@levrbet/shared 0.1.97 → 0.1.99
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/core/types/auth.types.d.ts +1 -1
- package/dist/server/middleware/auth/cloudflare.handler.d.ts +1 -1
- package/dist/server/middleware/auth/cloudflare.handler.js.map +1 -1
- package/dist/server/middleware/auth/hmac.handler.d.ts +1 -8
- package/dist/server/middleware/auth/hmac.handler.js +36 -16
- package/dist/server/middleware/auth/hmac.handler.js.map +1 -1
- package/dist/server/middleware/auth/privy.handler.d.ts +1 -1
- package/dist/server/middleware/auth/privy.handler.js.map +1 -1
- package/dist/server/middleware/multiAuth.examples.d.ts +2 -2
- package/dist/server/middleware/multiAuth.examples.js +2 -2
- package/dist/server/middleware/multiAuth.middleware.js.map +1 -1
- package/dist/server/services/crypto.service.d.ts +4 -4
- package/dist/server/services/crypto.service.js +24 -19
- package/dist/server/services/crypto.service.js.map +1 -1
- package/dist/server/services/hmac.service.d.ts +27 -0
- package/dist/server/services/hmac.service.js +36 -0
- package/dist/server/services/hmac.service.js.map +1 -0
- package/dist/server/services/index.d.ts +1 -0
- package/dist/server/services/index.js +1 -0
- package/dist/server/services/index.js.map +1 -1
- package/dist/server/types/auth.types.d.ts +8 -0
- package/dist/server/types/auth.types.js +2 -0
- package/dist/server/types/auth.types.js.map +1 -0
- package/dist/server/types/index.d.ts +1 -0
- package/dist/server/types/index.js +1 -0
- package/dist/server/types/index.js.map +1 -1
- package/package.json +1 -1
|
@@ -15,7 +15,7 @@ export interface MultiAuthOptions {
|
|
|
15
15
|
methods: LevrAuth[];
|
|
16
16
|
/**
|
|
17
17
|
* Required API key scopes (applies to HMAC and SERVICE_HMAC auth only).
|
|
18
|
-
* If specified, the API key must have
|
|
18
|
+
* If specified, the API key must have all of these scopes.
|
|
19
19
|
*/
|
|
20
20
|
requiredScopes?: ApiKeyScope[];
|
|
21
21
|
/**
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cloudflare.handler.js","sourceRoot":"","sources":["../../../../src/server/middleware/auth/cloudflare.handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AACxC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"cloudflare.handler.js","sourceRoot":"","sources":["../../../../src/server/middleware/auth/cloudflare.handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAA;AACxC,OAAO,EAAE,qBAAqB,EAAE,MAAM,gBAAgB,CAAA;AAEtD,OAAO,2BAA2B,CAAA;AAElC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,GAAY;IACnD,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,yBAAyB,CAAC,EAAE,QAAQ,EAAE,CAAA;IAE9D,IAAI,CAAC,GAAG,EAAE,CAAC;QACP,OAAO;YACH,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,wCAAwC;YAC/C,UAAU,EAAE,GAAG;SAClB,CAAA;IACL,CAAC;IAED,IAAI,CAAC;QACD,MAAM,qBAAqB,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;QAC1C,GAAG,CAAC,UAAU,GAAG,QAAQ,CAAC,UAAU,CAAA;QACpC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACX,MAAM,QAAQ,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;QACjE,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,QAAQ,CAAC,CAAA;QAC7D,OAAO;YACH,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,2BAA2B,QAAQ,EAAE;YAC5C,UAAU,EAAE,GAAG;SAClB,CAAA;IACL,CAAC;AACL,CAAC"}
|
|
@@ -1,14 +1,7 @@
|
|
|
1
1
|
import type { Request } from "express";
|
|
2
2
|
import { MultiAuthOptions } from "../../../core";
|
|
3
|
+
import type { AuthResult } from "../../types/auth.types";
|
|
3
4
|
import "../../types/express.types";
|
|
4
|
-
/**
|
|
5
|
-
* Authentication result from individual auth handlers
|
|
6
|
-
*/
|
|
7
|
-
export interface AuthResult {
|
|
8
|
-
success: boolean;
|
|
9
|
-
error?: string;
|
|
10
|
-
statusCode?: number;
|
|
11
|
-
}
|
|
12
5
|
/**
|
|
13
6
|
* Handles HMAC authentication (user API keys)
|
|
14
7
|
*/
|
|
@@ -1,16 +1,17 @@
|
|
|
1
1
|
import crypto from "crypto";
|
|
2
2
|
import ms from "ms";
|
|
3
3
|
import { ApiKeyScope, LevrAuth } from "../../../core";
|
|
4
|
+
import { redisClientManager } from "../../config";
|
|
4
5
|
import { apiKeyRepository } from "../../repositories";
|
|
5
6
|
import { cryptoService } from "../../services";
|
|
6
7
|
import "../../types/express.types";
|
|
7
8
|
/**
|
|
8
|
-
* Validates that the API key has the required scopes
|
|
9
|
+
* Validates that the API key has all the required scopes
|
|
9
10
|
*/
|
|
10
11
|
function validateScopes(apiKeyScopes, requiredScopes) {
|
|
11
12
|
if (!requiredScopes || requiredScopes.length === 0)
|
|
12
13
|
return true;
|
|
13
|
-
return requiredScopes.
|
|
14
|
+
return requiredScopes.every((scope) => apiKeyScopes.includes(scope));
|
|
14
15
|
}
|
|
15
16
|
/**
|
|
16
17
|
* Determines required scopes based on HTTP method and options
|
|
@@ -25,6 +26,22 @@ function getRequiredScopes(method, options) {
|
|
|
25
26
|
}
|
|
26
27
|
return scopes;
|
|
27
28
|
}
|
|
29
|
+
/**
|
|
30
|
+
* Prevents nonce replay attacks by ensuring each nonce is only used once per API key
|
|
31
|
+
*/
|
|
32
|
+
async function validateNonce(apiKeyId, nonce) {
|
|
33
|
+
const key = `hmac_nonce:${apiKeyId}:${nonce}`;
|
|
34
|
+
try {
|
|
35
|
+
// Set nonce with 2 minute expiry, NX ensures it's only set if it doesn't exist
|
|
36
|
+
const result = await redisClientManager.primaryClient.set(key, "1", "EX", 120, "NX");
|
|
37
|
+
return result === "OK"; // Returns OK only if key was set (nonce not used before)
|
|
38
|
+
}
|
|
39
|
+
catch (err) {
|
|
40
|
+
console.error("Nonce validation error:", err);
|
|
41
|
+
// Fail open on Redis errors to avoid blocking legitimate requests
|
|
42
|
+
return true;
|
|
43
|
+
}
|
|
44
|
+
}
|
|
28
45
|
/**
|
|
29
46
|
* Shared HMAC authentication logic for both user and service API keys
|
|
30
47
|
*/
|
|
@@ -44,9 +61,8 @@ async function handleHmacAuthBase(req, options, isServiceAuth) {
|
|
|
44
61
|
}
|
|
45
62
|
// Fetch API key
|
|
46
63
|
const apiKey = await apiKeyRepository.getApiKey({ apiKeyId });
|
|
47
|
-
if (!apiKey)
|
|
64
|
+
if (!apiKey)
|
|
48
65
|
return { success: false, error: "Unknown API key", statusCode: 401 };
|
|
49
|
-
}
|
|
50
66
|
// Validate key type matches auth method
|
|
51
67
|
if (isServiceAuth && !apiKey.isService) {
|
|
52
68
|
return { success: false, error: "This endpoint requires a service API key", statusCode: 403 };
|
|
@@ -79,38 +95,42 @@ async function handleHmacAuthBase(req, options, isServiceAuth) {
|
|
|
79
95
|
}
|
|
80
96
|
// Verify HMAC signature
|
|
81
97
|
try {
|
|
82
|
-
const
|
|
98
|
+
const secretKey = await cryptoService.getSecretKey(apiKeyId, apiKey.ciphertext);
|
|
83
99
|
const method = req.method.toUpperCase();
|
|
84
100
|
const path = req.originalUrl.split("?")[0];
|
|
85
101
|
const timestamp = req.header("x-request-timestamp");
|
|
86
|
-
const nonce = req.header("x-request-nonce")
|
|
102
|
+
const nonce = req.header("x-request-nonce");
|
|
87
103
|
if (!timestamp) {
|
|
88
104
|
return { success: false, error: "Missing x-request-timestamp header", statusCode: 400 };
|
|
89
105
|
}
|
|
106
|
+
if (!nonce) {
|
|
107
|
+
return { success: false, error: "Missing x-request-nonce header", statusCode: 400 };
|
|
108
|
+
}
|
|
90
109
|
const ts = parseInt(timestamp, 10);
|
|
91
|
-
if (Number.isNaN(ts))
|
|
110
|
+
if (Number.isNaN(ts))
|
|
92
111
|
return { success: false, error: "Invalid timestamp format", statusCode: 400 };
|
|
93
|
-
|
|
94
|
-
//
|
|
95
|
-
if (Math.abs(Date.now() - ts) > ms("
|
|
112
|
+
// Prevent replay attacks (2 minutes window)
|
|
113
|
+
// TODO: change back to 2m
|
|
114
|
+
if (Math.abs(Date.now() - ts) > ms("1 year")) {
|
|
96
115
|
return { success: false, error: "Request timestamp expired", statusCode: 401 };
|
|
97
116
|
}
|
|
98
|
-
const expectedSig = cryptoService.signRequest({ method, path, ts, body: req.body, nonce,
|
|
117
|
+
const expectedSig = cryptoService.signRequest({ method, path, ts, body: req.body, nonce, secretKey });
|
|
99
118
|
const providedSig = sigB64;
|
|
100
119
|
const ok = crypto.timingSafeEqual(Buffer.from(expectedSig, "base64"), Buffer.from(providedSig, "base64"));
|
|
101
|
-
if (!ok)
|
|
120
|
+
if (!ok)
|
|
102
121
|
return { success: false, error: "Invalid signature", statusCode: 401 };
|
|
103
|
-
|
|
104
|
-
|
|
122
|
+
// Prevent nonce replay attacks
|
|
123
|
+
const nonceValid = await validateNonce(apiKeyId, nonce);
|
|
124
|
+
if (!nonceValid)
|
|
125
|
+
return { success: false, error: "Nonce has already been used", statusCode: 401 };
|
|
105
126
|
req.apiUser = { id: apiKey.userId, isService: apiKey.isService, service: apiKey.service };
|
|
106
127
|
req.ethAddress = apiKey.ethAddress;
|
|
107
128
|
req.authMethod = isServiceAuth ? LevrAuth.SERVICE_HMAC : LevrAuth.HMAC;
|
|
108
|
-
// Update last used timestamp
|
|
109
129
|
await apiKeyRepository.updateApiKey({ apiKeyId }, { lastUsedAt: new Date(), usageCount: { increment: 1 } });
|
|
110
130
|
return { success: true };
|
|
111
131
|
}
|
|
112
132
|
catch (err) {
|
|
113
|
-
console.error(
|
|
133
|
+
console.error(`HMAC verification error:`, err);
|
|
114
134
|
return { success: false, error: "Signature verification failed", statusCode: 401 };
|
|
115
135
|
}
|
|
116
136
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"hmac.handler.js","sourceRoot":"","sources":["../../../../src/server/middleware/auth/hmac.handler.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAA;AAE3B,OAAO,EAAE,MAAM,IAAI,CAAA;AAEnB,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAoB,MAAM,eAAe,CAAA;AAEvE,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"hmac.handler.js","sourceRoot":"","sources":["../../../../src/server/middleware/auth/hmac.handler.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAA;AAE3B,OAAO,EAAE,MAAM,IAAI,CAAA;AAEnB,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAoB,MAAM,eAAe,CAAA;AAEvE,OAAO,EAAE,kBAAkB,EAAE,MAAM,cAAc,CAAA;AACjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,oBAAoB,CAAA;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAA;AAE9C,OAAO,2BAA2B,CAAA;AAElC;;GAEG;AACH,SAAS,cAAc,CAAC,YAAiC,EAAE,cAAmC;IAC1F,IAAI,CAAC,cAAc,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAA;IAC/D,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAA;AACxE,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CAAC,MAAc,EAAE,OAAyB;IAChE,MAAM,MAAM,GAAG,OAAO,CAAC,cAAc,IAAI,EAAE,CAAA;IAC3C,MAAM,WAAW,GAAG,OAAO,CAAC,qBAAqB,KAAK,KAAK,CAAA,CAAC,eAAe;IAE3E,IAAI,WAAW,IAAI,CAAC,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;QACnF,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,MAAM,EAAE,WAAW,CAAC,KAAK,CAAC,CAAA;QACzC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAA;AACjB,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,aAAa,CAAC,QAAgB,EAAE,KAAa;IACxD,MAAM,GAAG,GAAG,cAAc,QAAQ,IAAI,KAAK,EAAE,CAAA;IAC7C,IAAI,CAAC;QACD,+EAA+E;QAC/E,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,IAAI,CAAC,CAAA;QACpF,OAAO,MAAM,KAAK,IAAI,CAAA,CAAC,yDAAyD;IACpF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,yBAAyB,EAAE,GAAG,CAAC,CAAA;QAC7C,kEAAkE;QAClE,OAAO,IAAI,CAAA;IACf,CAAC;AACL,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,kBAAkB,CAAC,GAAY,EAAE,OAAyB,EAAE,aAAsB;IAC7F,6BAA6B;IAC7B,MAAM,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;IACxC,IAAI,CAAC,IAAI,EAAE,CAAC;QACR,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,8BAA8B,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;IACrF,CAAC;IAED,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAA;IACrD,IAAI,CAAC,CAAC,EAAE,CAAC;QACL,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,qCAAqC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;IAC5F,CAAC;IAED,MAAM,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,GAAG,CAAC,CAAA;IAC9B,IAAI,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,qCAAqC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;IAC5F,CAAC;IAED,gBAAgB;IAChB,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAA;IAC7D,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,iBAAiB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;IAEjF,wCAAwC;IACxC,IAAI,aAAa,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0CAA0C,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;IACjG,CAAC;IACD,IAAI,CAAC,aAAa,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,gDAAgD,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;IACvG,CAAC;IAED,mBAAmB;IACnB,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;QACpD,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,qBAAqB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;IAC5E,CAAC;IAED,mDAAmD;IACnD,IAAI,aAAa,IAAI,OAAO,CAAC,eAAe,IAAI,OAAO,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjF,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YACvE,OAAO;gBACH,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,kCAAkC,OAAO,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,MAAM,CAAC,OAAO,EAAE;gBACtG,UAAU,EAAE,GAAG;aAClB,CAAA;QACL,CAAC;IACL,CAAC;IAED,kBAAkB;IAClB,MAAM,cAAc,GAAG,iBAAiB,CAAC,GAAG,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC7D,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,MAAM,EAAE,cAAc,CAAC,EAAE,CAAC;QACjD,OAAO;YACH,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,kCAAkC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;YACpE,UAAU,EAAE,GAAG;SAClB,CAAA;IACL,CAAC;IAED,wBAAwB;IACxB,IAAI,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,aAAa,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC,CAAA;QAE/E,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,WAAW,EAAE,CAAA;QACvC,MAAM,IAAI,GAAG,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;QAC1C,MAAM,SAAS,GAAG,GAAG,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAA;QACnD,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAA;QAE3C,IAAI,CAAC,SAAS,EAAE,CAAC;YACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,oCAAoC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;QAC3F,CAAC;QAED,IAAI,CAAC,KAAK,EAAE,CAAC;YACT,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,gCAAgC,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;QACvF,CAAC;QAED,MAAM,EAAE,GAAG,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,CAAA;QAClC,IAAI,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,0BAA0B,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;QAEnG,4CAA4C;QAC5C,0BAA0B;QAC1B,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC3C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,2BAA2B,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;QAClF,CAAC;QAED,MAAM,WAAW,GAAG,aAAa,CAAC,WAAW,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC,CAAA;QACrG,MAAM,WAAW,GAAG,MAAM,CAAA;QAE1B,MAAM,EAAE,GAAG,MAAM,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,EAAE,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAA;QACzG,IAAI,CAAC,EAAE;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,mBAAmB,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;QAE/E,+BAA+B;QAC/B,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAA;QACvD,IAAI,CAAC,UAAU;YAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;QAEjG,GAAG,CAAC,OAAO,GAAG,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,EAAE,CAAA;QACzF,GAAG,CAAC,UAAU,GAAG,MAAM,CAAC,UAA4B,CAAA;QACpD,GAAG,CAAC,UAAU,GAAG,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAA;QAEtE,MAAM,gBAAgB,CAAC,YAAY,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,EAAE,UAAU,EAAE,EAAE,SAAS,EAAE,CAAC,EAAE,EAAE,CAAC,CAAA;QAE3G,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;IAC5B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACX,OAAO,CAAC,KAAK,CAAC,0BAA0B,EAAE,GAAG,CAAC,CAAA;QAC9C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,+BAA+B,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;IACtF,CAAC;AACL,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,GAAY,EAAE,OAAyB;IACxE,OAAO,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,KAAK,CAAC,CAAA;AAClD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,GAAY,EAAE,OAAyB;IAC/E,OAAO,kBAAkB,CAAC,GAAG,EAAE,OAAO,EAAE,IAAI,CAAC,CAAA;AACjD,CAAC"}
|
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
import type { Request } from "express";
|
|
2
2
|
import { LevrAuth, PrivyRole } from "../../../core";
|
|
3
|
+
import type { AuthResult } from "../../types/auth.types";
|
|
3
4
|
import "../../types/express.types";
|
|
4
|
-
import type { AuthResult } from "./hmac.handler";
|
|
5
5
|
/**
|
|
6
6
|
* Handles Privy authentication (User or Admin)
|
|
7
7
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"privy.handler.js","sourceRoot":"","sources":["../../../../src/server/middleware/auth/privy.handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AAC5C,OAAO,EAAE,kBAAkB,EAAY,yBAAyB,EAAE,qBAAqB,EAAa,MAAM,eAAe,CAAA;AACzH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;
|
|
1
|
+
{"version":3,"file":"privy.handler.js","sourceRoot":"","sources":["../../../../src/server/middleware/auth/privy.handler.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,MAAM,CAAA;AAC5C,OAAO,EAAE,kBAAkB,EAAY,yBAAyB,EAAE,qBAAqB,EAAa,MAAM,eAAe,CAAA;AACzH,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAE7C,OAAO,2BAA2B,CAAA;AAElC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,GAAY,EAAE,IAAe,EAAE,QAAkB;IACnF,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,yBAAyB,CAAC,EAAE,QAAQ,EAAE,CAAA;IACrE,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,qBAAqB,CAAC,EAAE,QAAQ,EAAE,CAAA;IACnE,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,QAAQ,EAAE,CAAA;IAE9D,IAAI,CAAC,UAAU,IAAI,CAAC,YAAY,EAAE,CAAC;QAC/B,OAAO;YACH,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,WAAW,yBAAyB,OAAO,qBAAqB,SAAS;YAChF,UAAU,EAAE,GAAG;SAClB,CAAA;IACL,CAAC;IAED,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,YAAY,CAAC,EAAE,UAAU,EAAE,YAAY,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,CAAA;IAEjG,IAAI,CAAC,SAAS,EAAE,CAAC;QACb,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,6BAA6B,EAAE,UAAU,EAAE,GAAG,EAAE,CAAA;IACpF,CAAC;IAED,mBAAmB;IACnB,GAAG,CAAC,SAAS,GAAG,SAAS,CAAA;IACzB,GAAG,CAAC,UAAU,GAAG,UAAU,IAAI,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAA;IACzH,GAAG,CAAC,UAAU,GAAG,QAAQ,CAAA;IAEzB,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAA;AAC5B,CAAC"}
|
|
@@ -26,7 +26,7 @@ declare const router: import("express-serve-static-core").Router;
|
|
|
26
26
|
* 'x-levr-auth-type': 'hmac',
|
|
27
27
|
* 'Authorization': 'HMAC <api-key-id>:<signature>',
|
|
28
28
|
* 'x-request-timestamp': '1234567890',
|
|
29
|
-
* 'x-request-nonce': 'random-string'
|
|
29
|
+
* 'x-request-nonce': 'random-string'
|
|
30
30
|
* }
|
|
31
31
|
* ```
|
|
32
32
|
*
|
|
@@ -36,7 +36,7 @@ declare const router: import("express-serve-static-core").Router;
|
|
|
36
36
|
* 'x-levr-auth-type': 'serviceHmac',
|
|
37
37
|
* 'Authorization': 'HMAC <api-key-id>:<signature>',
|
|
38
38
|
* 'x-request-timestamp': '1234567890',
|
|
39
|
-
* 'x-request-nonce': 'random-string'
|
|
39
|
+
* 'x-request-nonce': 'random-string'
|
|
40
40
|
* }
|
|
41
41
|
* ```
|
|
42
42
|
*/
|
|
@@ -96,7 +96,7 @@ router.get("/private-data", multiAuth({
|
|
|
96
96
|
* 'x-levr-auth-type': 'hmac',
|
|
97
97
|
* 'Authorization': 'HMAC <api-key-id>:<signature>',
|
|
98
98
|
* 'x-request-timestamp': '1234567890',
|
|
99
|
-
* 'x-request-nonce': 'random-string'
|
|
99
|
+
* 'x-request-nonce': 'random-string'
|
|
100
100
|
* }
|
|
101
101
|
* ```
|
|
102
102
|
*
|
|
@@ -106,7 +106,7 @@ router.get("/private-data", multiAuth({
|
|
|
106
106
|
* 'x-levr-auth-type': 'serviceHmac',
|
|
107
107
|
* 'Authorization': 'HMAC <api-key-id>:<signature>',
|
|
108
108
|
* 'x-request-timestamp': '1234567890',
|
|
109
|
-
* 'x-request-nonce': 'random-string'
|
|
109
|
+
* 'x-request-nonce': 'random-string'
|
|
110
110
|
* }
|
|
111
111
|
* ```
|
|
112
112
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"multiAuth.middleware.js","sourceRoot":"","sources":["../../../src/server/middleware/multiAuth.middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAoB,SAAS,EAAE,MAAM,YAAY,CAAA;
|
|
1
|
+
{"version":3,"file":"multiAuth.middleware.js","sourceRoot":"","sources":["../../../src/server/middleware/multiAuth.middleware.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,gBAAgB,EAAE,QAAQ,EAAoB,SAAS,EAAE,MAAM,YAAY,CAAA;AAEpF,OAAO,wBAAwB,CAAA;AAC/B,OAAO,EAAE,oBAAoB,EAAE,cAAc,EAAE,eAAe,EAAE,qBAAqB,EAAE,MAAM,QAAQ,CAAA;AAErG;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,MAAM,UAAU,SAAS,CAAC,OAAyB;IAC/C,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAC5E,MAAM,iBAAiB,GAAG,GAAG,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAA;QAEtD,oCAAoC;QACpC,IAAI,CAAC,iBAAiB,EAAE,CAAC;YACrB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACjB,KAAK,EAAE,WAAW,gBAAgB,SAAS;gBAC3C,gBAAgB,EAAE,OAAO,CAAC,OAAO;aACpC,CAAC,CAAA;YACF,OAAM;QACV,CAAC;QAED,4DAA4D;QAC5D,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,iBAA6B,CAAC,EAAE,CAAC;YAC3D,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACjB,KAAK,EAAE,4BAA4B,iBAAiB,EAAE;gBACtD,gBAAgB,EAAE,OAAO,CAAC,OAAO;aACpC,CAAC,CAAA;YACF,OAAM;QACV,CAAC;QAED,IAAI,MAAkB,CAAA;QAEtB,oCAAoC;QACpC,QAAQ,iBAAiB,EAAE,CAAC;YACxB,KAAK,QAAQ,CAAC,IAAI;gBACd,MAAM,GAAG,MAAM,cAAc,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;gBAC3C,MAAK;YAET,KAAK,QAAQ,CAAC,YAAY;gBACtB,MAAM,GAAG,MAAM,qBAAqB,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;gBAClD,MAAK;YAET,KAAK,QAAQ,CAAC,UAAU;gBACpB,MAAM,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,SAAS,CAAC,IAAI,EAAE,QAAQ,CAAC,UAAU,CAAC,CAAA;gBACxE,MAAK;YAET,KAAK,QAAQ,CAAC,WAAW;gBACrB,MAAM,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,SAAS,CAAC,KAAK,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAA;gBAC1E,MAAK;YAET,KAAK,QAAQ,CAAC,UAAU;gBACpB,MAAM,GAAG,MAAM,oBAAoB,CAAC,GAAG,CAAC,CAAA;gBACxC,MAAK;YAET;gBACI,MAAM,GAAG;oBACL,OAAO,EAAE,KAAK;oBACd,KAAK,EAAE,wBAAwB,iBAAiB,EAAE;oBAClD,UAAU,EAAE,GAAG;iBAClB,CAAA;QACT,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YAClB,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,UAAU,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAA;YAClE,OAAM;QACV,CAAC;QAED,IAAI,EAAE,CAAA;IACV,CAAC,CAAA;AACL,CAAC"}
|
|
@@ -4,15 +4,15 @@ interface SignRequestParams {
|
|
|
4
4
|
ts: number;
|
|
5
5
|
body: any;
|
|
6
6
|
nonce: string;
|
|
7
|
-
|
|
7
|
+
secretKey: string;
|
|
8
8
|
}
|
|
9
9
|
export declare const cryptoService: {
|
|
10
10
|
CMK_ID: string;
|
|
11
11
|
generateDataKey(): Promise<{
|
|
12
12
|
ciphertext: string;
|
|
13
|
-
|
|
13
|
+
secretKey: string;
|
|
14
14
|
}>;
|
|
15
|
-
signRequest({ method, path, ts, body, nonce,
|
|
16
|
-
|
|
15
|
+
signRequest({ method, path, ts, body, nonce, secretKey }: SignRequestParams): string;
|
|
16
|
+
getSecretKey(apiKeyId: string, ciphertextBase64: string): Promise<string>;
|
|
17
17
|
};
|
|
18
18
|
export {};
|
|
@@ -1,9 +1,8 @@
|
|
|
1
1
|
import { DecryptCommand, GenerateDataKeyCommand } from "@aws-sdk/client-kms";
|
|
2
2
|
import crypto from "crypto";
|
|
3
3
|
import _ from "lodash";
|
|
4
|
-
import { kmsClientManager } from "../config";
|
|
5
|
-
//
|
|
6
|
-
const keyCache = new Map();
|
|
4
|
+
import { kmsClientManager, redisClientManager } from "../config";
|
|
5
|
+
const CACHE_TTL = 5 * 60; // 5 minutes in seconds
|
|
7
6
|
export const cryptoService = {
|
|
8
7
|
CMK_ID: "b6050d0f-be5b-418c-9056-c53c1d982dec", // TODO: make per env
|
|
9
8
|
async generateDataKey() {
|
|
@@ -11,30 +10,36 @@ export const cryptoService = {
|
|
|
11
10
|
const gdk = await kmsClientManager.client.send(new GenerateDataKeyCommand({ KeyId: CMK_ID, KeySpec: "AES_256" }));
|
|
12
11
|
if (_.isNil(gdk.Plaintext) || _.isNil(gdk.CiphertextBlob))
|
|
13
12
|
throw new Error("Failed to generate data key");
|
|
14
|
-
const
|
|
13
|
+
const secretKey = Buffer.from(gdk.Plaintext).toString("base64");
|
|
15
14
|
const ciphertext = Buffer.from(gdk.CiphertextBlob).toString("base64");
|
|
16
|
-
return { ciphertext,
|
|
15
|
+
return { ciphertext, secretKey };
|
|
17
16
|
},
|
|
18
|
-
signRequest({ method, path, ts, body, nonce,
|
|
17
|
+
signRequest({ method, path, ts, body, nonce, secretKey }) {
|
|
19
18
|
const bodyString = body && Object.keys((body ?? {})).length > 0 ? JSON.stringify(body) : "";
|
|
20
19
|
const bodyHash = crypto.createHash("sha256").update(bodyString).digest("hex");
|
|
21
20
|
const toSign = `${method}\n${path ?? ""}\n${ts.toString()}\n${bodyHash}\n${nonce}`;
|
|
22
|
-
const h = crypto.createHmac("sha256",
|
|
21
|
+
const h = crypto.createHmac("sha256", secretKey);
|
|
23
22
|
h.update(toSign);
|
|
24
23
|
return h.digest("base64");
|
|
25
24
|
},
|
|
26
|
-
async
|
|
27
|
-
const
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
25
|
+
async getSecretKey(apiKeyId, ciphertextBase64) {
|
|
26
|
+
const cacheKey = `api_key_secret:${apiKeyId}`;
|
|
27
|
+
try {
|
|
28
|
+
const cached = await redisClientManager.primaryClient.get(cacheKey);
|
|
29
|
+
if (cached)
|
|
30
|
+
return cached;
|
|
31
|
+
const ciphertext = Buffer.from(ciphertextBase64, "base64");
|
|
32
|
+
const resp = await kmsClientManager.client.send(new DecryptCommand({ CiphertextBlob: ciphertext }));
|
|
33
|
+
if (!resp.Plaintext)
|
|
34
|
+
throw new Error("KMS Decrypt failed: No plaintext returned");
|
|
35
|
+
const secretKey = Buffer.from(resp.Plaintext).toString("base64");
|
|
36
|
+
await redisClientManager.primaryClient.setex(cacheKey, CACHE_TTL, secretKey);
|
|
37
|
+
return secretKey;
|
|
38
|
+
}
|
|
39
|
+
catch (err) {
|
|
40
|
+
console.error("Failed to get secret key:", err);
|
|
41
|
+
throw err;
|
|
42
|
+
}
|
|
38
43
|
},
|
|
39
44
|
};
|
|
40
45
|
//# sourceMappingURL=crypto.service.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"crypto.service.js","sourceRoot":"","sources":["../../../src/server/services/crypto.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAA;AAC5E,OAAO,MAAM,MAAM,QAAQ,CAAA;AAC3B,OAAO,CAAC,MAAM,QAAQ,CAAA;AACtB,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAA;
|
|
1
|
+
{"version":3,"file":"crypto.service.js","sourceRoot":"","sources":["../../../src/server/services/crypto.service.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAA;AAC5E,OAAO,MAAM,MAAM,QAAQ,CAAA;AAC3B,OAAO,CAAC,MAAM,QAAQ,CAAA;AACtB,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,WAAW,CAAA;AAWhE,MAAM,SAAS,GAAG,CAAC,GAAG,EAAE,CAAA,CAAC,uBAAuB;AAEhD,MAAM,CAAC,MAAM,aAAa,GAAG;IACzB,MAAM,EAAE,sCAAsC,EAAE,qBAAqB;IACrE,KAAK,CAAC,eAAe;QACjB,MAAM,MAAM,GAAG,sCAAsC,CAAA;QAErD,MAAM,GAAG,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,sBAAsB,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,CAAC,CAAC,CAAA;QACjH,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAA;QAEzG,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;QAC/D,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;QAErE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,CAAA;IACpC,CAAC;IACD,WAAW,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAqB;QACvE,MAAM,UAAU,GAAG,IAAI,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,IAAI,EAAE,CAAW,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;QACrG,MAAM,QAAQ,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QAC7E,MAAM,MAAM,GAAG,GAAG,MAAM,KAAK,IAAI,IAAI,EAAE,KAAK,EAAE,CAAC,QAAQ,EAAE,KAAK,QAAQ,KAAK,KAAK,EAAE,CAAA;QAClF,MAAM,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAA;QAChD,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;QAChB,OAAO,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IAC7B,CAAC;IACD,KAAK,CAAC,YAAY,CAAC,QAAgB,EAAE,gBAAwB;QACzD,MAAM,QAAQ,GAAG,kBAAkB,QAAQ,EAAE,CAAA;QAE7C,IAAI,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,kBAAkB,CAAC,aAAa,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;YACnE,IAAI,MAAM;gBAAE,OAAO,MAAM,CAAA;YAEzB,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,CAAA;YAC1D,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,cAAc,CAAC,EAAE,cAAc,EAAE,UAAU,EAAE,CAAC,CAAC,CAAA;YACnG,IAAI,CAAC,IAAI,CAAC,SAAS;gBAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAA;YAEjF,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;YAEhE,MAAM,kBAAkB,CAAC,aAAa,CAAC,KAAK,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,CAAA;YAE5E,OAAO,SAAS,CAAA;QACpB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACX,OAAO,CAAC,KAAK,CAAC,2BAA2B,EAAE,GAAG,CAAC,CAAA;YAC/C,MAAM,GAAG,CAAA;QACb,CAAC;IACL,CAAC;CACJ,CAAA"}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
interface GenerateAuthHeadersParams {
|
|
2
|
+
apiKeyId: string;
|
|
3
|
+
secretKey: string;
|
|
4
|
+
method: string;
|
|
5
|
+
path: string;
|
|
6
|
+
body?: any;
|
|
7
|
+
nonce?: string;
|
|
8
|
+
isService?: boolean;
|
|
9
|
+
}
|
|
10
|
+
interface HmacAuthHeaders {
|
|
11
|
+
"x-levr-auth-type": string;
|
|
12
|
+
Authorization: string;
|
|
13
|
+
"x-request-timestamp": string;
|
|
14
|
+
"x-request-nonce": string;
|
|
15
|
+
}
|
|
16
|
+
declare class HmacService {
|
|
17
|
+
/**
|
|
18
|
+
* Generates HMAC authentication headers for making authenticated requests
|
|
19
|
+
*/
|
|
20
|
+
generateAuthHeaders({ apiKeyId, secretKey, method, path, body, nonce, isService, }: GenerateAuthHeadersParams): HmacAuthHeaders;
|
|
21
|
+
/**
|
|
22
|
+
* Generates service-to-service HMAC authentication headers
|
|
23
|
+
*/
|
|
24
|
+
generateServiceAuthHeaders(params: Omit<GenerateAuthHeadersParams, "isService">): HmacAuthHeaders;
|
|
25
|
+
}
|
|
26
|
+
export declare const hmacService: HmacService;
|
|
27
|
+
export {};
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
import crypto from "crypto";
|
|
2
|
+
import { LevrAuth } from "../../core";
|
|
3
|
+
import { cryptoService } from "./crypto.service";
|
|
4
|
+
class HmacService {
|
|
5
|
+
/**
|
|
6
|
+
* Generates HMAC authentication headers for making authenticated requests
|
|
7
|
+
*/
|
|
8
|
+
generateAuthHeaders({ apiKeyId, secretKey, method, path, body, nonce, isService = false, }) {
|
|
9
|
+
const ts = Date.now();
|
|
10
|
+
const actualNonce = nonce || crypto.randomBytes(16).toString("hex");
|
|
11
|
+
// Generate signature using the crypto service
|
|
12
|
+
const signature = cryptoService.signRequest({
|
|
13
|
+
method: method.toUpperCase(),
|
|
14
|
+
path,
|
|
15
|
+
ts,
|
|
16
|
+
body,
|
|
17
|
+
nonce: actualNonce,
|
|
18
|
+
secretKey,
|
|
19
|
+
});
|
|
20
|
+
const headers = {
|
|
21
|
+
"x-levr-auth-type": isService ? LevrAuth.SERVICE_HMAC : LevrAuth.HMAC,
|
|
22
|
+
Authorization: `HMAC ${apiKeyId}:${signature}`,
|
|
23
|
+
"x-request-timestamp": ts.toString(),
|
|
24
|
+
"x-request-nonce": actualNonce,
|
|
25
|
+
};
|
|
26
|
+
return headers;
|
|
27
|
+
}
|
|
28
|
+
/**
|
|
29
|
+
* Generates service-to-service HMAC authentication headers
|
|
30
|
+
*/
|
|
31
|
+
generateServiceAuthHeaders(params) {
|
|
32
|
+
return this.generateAuthHeaders({ ...params, isService: true });
|
|
33
|
+
}
|
|
34
|
+
}
|
|
35
|
+
export const hmacService = new HmacService();
|
|
36
|
+
//# sourceMappingURL=hmac.service.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"hmac.service.js","sourceRoot":"","sources":["../../../src/server/services/hmac.service.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,QAAQ,CAAA;AAC3B,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AACrC,OAAO,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAA;AAmBhD,MAAM,WAAW;IACb;;OAEG;IACH,mBAAmB,CAAC,EAChB,QAAQ,EACR,SAAS,EACT,MAAM,EACN,IAAI,EACJ,IAAI,EACJ,KAAK,EACL,SAAS,GAAG,KAAK,GACO;QACxB,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;QACrB,MAAM,WAAW,GAAG,KAAK,IAAI,MAAM,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;QAEnE,8CAA8C;QAC9C,MAAM,SAAS,GAAG,aAAa,CAAC,WAAW,CAAC;YACxC,MAAM,EAAE,MAAM,CAAC,WAAW,EAAE;YAC5B,IAAI;YACJ,EAAE;YACF,IAAI;YACJ,KAAK,EAAE,WAAW;YAClB,SAAS;SACZ,CAAC,CAAA;QAEF,MAAM,OAAO,GAAoB;YAC7B,kBAAkB,EAAE,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI;YACrE,aAAa,EAAE,QAAQ,QAAQ,IAAI,SAAS,EAAE;YAC9C,qBAAqB,EAAE,EAAE,CAAC,QAAQ,EAAE;YACpC,iBAAiB,EAAE,WAAW;SACjC,CAAA;QAED,OAAO,OAAO,CAAA;IAClB,CAAC;IAED;;OAEG;IACH,0BAA0B,CAAC,MAAoD;QAC3E,OAAO,IAAI,CAAC,mBAAmB,CAAC,EAAE,GAAG,MAAM,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAA;IACnE,CAAC;CACJ;AAED,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAA"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/services/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAA;AACpC,cAAc,kBAAkB,CAAA;AAChC,cAAc,iBAAiB,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/services/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAA;AACpC,cAAc,kBAAkB,CAAA;AAChC,cAAc,gBAAgB,CAAA;AAC9B,cAAc,iBAAiB,CAAA"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"auth.types.js","sourceRoot":"","sources":["../../../src/server/types/auth.types.ts"],"names":[],"mappings":""}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/types/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAA"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/server/types/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAA;AAC5B,cAAc,iBAAiB,CAAA"}
|