
alexa-ability-express-handler - npm Package Compare versions

Comparing version 0.4.2 to 0.4.4

63

lib/verifyRequest.js

@@ -52,3 +52,3 @@ 'use strict';

var log = (0, _debug2.default)('alexa-ability-express-handler:verifyRequest');
var debug = (0, _debug2.default)('alexa-ability-express-handler:verifyRequest');
var MAX_TOLERANCE = 60 * 2.5 * 1000; // 2.5 minutes

@@ -65,17 +65,16 @@ var CERT_HEADER = 'SignatureCertChainUrl';

function verifyRequest() {
var _ref = arguments.length <= 0 || arguments[0] === undefined ? {} : arguments[0];
var _ref = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {},
_ref$tolerance = _ref.tolerance,
tolerance = _ref$tolerance === undefined ? MAX_TOLERANCE : _ref$tolerance;
var _ref$tolerance = _ref.tolerance;
var tolerance = _ref$tolerance === undefined ? MAX_TOLERANCE : _ref$tolerance;
return function verifyRequestMiddleware(req, res, next) {
// get data
var chainUrl = req.headers[CERT_HEADER];
var sig = req.headers[SIG_HEADER];
var chainUrl = req.get(CERT_HEADER);
var sig = req.get(SIG_HEADER);
var body = req.body;
var timestamp = (0, _get2.default)(body, 'request.timestamp', DEFAULT_TIME);
log('cert-url: %s', chainUrl);
log('signature: %s', sig);
log('timestamp: %s', timestamp);
log('checking body: %o', body);
debug('cert-url: %s', chainUrl);
debug('signature: %s', sig);
debug('timestamp: %s', timestamp);
debug('checking body: %o', body);

@@ -97,6 +96,6 @@ // basic checks

}).then(function () {
log('verified request');
debug('verified request');
next();
}, function (err) {
log('error verifiying request: %s', err);
debug('error verifiying request: %s', err);
next(err);

@@ -121,9 +120,8 @@ });

function validateUrl(url) {
var _parse = (0, _url.parse)(url);
var _parse = (0, _url.parse)(url),
protocol = _parse.protocol,
hostname = _parse.hostname,
pathname = _parse.pathname,
port = _parse.port;
var protocol = _parse.protocol;
var hostname = _parse.hostname;
var pathname = _parse.pathname;
var port = _parse.port;
var path = (0, _path.normalize)(pathname);

@@ -136,3 +134,3 @@

log('valid url: %s', url);
debug('valid url: %s', url);

@@ -151,3 +149,3 @@ // return the url to make promise chaining easier

function getCertificate(url) {
log('getting certificate');
debug('getting certificate');

@@ -157,3 +155,3 @@ return new _bluebird2.default(function (res, rej) {

if (err) {
log('error getting certificate');
debug('error getting certificate');
return rej(err);

@@ -163,7 +161,7 @@ }

if (resp.statusCode !== 200) {
log('invalid status code: %s', resp.statusCode);
debug('invalid status code: %s', resp.statusCode);
return rej(new Error('Invalid certificate response.'));
}
log('got certificate');
debug('got certificate');
res(body);

@@ -181,10 +179,9 @@ });

function validateCertificate(cert) {
log('validating certificate');
debug('validating certificate');
var _parseCert = (0, _x2.parseCert)(cert);
var _parseCert = (0, _x2.parseCert)(cert),
altNames = _parseCert.altNames,
notBefore = _parseCert.notBefore,
notAfter = _parseCert.notAfter;
var altNames = _parseCert.altNames;
var notBefore = _parseCert.notBefore;
var notAfter = _parseCert.notAfter;
var now = new Date();

@@ -196,3 +193,3 @@

log('valid certificate');
debug('valid certificate');

@@ -211,3 +208,3 @@ // return cert to make promise chaining easier

function validateBody(cert, sig, body) {
log('checking body against signature');
debug('checking body against signature');
var verifier = _crypto2.default.createVerify('SHA1');

@@ -220,3 +217,3 @@ verifier.update(JSON.stringify(body));

log('signature matches body');
debug('signature matches body');
}
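Review bot: The `tolerance` option is only a default, not a ceiling: at `tolerance = _ref$tolerance === undefined ? MAX_TOLERANCE : _ref$tolerance;` a caller can pass any value (including `Infinity`) and widen or effectively disable the timestamp window that `MAX_TOLERANCE` (2.5 minutes) is named to bound, and presumably that window is what the elided "basic checks" apply to `request.timestamp`. Capping it keeps the constant's name honest: `tolerance = _ref$tolerance === undefined ? MAX_TOLERANCE : Math.min(_ref$tolerance, MAX_TOLERANCE);`. This file looks like transpiled Babel output, so the change belongs in the ES source it is generated from. The body of verifyRequestMiddleware continues outside the hunk.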
{
"name": "alexa-ability-express-handler",
"version": "0.4.2",
"version": "0.4.4",
"description": "Expose an alexa-ability as an express route",

@@ -47,3 +47,3 @@ "main": "lib/index.js",

"request": "^2.69.0",
"x509": "^0.2.3"
"x509": "^0.3.0"
},

@@ -50,0 +50,0 @@ "devDependencies": {

@@ -26,3 +26,7 @@ import {

const next = sinon.spy();
const req = { body, headers: {}};
const req = { // TODO fix these god awful stubs
get(header) { return this.headers[header.toLowerCase()] },
headers: {},
body
};
middleware(req, null, next);

@@ -35,6 +39,9 @@ expect(next.args[0][0]).to.be.instanceOf(Error);

const next = sinon.spy();
const req = { headers: {
SignatureCertChainUrl: 'asdasfas',
Signature: 'asdfasfdas'
}};
const req = { // TODO fix these god awful stubs
get(header) { return this.headers[header.toLowerCase()] },
headers: {
SignatureCertChainUrl: 'asdasfas',
Signature: 'asdfasfdas'
}
};
middleware(req, null, next);

@@ -47,3 +54,4 @@ expect(next.args[0][0]).to.be.instanceOf(Error);

const next = sinon.spy();
const req = {
const req = { // TODO fix these god awful stubs
get(header) { return this.headers[header.toLowerCase()] },
headers: {

@@ -50,0 +58,0 @@ SignatureCertChainUrl: 'asdasfas',
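Review bot: The `get(header) { return this.headers[header.toLowerCase()] }` stub lowercases the header name, but the `headers` object beneath it is keyed `SignatureCertChainUrl` and `Signature`, so `req.get('SignatureCertChainUrl')` returns `undefined` in every one of these tests; the invalid-value cases therefore exercise the missing-header path, which presumably is not what their `instanceOf(Error)` expectation intends to cover. Keying the stub data in lowercase matches how Express stores incoming headers: `signaturecertchainurl: 'asdasfas',` and `signature: 'asdfasfdas'`. The surrounding test bodies and the contents of the final `@@ -50,0 +58,0 @@` hunk are not in view.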
