max-nestjs 0.0.2 → 0.0.4
- package/dist/max-auth.guard.d.ts +1 -0
- package/dist/max-auth.guard.js +65 -88
- package/dist/max-auth.guard.js.map +1 -1
- package/package.json +3 -2
package/dist/max-auth.guard.d.ts
CHANGED
package/dist/max-auth.guard.js
CHANGED
|
@@ -15,47 +15,80 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
15
15
|
exports.MaxAuthGuard = void 0;
|
|
16
16
|
const common_1 = require("@nestjs/common");
|
|
17
17
|
const max_constants_1 = require("./max.constants");
|
|
18
|
-
const common_2 = require("@nestjs/common");
|
|
19
18
|
const crypto_1 = require("crypto");
|
|
20
19
|
const max_constants_2 = require("./max.constants");
|
|
20
|
+
const utils_nodejs_1 = require("@companix/utils-nodejs");
|
|
21
21
|
let MaxAuthGuard = class MaxAuthGuard {
|
|
22
22
|
constructor(options) {
|
|
23
23
|
this.options = options;
|
|
24
24
|
}
|
|
25
25
|
canActivate(context) {
|
|
26
26
|
const request = context.switchToHttp().getRequest();
|
|
27
|
-
const
|
|
28
|
-
if (typeof
|
|
27
|
+
const rawInitData = request.headers[this.options.headerName];
|
|
28
|
+
if (!rawInitData || typeof rawInitData !== 'string') {
|
|
29
29
|
throw new common_1.UnauthorizedException('MAX init data is missing');
|
|
30
30
|
}
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
31
|
+
try {
|
|
32
|
+
const { initData, entities } = this.parseInitData(rawInitData);
|
|
33
|
+
if (!this.validateInitData(entities, initData.hash)) {
|
|
34
|
+
throw new common_1.UnauthorizedException('Invalid MAX init data signature');
|
|
35
|
+
}
|
|
36
|
+
request.maxInitData = initData;
|
|
37
|
+
request.maxUser = initData.user;
|
|
38
|
+
return true;
|
|
39
|
+
}
|
|
40
|
+
catch (error) {
|
|
41
|
+
if (error instanceof common_1.HttpException) {
|
|
42
|
+
throw error;
|
|
43
|
+
}
|
|
44
|
+
throw new common_1.UnauthorizedException('Failed to validate Max init data');
|
|
45
|
+
}
|
|
35
46
|
}
|
|
36
|
-
validateInitData(
|
|
37
|
-
const
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
const launchParams = params
|
|
42
|
-
.filter((param) => param.key !== 'hash')
|
|
43
|
-
.sort((left, right) => left.key.localeCompare(right.key))
|
|
44
|
-
.map((param) => `${param.key}=${param.value}`)
|
|
47
|
+
validateInitData(entities, hash) {
|
|
48
|
+
const dataCheckString = entities
|
|
49
|
+
.filter(([key]) => key !== 'hash')
|
|
50
|
+
.sort(([leftKey], [rightKey]) => leftKey.localeCompare(rightKey))
|
|
51
|
+
.map(([key, value]) => `${key}=${value}`)
|
|
45
52
|
.join('\n');
|
|
46
53
|
const secretKey = (0, crypto_1.createHmac)('sha256', max_constants_2.MAX_WEB_APP_DATA_KEY).update(this.options.botToken).digest();
|
|
47
|
-
const calculatedHash = (0, crypto_1.createHmac)('sha256', secretKey).update(
|
|
48
|
-
|
|
49
|
-
|
|
54
|
+
const calculatedHash = (0, crypto_1.createHmac)('sha256', secretKey).update(dataCheckString).digest('hex');
|
|
55
|
+
return (0, utils_nodejs_1.safeEqual)(calculatedHash, hash);
|
|
56
|
+
}
|
|
57
|
+
parseInitData(rawInitData) {
|
|
58
|
+
const params = new URLSearchParams(rawInitData);
|
|
59
|
+
const entities = Array.from(params.entries());
|
|
60
|
+
const initData = {};
|
|
61
|
+
for (const [key, value] of entities) {
|
|
62
|
+
switch (key) {
|
|
63
|
+
case 'auth_date':
|
|
64
|
+
initData.auth_date = parseRequiredInteger(key, value);
|
|
65
|
+
break;
|
|
66
|
+
case 'hash':
|
|
67
|
+
initData.hash = value;
|
|
68
|
+
break;
|
|
69
|
+
case 'ip':
|
|
70
|
+
initData.ip = value;
|
|
71
|
+
break;
|
|
72
|
+
case 'query_id':
|
|
73
|
+
initData.query_id = value;
|
|
74
|
+
break;
|
|
75
|
+
case 'start_param':
|
|
76
|
+
initData.start_param = value;
|
|
77
|
+
break;
|
|
78
|
+
case 'chat':
|
|
79
|
+
initData.chat = parseJsonValue(key, value);
|
|
80
|
+
break;
|
|
81
|
+
case 'user':
|
|
82
|
+
initData.user = parseJsonValue(key, value);
|
|
83
|
+
break;
|
|
84
|
+
}
|
|
85
|
+
}
|
|
86
|
+
if (!initData.hash || !initData.auth_date || !initData.user) {
|
|
87
|
+
throw new common_1.BadRequestException('Invalid init data format');
|
|
50
88
|
}
|
|
51
89
|
return {
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
ip: getOptionalParam(params, 'ip'),
|
|
55
|
-
query_id: getOptionalParam(params, 'query_id'),
|
|
56
|
-
start_param: getOptionalParam(params, 'start_param'),
|
|
57
|
-
chat: parseOptionalJsonParam(params, 'chat'),
|
|
58
|
-
user: parseJsonValue(userParam.key, userParam.value)
|
|
90
|
+
entities,
|
|
91
|
+
initData: initData
|
|
59
92
|
};
|
|
60
93
|
}
|
|
61
94
|
};
|
|
@@ -65,75 +98,19 @@ exports.MaxAuthGuard = MaxAuthGuard = __decorate([
|
|
|
65
98
|
__param(0, (0, common_1.Inject)(max_constants_1.MAX_OPTIONS_SYMBOL)),
|
|
66
99
|
__metadata("design:paramtypes", [Object])
|
|
67
100
|
], MaxAuthGuard);
|
|
68
|
-
const
|
|
69
|
-
const
|
|
70
|
-
if (!
|
|
71
|
-
throw new
|
|
72
|
-
}
|
|
73
|
-
const params = parts.map(parseRawParam);
|
|
74
|
-
const occurrences = new Map();
|
|
75
|
-
for (const param of params) {
|
|
76
|
-
occurrences.set(param.key, (occurrences.get(param.key) ?? 0) + 1);
|
|
101
|
+
const parseRequiredInteger = (key, value) => {
|
|
102
|
+
const parsed = Number.parseInt(value, 10);
|
|
103
|
+
if (!Number.isFinite(parsed)) {
|
|
104
|
+
throw new common_1.BadRequestException(`Invalid MAX init data numeric value for "${key}"`);
|
|
77
105
|
}
|
|
78
|
-
|
|
79
|
-
if (count !== 1) {
|
|
80
|
-
throw new common_2.BadRequestException(`MAX init data contains duplicate parameter "${key}"`);
|
|
81
|
-
}
|
|
82
|
-
}
|
|
83
|
-
return params;
|
|
84
|
-
};
|
|
85
|
-
const parseRawParam = (rawParam) => {
|
|
86
|
-
const separatorIndex = rawParam.indexOf('=');
|
|
87
|
-
if (separatorIndex <= 0) {
|
|
88
|
-
throw new common_2.BadRequestException('Invalid MAX init data parameter');
|
|
89
|
-
}
|
|
90
|
-
const key = rawParam.slice(0, separatorIndex);
|
|
91
|
-
const encodedValue = rawParam.slice(separatorIndex + 1);
|
|
92
|
-
return {
|
|
93
|
-
key,
|
|
94
|
-
value: decodeValue(encodedValue)
|
|
95
|
-
};
|
|
96
|
-
};
|
|
97
|
-
const decodeValue = (value) => {
|
|
98
|
-
try {
|
|
99
|
-
return decodeURIComponent(value);
|
|
100
|
-
}
|
|
101
|
-
catch {
|
|
102
|
-
throw new common_2.BadRequestException('Failed to decode MAX init data parameter');
|
|
103
|
-
}
|
|
104
|
-
};
|
|
105
|
-
const getRequiredUniqueParam = (params, key) => {
|
|
106
|
-
const matches = params.filter((param) => param.key === key);
|
|
107
|
-
if (matches.length !== 1) {
|
|
108
|
-
throw new common_2.BadRequestException(`MAX init data must contain exactly one "${key}" parameter`);
|
|
109
|
-
}
|
|
110
|
-
return matches[0];
|
|
111
|
-
};
|
|
112
|
-
const getOptionalParam = (params, key) => {
|
|
113
|
-
const match = params.find((param) => param.key === key);
|
|
114
|
-
return match?.value;
|
|
115
|
-
};
|
|
116
|
-
const parseOptionalJsonParam = (params, key) => {
|
|
117
|
-
const value = getOptionalParam(params, key);
|
|
118
|
-
if (value === undefined) {
|
|
119
|
-
return undefined;
|
|
120
|
-
}
|
|
121
|
-
return parseJsonValue(key, value);
|
|
106
|
+
return parsed;
|
|
122
107
|
};
|
|
123
108
|
const parseJsonValue = (key, value) => {
|
|
124
109
|
try {
|
|
125
110
|
return JSON.parse(value);
|
|
126
111
|
}
|
|
127
112
|
catch {
|
|
128
|
-
throw new
|
|
129
|
-
}
|
|
130
|
-
};
|
|
131
|
-
const safeEqual = (left, right) => {
|
|
132
|
-
const leftBuffer = Buffer.from(left, 'utf8');
|
|
133
|
-
const rightBuffer = Buffer.from(right, 'utf8');
|
|
134
|
-
if (leftBuffer.length !== rightBuffer.length) {
|
|
135
|
-
return false;
|
|
113
|
+
throw new common_1.BadRequestException(`Invalid MAX init data JSON value for "${key}"`);
|
|
136
114
|
}
|
|
137
|
-
return (0, crypto_1.timingSafeEqual)(leftBuffer, rightBuffer);
|
|
138
115
|
};
|
|
139
116
|
//# sourceMappingURL=max-auth.guard.js.map
|
|
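Review bot: `auth_date` is parsed as a required integer in `parseInitData` (new line 64) but never compared with the clock anywhere in `canActivate`, so a signed init-data string, once captured, keeps passing the guard for as long as the bot token is unchanged; unless expiry is enforced elsewhere, add an age check after the signature test, e.g. `const ageSeconds = Math.floor(Date.now() / 1000) - initData.auth_date;` followed by `if (ageSeconds > (this.options.maxAgeSeconds ?? 86400)) throw new common_1.UnauthorizedException('MAX init data has expired');`. For a timestamp that check should also be strict about the input: `parseRequiredInteger` accepts `"123abc"` because `Number.parseInt` stops at the first non-digit, so a `/^\d+$/.test(value)` guard before parsing would be safer. The removed local `safeEqual` (old lines 131–138) wrapped `crypto_1.timingSafeEqual` with an explicit length check; its replacement `utils_nodejs_1.safeEqual` comes from a package whose length handling is not visible here, and since `crypto_1` is still imported the comparison could stay on `timingSafeEqual` without the new dependency. Dropping the old duplicate-parameter rejection looks safe on its own because every `URLSearchParams` entry, duplicates included, is folded into the data-check string, though note that only the last `hash` value wins in `parseInitData`.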
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"max-auth.guard.js","sourceRoot":"","sources":["../src/max-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,
|
|
1
|
+
{"version":3,"file":"max-auth.guard.js","sourceRoot":"","sources":["../src/max-auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAQuB;AACvB,mDAAoD;AAGpD,mCAAmC;AACnC,mDAAsD;AAEtD,yDAAkD;AAG3C,IAAM,YAAY,GAAlB,MAAM,YAAY;IACvB,YAEmB,OAAiC;QAAjC,YAAO,GAAP,OAAO,CAA0B;IACjD,CAAC;IAEG,WAAW,CAAC,OAAyB;QAC1C,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAc,CAAA;QAC/D,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;QAE5D,IAAI,CAAC,WAAW,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACpD,MAAM,IAAI,8BAAqB,CAAC,0BAA0B,CAAC,CAAA;QAC7D,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,GAAG,IAAI,CAAC,aAAa,CAAC,WAAW,CAAC,CAAA;YAE9D,IAAI,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACpD,MAAM,IAAI,8BAAqB,CAAC,iCAAiC,CAAC,CAAA;YACpE,CAAC;YAED,OAAO,CAAC,WAAW,GAAG,QAAQ,CAAA;YAC9B,OAAO,CAAC,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAA;YAE/B,OAAO,IAAI,CAAA;QACb,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,KAAK,YAAY,sBAAa,EAAE,CAAC;gBACnC,MAAM,KAAK,CAAA;YACb,CAAC;YAED,MAAM,IAAI,8BAAqB,CAAC,kCAAkC,CAAC,CAAA;QACrE,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,QAA4B,EAAE,IAAY;QACjE,MAAM,eAAe,GAAG,QAAQ;aAC7B,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,MAAM,CAAC;aACjC,IAAI,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;aAChE,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;aACxC,IAAI,CAAC,IAAI,CAAC,CAAA;QAEb,MAAM,SAAS,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,oCAAoB,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,CAAA;QACnG,MAAM,cAAc,GAAG,IAAA,mBAAU,EAAC,QAAQ,EAAE,SAAS,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QAE5F,OAAO,IAAA,wBAAS,EAAC,cAAc,EAAE,IAAI,CAAC,CAAA;IACxC,CAAC;IAEO,aAAa,CAAC,WAAmB;QACvC,MAAM,MAAM,GAAG,IAAI,eAAe,CAAC,WAAW,CAAC,CAAA;QAC/C,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAA;QAC7C,MAAM,QAAQ,GAAyB,EAAE,CAAA;QAEzC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,QAAQ,EAAE,CAAC;YACpC,QAAQ,GAAG,EAAE,CAAC;gBACZ,KAAK,WAAW;oBACd,QAAQ,CAAC,
SAAS,GAAG,oBAAoB,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;oBACrD,MAAK;gBACP,KAAK,MAAM;oBACT,QAAQ,CAAC,IAAI,GAAG,KAAK,CAAA;oBACrB,MAAK;gBACP,KAAK,IAAI;oBACP,QAAQ,CAAC,EAAE,GAAG,KAAK,CAAA;oBACnB,MAAK;gBACP,KAAK,UAAU;oBACb,QAAQ,CAAC,QAAQ,GAAG,KAAK,CAAA;oBACzB,MAAK;gBACP,KAAK,aAAa;oBAChB,QAAQ,CAAC,WAAW,GAAG,KAAK,CAAA;oBAC5B,MAAK;gBACP,KAAK,MAAM;oBACT,QAAQ,CAAC,IAAI,GAAG,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;oBAC1C,MAAK;gBACP,KAAK,MAAM;oBACT,QAAQ,CAAC,IAAI,GAAG,cAAc,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;oBAC1C,MAAK;YACT,CAAC;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,SAAS,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YAC5D,MAAM,IAAI,4BAAmB,CAAC,0BAA0B,CAAC,CAAA;QAC3D,CAAC;QAED,OAAO;YACL,QAAQ;YACR,QAAQ,EAAE,QAAuB;SAClC,CAAA;IACH,CAAC;CACF,CAAA;AAvFY,oCAAY;uBAAZ,YAAY;IADxB,IAAA,mBAAU,GAAE;IAGR,WAAA,IAAA,eAAM,EAAC,kCAAkB,CAAC,CAAA;;GAFlB,YAAY,CAuFxB;AAED,MAAM,oBAAoB,GAAG,CAAC,GAAW,EAAE,KAAa,EAAU,EAAE;IAClE,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;IAEzC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,4BAAmB,CAAC,4CAA4C,GAAG,GAAG,CAAC,CAAA;IACnF,CAAC;IAED,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAED,MAAM,cAAc,GAAG,CAAI,GAAW,EAAE,KAAa,EAAK,EAAE;IAC1D,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAM,CAAA;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,4BAAmB,CAAC,yCAAyC,GAAG,GAAG,CAAC,CAAA;IAChF,CAAC;AACH,CAAC,CAAA"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "max-nestjs",
|
|
3
|
-
"version": "0.0.
|
|
3
|
+
"version": "0.0.4",
|
|
4
4
|
"description": "NestJS helpers for validating MAX Mini App init data.",
|
|
5
5
|
"files": [
|
|
6
6
|
"dist",
|
|
@@ -22,7 +22,8 @@
|
|
|
22
22
|
"build": "rm -rf dist && tsc -p tsconfig.json"
|
|
23
23
|
},
|
|
24
24
|
"dependencies": {
|
|
25
|
-
"max-bridge": "*"
|
|
25
|
+
"max-bridge": "*",
|
|
26
|
+
"@companix/utils-nodejs": "*"
|
|
26
27
|
},
|
|
27
28
|
"devDependencies": {
|
|
28
29
|
"@nestjs/common": "^11.1.17",
|
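Review bot: `"@companix/utils-nodejs": "*"` (new line 26) puts the package that now performs the HMAC comparison in `max-auth.guard.js` on an unpinned wildcard range, so any future publish of it, including a breaking or compromised one, is accepted at install time; pin it to a caret range on the version the guard was built against, e.g. `"@companix/utils-nodejs": "^x.y.z"` with the real version, and ideally add a lockfile. The same applies to the pre-existing `"max-bridge": "*"`. Alternatively the guard could keep using `timingSafeEqual` from `node:crypto`, which it already imports, and this dependency would not be needed at all.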