# grpc-hmac-interceptor
This TypeScript library provides an HMAC authentication interceptor for gRPC, simplifying the setup of HMAC authentication on both the server and the client. It is built on @grpc/grpc-js, the official gRPC library for Node.js, and uses its interceptor API to add HMAC signing and verification to the gRPC client and server.

Install it with npm:

```sh
npm install --save-dev grpc-hmac-interceptor
```

The interceptor runs at request time, so if it ships in production code add it as a regular dependency (`--save`) rather than a devDependency.
Add the HMAC server interceptor to the gRPC server:

```typescript
import { Server } from "@grpc/grpc-js";
import { GetSecret, NewServerInterceptor } from "grpc-hmac-interceptor";

// The interceptor calls this with the x-hmac-key-id of each incoming request and
// expects the secret_key for that keyId back (the hmac.GetSecret func type).
// The key store below is illustrative; load secrets from a secret store in practice.
const secrets: Record<string, string> = { "client-1": "<secret for client-1>" };
const getSecret: GetSecret = (keyId: string) => {
  // return secret_key for the keyId
  return secrets[keyId];
};
// create HMAC server interceptor
const interceptor = NewServerInterceptor(getSecret);
const server: Server = new Server({ interceptors: [interceptor.WithInterceptor()] });
```
Create the HMAC client interceptor with the provided function `NewClientInterceptor`. By default the interceptor expects the proto to have been loaded by @grpc/proto-loader and the client to be built with @grpc/grpc-js. If the proto was compiled with protoc (or grpc-tools) instead, pass `true` as the third argument to `NewClientInterceptor`.

### @grpc/proto-loader
```typescript
import { credentials, loadPackageDefinition } from "@grpc/grpc-js";
import { loadSync } from "@grpc/proto-loader";
import { NewClientInterceptor } from "grpc-hmac-interceptor";

// keyId and secretKey for HMAC authentication; they must match the server's GetSecret
const keyId = "client-1";
const secretKey = "<secret for client-1>"; // load from a secret store, never hard-code
const target = "localhost:50051";
const interceptor = NewClientInterceptor(keyId, secretKey);
// service constructor from the proto loaded by @grpc/proto-loader (file name is illustrative)
const construct = (loadPackageDefinition(loadSync("user.proto")) as any).example.UserService;
// create gRPC client; use credentials.createSsl() outside local testing
const client = new construct(target, credentials.createInsecure(), {
  interceptors: [interceptor.WithInterceptor()]
});
```
In this case the proto is loaded by @grpc/proto-loader and the client is built with @grpc/grpc-js, so the interceptor sees plain JavaScript objects as request messages.

### protoc or grpc-tools
```typescript
import { credentials } from "@grpc/grpc-js";
import { NewClientInterceptor } from "grpc-hmac-interceptor";
// stub generated by protoc / grpc-tools; file and class names are illustrative
import { UserServiceClient } from "./generated/user_grpc_pb";

// keyId and secretKey for HMAC authentication; they must match the server's GetSecret
const keyId = "client-1";
const secretKey = "<secret for client-1>"; // load from a secret store, never hard-code
const target = "localhost:50051";
// third argument `true`: request messages are jspb.Message instances, not plain objects
const interceptor = NewClientInterceptor(keyId, secretKey, true);
// create gRPC client; use credentials.createSsl() outside local testing
const client = new UserServiceClient(target, credentials.createInsecure(), {
  interceptors: [interceptor.WithInterceptor()]
});
```
In this case the proto is compiled by protoc or grpc-tools, so each request message is wrapped in a jspb.Message rather than being a plain object, and the interceptor must serialize it accordingly before computing the signature.
Run the bundled example:

```sh
# go to the example directory
pushd example
# install the dependencies
npm install
# update grpc-hmac-interceptor to the latest published version
npm install grpc-hmac-interceptor@latest
# run the example: it starts a server with the HMAC interceptor and two clients with the
# HMAC interceptor, one sending a valid HMAC signature and one sending an invalid one
./run.sh
```
Steps for generating the HMAC:

1. Build the message to sign as `request=<stringified request>;method=<method name>`, where `request` is the stringified request payload and `method` is the full name of the method being called, e.g. `request={"name":"John"};method=/example.UserService/GetUser`. If the request payload is empty, the message is just the method name, e.g. `method=/example.UserService/GetUser`.
2. Compute the HMAC of that message with the client's secret key.
3. Add `x-hmac-key-id` and `x-hmac-signature` to the outgoing request metadata.

Steps for verifying the HMAC:

1. Read `x-hmac-key-id` and `x-hmac-signature` from the incoming request metadata.
2. Look up the secret key associated with the key id (via `GetSecret`), rebuild the message from the incoming request and method, and verify the HMAC signature against it.
3. If verification fails, an `UNAUTHENTICATED` error is returned to the caller.

Note that the signed message contains only the payload and the method name, with no timestamp or nonce, so a captured signed request can be replayed unchanged: the interceptor authenticates the sender and protects payload integrity, but does not by itself prevent replay. Run it over TLS (`credentials.createSsl()` rather than `createInsecure()`) and add replay protection at the application layer if the service needs it.

We welcome contributions to ts-grpc-hmac! Please see the CONTRIBUTING.md file for more information.
## FAQs
Nodejs library for effortless HMAC Client and Server interceptors in gRPC applications.
The npm package grpc-hmac-interceptor receives a total of 1 weekly downloads. As such, grpc-hmac-interceptor popularity was classified as not popular.
We found that grpc-hmac-interceptor demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.