How to use Buffer.from() with crypto.timingSafeEqual()?
For some reason I get
TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined
from the arguments to crypto.timingSafeEqual(a, b).
I also tried
    const a = Buffer.from(signature, 'utf8').toString('base64');
    const b = Buffer.from(expectedSignature, 'utf8').toString('base64');
and I get the same error.
Question
Can anyone figure out why the arguments are not Buffers?
    const express = require("express");
    const bodyParser = require("body-parser");
    const crypto = require('crypto');

    const secret = "x";
    const app = express();
    const PORT = 8080;

    app.use(bodyParser.json());

    function isSigOk(request, secret) {
        // calculate the signature
        const expectedSignature = "sha256=" +
            crypto.createHmac("sha256", secret)
                .update(JSON.stringify(request.body))
                .digest("hex");
        // compare the signature against the one in the request
        const signature = request.headers["X-Hub-Signature-256"];
        const a = Buffer.from(signature);
        const b = Buffer.from(expectedSignature);
        return crypto.timingSafeEqual(a, b);
    }

    app.post("/", (req, res) => {
        if (isSigOk(req, secret)) {
            // Do stuff here
        } else {
            console.log('Error: Signatures do not match. Return res.status(401)');
        }
        res.status(200).end();
    });

    // Start express on the defined port
    app.listen(PORT, () => console.log(`Github webhook listening on port ${PORT}`));
I see two problems:
The first, and the main one, is that isSigOk assumes the "X-Hub-Signature-256" header will have a value:
    const signature = request.headers["X-Hub-Signature-256"];
    const a = Buffer.from(signature);
If signature is undefined, the Buffer.from call will throw the error you quoted, because the header is not there. In that case you probably want to return false (and perhaps skip the overhead of calculating the expected signature by reordering things slightly); see the *** comments and the related lines:
    function isSigOk(request, secret) {
        // *** get the signature on this message, if any
        const signature = request.headers["X-Hub-Signature-256"];
        if (!signature) {
            // *** none
            return false;
        }
        // calculate the signature
        const expectedSignature = "sha256=" +
            crypto.createHmac("sha256", secret)
                .update(JSON.stringify(request.body))
                .digest("hex");
        // compare the signature against the one in the request
        const a = Buffer.from(signature);
        const b = Buffer.from(expectedSignature);
        return crypto.timingSafeEqual(a, b);
    }
A capitalization problem. According to the Node.js documentation (Express's Request object inherits from Node.js's IncomingMessage), the header names in headers are lowercase. So request.headers["X-Hub-Signature-256"] should be request.headers["x-hub-signature-256"]. (In the comments you said you were getting a value, but the comment used all lowercase while the code uses mixed case.) So:
    function isSigOk(request, secret) {
        // *** get the signature on this message, if any
        const signature = request.headers["x-hub-signature-256"]; // *** Lowercase
        if (!signature) {
            // *** none
            return false;
        }
        // calculate the signature
        const expectedSignature = "sha256=" +
            crypto.createHmac("sha256", secret)
                .update(JSON.stringify(request.body))
                .digest("hex");
        // compare the signature against the one in the request
        const a = Buffer.from(signature);
        const b = Buffer.from(expectedSignature);
        return crypto.timingSafeEqual(a, b);
    }