Diffstat (limited to 'deps/npm/node_modules/hawk/lib/server.js')
-rwxr-xr-x | deps/npm/node_modules/hawk/lib/server.js | 116 |
1 files changed, 57 insertions, 59 deletions
diff --git a/deps/npm/node_modules/hawk/lib/server.js b/deps/npm/node_modules/hawk/lib/server.js index c5b02ae0c5..2f76372355 100755 --- a/deps/npm/node_modules/hawk/lib/server.js +++ b/deps/npm/node_modules/hawk/lib/server.js @@ -1,17 +1,15 @@ -'use strict'; - // Load modules -const Boom = require('boom'); -const Hoek = require('hoek'); -const Cryptiles = require('cryptiles'); -const Crypto = require('./crypto'); -const Utils = require('./utils'); +var Boom = require('boom'); +var Hoek = require('hoek'); +var Cryptiles = require('cryptiles'); +var Crypto = require('./crypto'); +var Utils = require('./utils'); // Declare internals -const internals = {}; +var internals = {}; // Hawk authentication @@ -19,7 +17,7 @@ const internals = {}; /* req: node's HTTP request object or an object as follows: - const request = { + var request = { method: 'GET', url: '/resource/4?a=1&b=2', host: 'example.com', @@ -32,7 +30,7 @@ const internals = {}; needed by the application. This function is the equivalent of verifying the username and password in Basic authentication. - const credentialsFunc = function (id, callback) { + var credentialsFunc = function (id, callback) { // Lookup credentials in database db.lookup(id, function (err, item) { @@ -41,7 +39,7 @@ const internals = {}; return callback(err); } - const credentials = { + var credentials = { // Required key: item.key, algorithm: item.algorithm, 
@@ -95,25 +93,25 @@ exports.authenticate = function (req, credentialsFunc, options, callback) {
 // Application time
- const now = Utils.now(options.localtimeOffsetMsec); // Measure now before any other processing
+ var now = Utils.now(options.localtimeOffsetMsec); // Measure now before any other processing
 // Convert node Http request object to a request configuration object
- const request = Utils.parseRequest(req, options);
+ var request = Utils.parseRequest(req, options);
 if (request instanceof Error) {
 return callback(Boom.badRequest(request.message));
 }
 // Parse HTTP Authorization header
- const attributes = Utils.parseAuthorizationHeader(request.authorization);
+ var attributes = Utils.parseAuthorizationHeader(request.authorization);
 if (attributes instanceof Error) {
 return callback(attributes);
 }
 // Construct artifacts container
- const artifacts = {
+ var artifacts = {
 method: request.method,
 host: request.host,
 port: request.port,
@@ -140,14 +138,14 @@ exports.authenticate = function (req, credentialsFunc, options, callback) {
 // Fetch Hawk credentials
- credentialsFunc(attributes.id, (err, credentials) => {
+ credentialsFunc(attributes.id, function (err, credentials) {
 if (err) {
 return callback(err, credentials || null, artifacts);
 }
 if (!credentials) {
- return callback(Utils.unauthorized('Unknown credentials'), null, artifacts);
+ return callback(Boom.unauthorized('Unknown credentials', 'Hawk'), null, artifacts);
 }
 if (!credentials.key ||
@@ -162,9 +160,9 @@ exports.authenticate = function (req, credentialsFunc, options, callback) {
 // Calculate MAC
- const mac = Crypto.calculateMac('header', credentials, artifacts);
+ var mac = Crypto.calculateMac('header', credentials, artifacts);
 if (!Cryptiles.fixedTimeComparison(mac, attributes.mac)) {
- return callback(Utils.unauthorized('Bad mac'), credentials, artifacts);
+ return callback(Boom.unauthorized('Bad mac', 'Hawk'), credentials, artifacts);
 }
 // Check payload hash
@@ -173,28 +171,28 @@ exports.authenticate = function (req, credentialsFunc, options, callback) {
 options.payload === '') {
 if (!attributes.hash) {
- return callback(Utils.unauthorized('Missing required payload hash'), credentials, artifacts);
+ return callback(Boom.unauthorized('Missing required payload hash', 'Hawk'), credentials, artifacts);
 }
- const hash = Crypto.calculatePayloadHash(options.payload, credentials.algorithm, request.contentType);
+ var hash = Crypto.calculatePayloadHash(options.payload, credentials.algorithm, request.contentType);
 if (!Cryptiles.fixedTimeComparison(hash, attributes.hash)) {
- return callback(Utils.unauthorized('Bad payload hash'), credentials, artifacts);
+ return callback(Boom.unauthorized('Bad payload hash', 'Hawk'), credentials, artifacts);
 }
 }
 // Check nonce
- options.nonceFunc(credentials.key, attributes.nonce, attributes.ts, (err) => {
+ options.nonceFunc(credentials.key, attributes.nonce, attributes.ts, function (err) {
 if (err) {
- return callback(Utils.unauthorized('Invalid nonce'), credentials, artifacts);
+ return callback(Boom.unauthorized('Invalid nonce', 'Hawk'), credentials, artifacts);
 }
 // Check timestamp staleness
 if (Math.abs((attributes.ts * 1000) - now) > (options.timestampSkewSec * 1000)) {
- const tsm = Crypto.timestampMessage(credentials, options.localtimeOffsetMsec);
- return callback(Utils.unauthorized('Stale timestamp', tsm), credentials, artifacts);
+ var tsm = Crypto.timestampMessage(credentials, options.localtimeOffsetMsec);
+ return callback(Boom.unauthorized('Stale timestamp', 'Hawk', tsm), credentials, artifacts);
 }
 // Successful authentication
@@ -216,7 +214,7 @@ exports.authenticate = function (req, credentialsFunc, options, callback) {
 exports.authenticatePayload = function (payload, credentials, artifacts, contentType) {
- const calculatedHash = Crypto.calculatePayloadHash(payload, credentials.algorithm, contentType);
+ var calculatedHash = Crypto.calculatePayloadHash(payload, credentials.algorithm, contentType);
 return Cryptiles.fixedTimeComparison(calculatedHash, artifacts.hash);
 };
@@ -287,18 +285,18 @@ exports.header = function (credentials, artifacts, options) {
 artifacts.hash = Crypto.calculatePayloadHash(options.payload, credentials.algorithm, options.contentType);
 }
- const mac = Crypto.calculateMac('response', credentials, artifacts);
+ var mac = Crypto.calculateMac('response', credentials, artifacts);
 // Construct header
- let header = 'Hawk mac="' + mac + '"' +
+ var header = 'Hawk mac="' + mac + '"' +
 (artifacts.hash ? ', hash="' + artifacts.hash + '"' : '');
 if (artifacts.ext !== null && artifacts.ext !== undefined && artifacts.ext !== '') { // Other falsey values allowed
- header = header + ', ext="' + Hoek.escapeHeaderAttribute(artifacts.ext) + '"';
+ header += ', ext="' + Hoek.escapeHeaderAttribute(artifacts.ext) + '"';
 }
 return header;
@@ -321,11 +319,11 @@ exports.authenticateBewit = function (req, credentialsFunc, options, callback) {
 // Application time
- const now = Utils.now(options.localtimeOffsetMsec);
+ var now = Utils.now(options.localtimeOffsetMsec);
 // Convert node Http request object to a request configuration object
- const request = Utils.parseRequest(req, options);
+ var request = Utils.parseRequest(req, options);
 if (request instanceof Error) {
 return callback(Boom.badRequest(request.message));
 }
@@ -336,15 +334,15 @@ exports.authenticateBewit = function (req, credentialsFunc, options, callback) {
 return callback(Boom.badRequest('Resource path exceeds max length'));
 }
- const resource = request.url.match(internals.bewitRegex);
+ var resource = request.url.match(internals.bewitRegex);
 if (!resource) {
- return callback(Utils.unauthorized());
+ return callback(Boom.unauthorized(null, 'Hawk'));
 }
 // Bewit not empty
 if (!resource[3]) {
- return callback(Utils.unauthorized('Empty bewit'));
+ return callback(Boom.unauthorized('Empty bewit', 'Hawk'));
 }
 // Verify method is GET
@@ -352,7 +350,7 @@ exports.authenticateBewit = function (req, credentialsFunc, options, callback) {
 if (request.method !== 'GET' && request.method !== 'HEAD') {
- return callback(Utils.unauthorized('Invalid method'));
+ return callback(Boom.unauthorized('Invalid method', 'Hawk'));
 }
 // No other authentication
@@ -363,19 +361,19 @@ exports.authenticateBewit = function (req, credentialsFunc, options, callback) {
 // Parse bewit
- const bewitString = Hoek.base64urlDecode(resource[3]);
+ var bewitString = Hoek.base64urlDecode(resource[3]);
 if (bewitString instanceof Error) {
 return callback(Boom.badRequest('Invalid bewit encoding'));
 }
 // Bewit format: id\exp\mac\ext ('\' is used because it is a reserved header attribute character)
- const bewitParts = bewitString.split('\\');
+ var bewitParts = bewitString.split('\\');
 if (bewitParts.length !== 4) {
 return callback(Boom.badRequest('Invalid bewit structure'));
 }
- const bewit = {
+ var bewit = {
 id: bewitParts[0],
 exp: parseInt(bewitParts[1], 10),
 mac: bewitParts[2],
@@ -391,27 +389,27 @@ exports.authenticateBewit = function (req, credentialsFunc, options, callback) {
 // Construct URL without bewit
- let url = resource[1];
+ var url = resource[1];
 if (resource[4]) {
- url = url + resource[2] + resource[4];
+ url += resource[2] + resource[4];
 }
 // Check expiration
 if (bewit.exp * 1000 <= now) {
- return callback(Utils.unauthorized('Access expired'), null, bewit);
+ return callback(Boom.unauthorized('Access expired', 'Hawk'), null, bewit);
 }
 // Fetch Hawk credentials
- credentialsFunc(bewit.id, (err, credentials) => {
+ credentialsFunc(bewit.id, function (err, credentials) {
 if (err) {
 return callback(err, credentials || null, bewit.ext);
 }
 if (!credentials) {
- return callback(Utils.unauthorized('Unknown credentials'), null, bewit);
+ return callback(Boom.unauthorized('Unknown credentials', 'Hawk'), null, bewit);
 }
 if (!credentials.key ||
@@ -426,7 +424,7 @@ exports.authenticateBewit = function (req, credentialsFunc, options, callback) {
 // Calculate MAC
- const mac = Crypto.calculateMac('bewit', credentials, {
+ var mac = Crypto.calculateMac('bewit', credentials, {
 ts: bewit.exp,
 nonce: '',
 method: 'GET',
@@ -437,7 +435,7 @@ exports.authenticateBewit = function (req, credentialsFunc, options, callback) {
 });
 if (!Cryptiles.fixedTimeComparison(mac, bewit.mac)) {
- return callback(Utils.unauthorized('Bad mac'), credentials, bewit);
+ return callback(Boom.unauthorized('Bad mac', 'Hawk'), credentials, bewit);
 }
 // Successful authentication
@@ -463,7 +461,7 @@ exports.authenticateMessage = function (host, port, message, authorization, cred
 // Application time
- const now = Utils.now(options.localtimeOffsetMsec); // Measure now before any other processing
+ var now = Utils.now(options.localtimeOffsetMsec); // Measure now before any other processing
 // Validate authorization
@@ -478,14 +476,14 @@ exports.authenticateMessage = function (host, port, message, authorization, cred
 // Fetch Hawk credentials
- credentialsFunc(authorization.id, (err, credentials) => {
+ credentialsFunc(authorization.id, function (err, credentials) {
 if (err) {
 return callback(err, credentials || null);
 }
 if (!credentials) {
- return callback(Utils.unauthorized('Unknown credentials'));
+ return callback(Boom.unauthorized('Unknown credentials', 'Hawk'));
 }
 if (!credentials.key ||
@@ -500,40 +498,40 @@ exports.authenticateMessage = function (host, port, message, authorization, cred
 // Construct artifacts container
- const artifacts = {
+ var artifacts = {
 ts: authorization.ts,
 nonce: authorization.nonce,
- host,
- port,
+ host: host,
+ port: port,
 hash: authorization.hash
 };
 // Calculate MAC
- const mac = Crypto.calculateMac('message', credentials, artifacts);
+ var mac = Crypto.calculateMac('message', credentials, artifacts);
 if (!Cryptiles.fixedTimeComparison(mac, authorization.mac)) {
- return callback(Utils.unauthorized('Bad mac'), credentials);
+ return callback(Boom.unauthorized('Bad mac', 'Hawk'), credentials);
 }
 // Check payload hash
- const hash = Crypto.calculatePayloadHash(message, credentials.algorithm);
+ var hash = Crypto.calculatePayloadHash(message, credentials.algorithm);
 if (!Cryptiles.fixedTimeComparison(hash, authorization.hash)) {
- return callback(Utils.unauthorized('Bad message hash'), credentials);
+ return callback(Boom.unauthorized('Bad message hash', 'Hawk'), credentials);
 }
 // Check nonce
- options.nonceFunc(credentials.key, authorization.nonce, authorization.ts, (err) => {
+ options.nonceFunc(credentials.key, authorization.nonce, authorization.ts, function (err) {
 if (err) {
- return callback(Utils.unauthorized('Invalid nonce'), credentials);
+ return callback(Boom.unauthorized('Invalid nonce', 'Hawk'), credentials);
 }
 // Check timestamp staleness
 if (Math.abs((authorization.ts * 1000) - now) > (options.timestampSkewSec * 1000)) {
- return callback(Utils.unauthorized('Stale timestamp'), credentials);
+ return callback(Boom.unauthorized('Stale timestamp'), credentials);
 }
 // Successful authentication |