generateNonce)[_generateNonce]();
+
+    const timestamp = _classPrivateFieldLooseBase(this, _generateTimestamp)[_generateTimestamp]();
+
+    const copiedParameters = Object.assign({}, signParameters);
+    Object.assign(copiedParameters, {
+      nonce,
+      timestamp
+    });
+    const headers = this.getHeaders(copiedParameters);
+    return {
+      headers,
+      nonce,
+      timestamp
+    };
+  }
   /**
    * Sign the request using provided parameters.
    *
@@ -450,6 +508,8 @@ class AcquiaHttpHmac {
    *   Body.
    * @returns {string}
    */
+
+
   sign({
     request,
     method,
@@ -486,6 +546,22 @@ class AcquiaHttpHmac {
     request.acquiaHttpHmac.nonce = nonce;
     Object.keys(headers).forEach(headerName => request.setRequestHeader(headerName, headers[headerName]));
   }
+  /**
+   * Helper method to perform the Crypto processing and comparison.
+   *
+   * @param {String} responseText
+   *   The content (as string) of the server's response.
+   * @param {String} sha256Header
+   *   The `X-Server-Authorization-HMAC-SHA256` header from the server's response.
+   * @param {String} nonce
+   *   The nonce used to sign the sent request.
+   * @param {String} timestamp
+   *   The nonce used to sign the sent request.
+   * @returns {boolean}
+   *   TRUE if the request is valid; FALSE otherwise.
+   */
+
+
   /**
    * Check if the request has a valid response.
    *
@@ -494,16 +570,26 @@ class AcquiaHttpHmac {
    * @returns {boolean}
    *   TRUE if the request is valid; FALSE otherwise.
    */
-
-
   hasValidResponse(request) {
-    let signature_base_string = `${request.acquiaHttpHmac.nonce}\n${request.acquiaHttpHmac.timestamp}\n${request.responseText}`,
-        signature = CryptoJS.HmacSHA256(signature_base_string, this.config.parsed_secret_key).toString(CryptoJS.enc.Base64),
-        server_signature = request.getResponseHeader('X-Server-Authorization-HMAC-SHA256');
-    void 0;
-    void 0;
-    void 0;
-    return signature === server_signature;
+    return _classPrivateFieldLooseBase(this, _hasValidResponse)[_hasValidResponse](request.responseText, request.getResponseHeader('X-Server-Authorization-HMAC-SHA256'), request.acquiaHttpHmac.nonce, request.acquiaHttpHmac.timestamp);
+  }
+
+  /**
+   * Check if the Fetch Response is valid.
+   *
+   * @param {String} responseText
+   *   The Fetch response's text.
+   * @param {Object} headers
+   *   The Fetch response's headers.
+   * @param {String} nonce
+   *   The nonce used to sign the Fetch request.
+   * @param {String} timestamp
+   *   The nonce used to sign the Fetch request.
+   * @returns {boolean}
+   *   TRUE if the request is valid; FALSE otherwise.
+   */
+  hasValidFetchResponse(responseText, headers, nonce, timestamp) {
+    return _classPrivateFieldLooseBase(this, _hasValidResponse)[_hasValidResponse](responseText, headers['X-Server-Authorization-HMAC-SHA256'], nonce, timestamp);
   }
 
 }
@@ -512,6 +598,8 @@ var _generateTimestamp = _classPrivateFieldLooseKey("generateTimestamp");
 
 var _generateNonce = _classPrivateFieldLooseKey("generateNonce");
 
+var _hasValidResponse = _classPrivateFieldLooseKey("hasValidResponse");
+
 var _generateTimestamp2 = function _generateTimestamp2() {
   return Math.floor(Date.now() / 1000).toString();
 };
@@ -525,6 +613,15 @@ var _generateNonce2 = function _generateNonce2() {
   });
 };
 
+var _hasValidResponse2 = function _hasValidResponse2(responseText, sha256Header, nonce, timestamp) {
+  const signature_base_string = `${nonce}\n${timestamp}\n${responseText}`;
+  const signature = CryptoJS.HmacSHA256(signature_base_string, this.config.parsed_secret_key).toString(CryptoJS.enc.Base64);
+  void 0;
+  void 0;
+  void 0;
+  return signature === sha256Header;
+};
+
 if (typeof exports === "object") {
   // CommonJS
   var CryptoJS = require('crypto-js');