add SHA-256 to TokenStrategy

Author: Eric Lambrecht

lib/passport-http-oauth/strategies/token.js

@@ -226,13 +226,24 @@ TokenStrategy.prototype.authenticate = function(req) {
         if (signature !== computedSignature) {
           return self.fail(self._challenge('signature_invalid'));
         }
+
+      } else if (signatureMethod == 'HMAC-SHA256') {
+        var key = utils.encode(consumerSecret) + '&';
+        if (tokenSecret) { key += utils.encode(tokenSecret); }
+        var computedSignature = utils.hmacsha256(key, base);
+
+        if (signature !== computedSignature) {
+          return self.fail(self._challenge('signature_invalid'));
+        }
+
       } else if (signatureMethod == 'PLAINTEXT') {
         var computedSignature = utils.plaintext(consumerSecret, tokenSecret);
 
         if (signature !== computedSignature) {
           return self.fail(self._challenge('signature_invalid'));
         }
-      } else{
+
+      } else {
         return self.fail(self._challenge('signature_method_rejected'), 400);
       }
 

test/strategies/token-test.js

@@ -335,7 +335,72 @@ vows.describe('TokenStrategy').addBatch({
       },
     },
   },
-  
+
+  'strategy handling a valid request with credentials in header using HMAC-SHA256 signature': {
+    topic: function() {
+      var strategy = new TokenStrategy(
+        // consumer callback
+        function(consumerKey, done) {
+          if (consumerKey == '1234') {
+            done(null, { id: '1' }, 'keep-this-secret');
+          } else {
+            done(new Error('something is wrong'))
+          }
+        },
+        // verify callback
+        function(accessToken, done) {
+          if (accessToken == 'abc-123-xyz-789') {
+            done(null, { username: 'bob' }, 'lips-zipped');
+          } else {
+            done(new Error('something is wrong'))
+          }
+        }
+      );
+      return strategy;
+    },
+    
+    'after augmenting with actions': {
+      topic: function(strategy) {
+        var self = this;
+        var req = {};
+        strategy.success = function(user, info) {
+          self.callback(null, user, info);
+        }
+        strategy.fail = function(challenge, status) {
+          self.callback(new Error('should not be called'));
+        }
+        strategy.error = function(err) {
+          self.callback(new Error('should not be called'));
+        }
+        
+        req.url = '/1/users/show.json?screen_name=jaredhanson&user_id=1705';
+        req.method = 'GET';
+        req.headers = {};
+        req.headers['host'] = '127.0.0.1:3000';
+        req.headers['authorization'] = 'OAuth oauth_consumer_key="1234",oauth_nonce="A7E738D9A9684A60A40607017735ADAD",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1339004912",oauth_token="abc-123-xyz-789",oauth_version="1.0",oauth_signature="IYG4DLnSdclIVr6rnq49cEjD7AaGqFiUGobOUAjDcpQ="';
+        req.query = url.parse(req.url, true).query;
+        req.connection = { encrypted: false };
+        process.nextTick(function () {
+          strategy.authenticate(req);
+        });
+      },
+      
+      'should not generate an error' : function(err, user, info) {
+        assert.isNull(err);
+      },
+      'should authenticate' : function(err, user, info) {
+        assert.equal(user.username, 'bob');
+      },
+      'should set scheme to OAuth' : function(err, user, info) {
+        assert.equal(info.scheme, 'OAuth');
+      },
+      'should set consumer' : function(err, user, info) {
+        assert.equal(info.consumer.id, '1');
+        assert.strictEqual(info.client, info.consumer);
+      },
+    },
+  },
+
   'strategy handling a valid request with credentials in header with all-caps scheme': {
     topic: function() {
       var strategy = new TokenStrategy(
@@ -797,7 +862,60 @@ vows.describe('TokenStrategy').addBatch({
       },
     },
   },
-  
+
+  'strategy handling a request with invalid HMAC-SHA256 signature': {
+    topic: function() {
+      var strategy = new TokenStrategy(
+        // consumer callback
+        function(consumerKey, done) {
+          done(null, { id: '1' }, 'keep-this-secret');
+        },
+        // verify callback
+        function(accessToken, done) {
+          done(null, { username: 'bob' }, 'lips-not-zipped');
+        }
+      );
+      return strategy;
+    },
+    
+    'after augmenting with actions': {
+      topic: function(strategy) {
+        var self = this;
+        var req = {};
+        strategy.success = function(user, info) {
+          self.callback(new Error('should not be called'));
+        }
+        strategy.fail = function(challenge, status) {
+          self.callback(null, challenge, status);
+        }
+        strategy.error = function(err) {
+          self.callback(new Error('should not be called'));
+        }
+        
+        req.url = '/1/users/show.json?screen_name=jaredhanson&user_id=1705';
+        req.method = 'GET';
+        req.headers = {};
+        req.headers['host'] = '127.0.0.1:3000';
+        req.headers['authorization'] = 'OAuth oauth_consumer_key="1234",oauth_nonce="A7E738D9A9684A60A40607017735ADAD",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1339004912",oauth_token="abc-123-xyz-789",oauth_version="1.0",oauth_signature="TBrJJJWS896yWrbklSbhEd9MGQc%3D"';
+        req.query = url.parse(req.url, true).query;
+        req.connection = { encrypted: false };
+        process.nextTick(function () {
+          strategy.authenticate(req);
+        });
+      },
+      
+      'should not generate an error' : function(err, challenge, status) {
+        assert.isNull(err);
+      },
+      'should respond with challenge' : function(err, challenge, status) {
+        assert.equal(challenge, 'OAuth realm="Users", oauth_problem="signature_invalid"');
+      },
+      'should respond with default status' : function(err, challenge, status) {
+        assert.isUndefined(status);
+      },
+    },
+  },
+
   'strategy handling a request with unknown signature method': {
     topic: function() {
       var strategy = new TokenStrategy(