
How to use Buffer.from() with crypto.timingSafeEqual()?

For some reason, I get

TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined

from the arguments to crypto.timingSafeEqual(a, b).

I also tried

const a = Buffer.from(signature, 'utf8').toString('base64');
const b = Buffer.from(expectedSignature, 'utf8').toString('base64');

and I get the same error.

Question

Can anyone figure out why the arguments are not buffers?

const express = require("express");
const bodyParser = require("body-parser");
const crypto = require('crypto');
const secret = "x";

const app = express();
const PORT = 8080;

app.use(bodyParser.json());

function isSigOk(request, secret) {
    // calculate the signature
    const expectedSignature = "sha256=" +
        crypto.createHmac("sha256", secret)
            .update(JSON.stringify(request.body))
            .digest("hex");

    // compare the signature against the one in the request
    const signature = request.headers["X-Hub-Signature-256"];
    const a = Buffer.from(signature);
    const b = Buffer.from(expectedSignature);
    return crypto.timingSafeEqual(a, b);
};

app.post("/", (req, res) => {
  if (isSigOk(req, secret)) {
    // Do stuff here
  } else {
    console.log('Error: Signatures do not match. Return res.status(401)');
  };
  res.status(200).end();
});

// Start express on the defined port
app.listen(PORT, () => console.log(`GitHub webhook listening on port ${PORT}`));

I see two problems:

  1. The first, and the main one, is that isSigOk assumes the "X-Hub-Signature-256" header will have a value:

     const signature = request.headers["X-Hub-Signature-256"];
     const a = Buffer.from(signature);

     If signature is undefined because the header is not present, the Buffer.from call will throw the error you quoted. In that case you probably want to return false (and you can skip the overhead of computing the expected signature by reordering things slightly); see the *** comments and the related lines:

     function isSigOk(request, secret) {
         // *** get the signature on this message, if any
         const signature = request.headers["X-Hub-Signature-256"];
         if (!signature) {
             // *** none
             return false;
         }

         // calculate the signature
         const expectedSignature = "sha256=" +
             crypto.createHmac("sha256", secret)
                 .update(JSON.stringify(request.body))
                 .digest("hex");

         // compare the signature against the one in the request
         const a = Buffer.from(signature);
         const b = Buffer.from(expectedSignature);
         return crypto.timingSafeEqual(a, b);
     }
  2. A capitalization problem. According to the Node.js documentation (Express's Request object inherits from Node.js's IncomingMessage), the header names in headers are lowercased. So request.headers["X-Hub-Signature-256"] should be request.headers["x-hub-signature-256"]. (In a comment you said you did get a value, but the comment used all lowercase while the code uses mixed case.) So:

     function isSigOk(request, secret) {
         // *** get the signature on this message, if any
         const signature = request.headers["x-hub-signature-256"]; // *** Lowercase
         if (!signature) {
             // *** none
             return false;
         }

         // calculate the signature
         const expectedSignature = "sha256=" +
             crypto.createHmac("sha256", secret)
                 .update(JSON.stringify(request.body))
                 .digest("hex");

         // compare the signature against the one in the request
         const a = Buffer.from(signature);
         const b = Buffer.from(expectedSignature);
         return crypto.timingSafeEqual(a, b);
     }
