Skip to content
This repository was archived by the owner on Apr 5, 2024. It is now read-only.

Validate bewit MAC before expiry #291

Merged
merged 1 commit into from
Jun 15, 2023
Merged

Validate bewit MAC before expiry #291

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions lib/server.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -377,7 +377,7 @@ exports.authenticateBewit = async function (req, credentialsFunc, options) {

const bewit = {
id: bewitParts[0],
exp: parseInt(bewitParts[1], 10),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved this parsing until after the mac has been validated.

exp: bewitParts[1],
mac: bewitParts[2],
ext: bewitParts[3] || ''
};
Expand All @@ -396,12 +396,6 @@ exports.authenticateBewit = async function (req, credentialsFunc, options) {
url = url + resource[2] + resource[4];
}

// Check expiration

if (bewit.exp * 1000 <= now) {
throw Object.assign(Utils.unauthorized('Access expired'), { bewit });
}

// Fetch Hawk credentials

try {
Expand Down Expand Up @@ -443,6 +437,12 @@ exports.authenticateBewit = async function (req, credentialsFunc, options) {
throw Object.assign(Utils.unauthorized('Bad mac'), result);
}

// Check expiration

if (parseInt(bewit.exp, 10) * 1000 <= now) {
throw Object.assign(Utils.unauthorized('Access expired'), { bewit });
}

// Successful authentication

return result;
Expand Down
20 changes: 19 additions & 1 deletion test/uri.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -270,14 +270,32 @@ describe('Uri', () => {

const req = {
method: 'GET',
url: '/resource/4?a=1&b=2&bewit=MTIzNDU2XDEzNTY0MTg1ODNcWk1wZlMwWU5KNHV0WHpOMmRucTRydEk3NXNXTjFjeWVITTcrL0tNZFdVQT1cc29tZS1hcHAtZGF0YQ',
url: '/resource',
host: 'example.com',
port: 8080
};
const credentials = credentialsFunc('123456');
const bewit = Hawk.uri.getBewit('https://example.com:8080/resource', { credentials, ttlSec: -10 });
req.url += '?bewit=' + bewit;

await expect(Hawk.uri.authenticate(req, credentialsFunc)).to.reject('Access expired');
});

it('validates mac before expiry', async () => {

const credentials = credentialsFunc('123456');
const exp = '1';
const expiredInvalidBewit = B64.base64urlEncode(credentials.id + '\\' + exp + '\\somemac\\');
const req = {
method: 'GET',
url: '/resource?bewit=' + expiredInvalidBewit,
host: 'example.com',
port: 8080
};

await expect(Hawk.uri.authenticate(req, credentialsFunc, {})).to.reject('Bad mac');
});

it('fails on credentials function error', async () => {

const req = {
Expand Down