Merge pull request #5 from eml/sha-256

add SHA-256 support

Author: jaredhanson

lib/passport-http-oauth/strategies/consumer.js

@@ -293,6 +293,15 @@ ConsumerStrategy.prototype.authenticate = function(req) {
         if (tokenSecret) { key += utils.encode(tokenSecret); }
         var computedSignature = utils.hmacsha1(key, base);
 
+        if (signature !== computedSignature) {
+          return self.fail(self._challenge('signature_invalid'));
+        }
+
+      } else if (signatureMethod === 'HMAC-SHA256') {
+        var key = consumerSecret + '&';
+        if (tokenSecret) { key += tokenSecret; }
+        var computedSignature = utils.hmacsha256(key, base);
+
         if (signature !== computedSignature) {
           return self.fail(self._challenge('signature_invalid'));
         }

lib/passport-http-oauth/strategies/token.js

@@ -226,13 +226,24 @@ TokenStrategy.prototype.authenticate = function(req) {
         if (signature !== computedSignature) {
           return self.fail(self._challenge('signature_invalid'));
         }
+
+      } else if (signatureMethod == 'HMAC-SHA256') {
+        var key = utils.encode(consumerSecret) + '&';
+        if (tokenSecret) { key += utils.encode(tokenSecret); }
+        var computedSignature = utils.hmacsha256(key, base);
+
+        if (signature !== computedSignature) {
+          return self.fail(self._challenge('signature_invalid'));
+        }
+
       } else if (signatureMethod == 'PLAINTEXT') {
         var computedSignature = utils.plaintext(consumerSecret, tokenSecret);
 
         if (signature !== computedSignature) {
           return self.fail(self._challenge('signature_invalid'));
         }
-      } else{
+
+      } else {
         return self.fail(self._challenge('signature_method_rejected'), 400);
       }
 

lib/passport-http-oauth/strategies/utils.js

@@ -185,6 +185,18 @@ exports.hmacsha1 = function(key, text) {
   return crypto.createHmac('sha1', key).update(text).digest('base64')
 }
 
+/**
+ * Generate HMAC-SHA256 signature.
+ *
+ * @param {String} key
+ * @param {String} text
+ * @return {String}
+ * @api private
+ */
+exports.hmacsha256 = function(key, text) {
+  return crypto.createHmac('sha256', key).update(text).digest('base64')
+}
+
 /**
  * Generate PLAINTEXT signature.
  *

test/strategies/consumer-test.js

@@ -314,7 +314,67 @@ vows.describe('ConsumerStrategy').addBatch({
       },
     },
   },
-  
+
+  'strategy handling a valid request without a request token using HMAC-256 signature': {
+    topic: function() {
+      var strategy = new ConsumerStrategy(
+        // consumer callback
+        function(consumerKey, done) {
+          if (consumerKey == 'abc123') {
+            done(null, { id: '1' }, 'ssh-secret');
+          } else {
+            done(new Error('something is wrong'))
+          }
+        },
+        // token callback
+        function(requestToken, done) {
+          done(new Error('token callback should not be called'));
+        }
+      );
+      return strategy;
+    },
+    
+    'after augmenting with actions': {
+      topic: function(strategy) {
+        var self = this;
+        var req = {};
+        strategy.success = function(user, info) {
+          self.callback(null, user, info);
+        }
+        strategy.fail = function(challenge, status) {
+          self.callback(new Error('should not be called'));
+        }
+        strategy.error = function(err) {
+          self.callback(new Error('should not be called'));
+        }
+        
+        req.url = '/oauth/request_token';
+        req.method = 'POST';
+        req.headers = {};
+        req.headers['host'] = '127.0.0.1:3000';
+        req.headers['authorization'] = 'OAuth oauth_callback="http%3A%2F%2Fmacbook-air.local.jaredhanson.net%3A3001%2Foauth%2Fcallback",oauth_consumer_key="abc123",oauth_nonce="fNyKdt8ZTgTVdEABtUMFzcXRxF4a230q",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1341176111",oauth_version="1.0",oauth_signature="qlKeUBu8wDmP/L24e4SErAoSmyomhyHgiL9J3xnX9Xk="';
+        req.query = url.parse(req.url, true).query;
+        req.connection = { encrypted: false };
+        process.nextTick(function () {
+          strategy.authenticate(req);
+        });
+      },
+      
+      'should not generate an error' : function(err, user, info) {
+        assert.isNull(err);
+      },
+      'should authenticate' : function(err, user, info) {
+        assert.equal(user.id, '1');
+      },
+      'should set scheme to OAuth' : function(err, user, info) {
+        assert.equal(info.scheme, 'OAuth');
+      },
+      'should set callbackURL' : function(err, user, info) {
+        assert.equal(info.oauth.callbackURL, 'http://macbook-air.local.jaredhanson.net:3001/oauth/callback');
+      },
+    },
+  },
+
   'strategy handling a valid request without a request token placing credentials in header with all-caps scheme': {
     topic: function() {
       var strategy = new ConsumerStrategy(
@@ -654,6 +714,59 @@ vows.describe('ConsumerStrategy').addBatch({
       },
     },
   },
+
+  'strategy handling a valid request without a request token using HMAC-SHA256 signature where consumer secret is wrong': {
+    topic: function() {
+      var strategy = new ConsumerStrategy(
+        // consumer callback
+        function(consumerKey, done) {
+          done(null, { id: '1' }, 'ssh-secret-wrong');
+        },
+        // token callback
+        function(requestToken, done) {
+          done(new Error('token callback should not be called'));
+        }
+      );
+      return strategy;
+    },
+    
+    'after augmenting with actions': {
+      topic: function(strategy) {
+        var self = this;
+        var req = {};
+        strategy.success = function(user, info) {
+          self.callback(new Error('should not be called'));
+        }
+        strategy.fail = function(challenge, status) {
+          self.callback(null, challenge, status);
+        }
+        strategy.error = function(err) {
+          self.callback(new Error('should not be called'));
+        }
+        
+        req.url = '/oauth/request_token';
+        req.method = 'POST';
+        req.headers = {};
+        req.headers['host'] = '127.0.0.1:3000';
+        req.headers['authorization'] = 'OAuth oauth_callback="http%3A%2F%2Fmacbook-air.local.jaredhanson.net%3A3001%2Foauth%2Fcallback",oauth_consumer_key="abc123",oauth_nonce="fNyKdt8ZTgTVdEABtUMFzcXRxF4a230q",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1341176111",oauth_version="1.0",oauth_signature="ignored"';
+        req.query = url.parse(req.url, true).query;
+        req.connection = { encrypted: false };
+        process.nextTick(function () {
+          strategy.authenticate(req);
+        });
+      },
+      
+      'should not generate an error' : function(err, challenge, status) {
+        assert.isNull(err);
+      },
+      'should respond with challenge' : function(err, challenge, status) {
+        assert.equal(challenge, 'OAuth realm="Clients", oauth_problem="signature_invalid"');
+      },
+      'should respond with default status' : function(err, challenge, status) {
+        assert.isUndefined(status);
+      },
+    },
+  },
 
   'strategy handling a valid request without a request token using unkown signature method': {
     topic: function() {
@@ -1003,7 +1116,72 @@ vows.describe('ConsumerStrategy').addBatch({
       },
     },
   },
-  
+
+  'strategy handling a valid request with a request token using HMAC-SHA256 signature': {
+    topic: function() {
+      var strategy = new ConsumerStrategy(
+        // consumer callback
+        function(consumerKey, done) {
+          if (consumerKey == 'abc123') {
+            done(null, { id: '1' }, 'ssh-secret');
+          } else {
+            done(new Error('something is wrong'))
+          }
+        },
+        // token callback
+        function(requestToken, done) {
+          if (requestToken == 'wM9YRRm5') {
+            done(null, 'rxt0E5hKbslOEtzxD43hclL28XBZLJsF');
+          } else {
+            done(new Error('something is wrong'))
+          }
+        }
+      );
+      return strategy;
+    },
+    
+    'after augmenting with actions': {
+      topic: function(strategy) {
+        var self = this;
+        var req = {};
+        strategy.success = function(user, info) {
+          self.callback(null, user, info);
+        }
+        strategy.fail = function(challenge, status) {
+          self.callback(new Error('should not be called'));
+        }
+        strategy.error = function(err) {
+          self.callback(new Error('should not be called'));
+        }
+        
+        req.url = '/oauth/access_token';
+        req.method = 'POST';
+        req.headers = {};
+        req.headers['host'] = '127.0.0.1:3000';
+        req.headers['authorization'] = 'OAuth oauth_consumer_key="abc123",oauth_nonce="KyEf2M5ptWGDcz04jMScA2iJHkXHzkUW",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1341178687",oauth_token="wM9YRRm5",oauth_verifier="qriPjOnc",oauth_version="1.0",oauth_signature="06Kn8VWWkoLLz2yKbtc1j8hVXjFMlORwVMedb5S3otE="';
+        req.query = url.parse(req.url, true).query;
+        req.connection = { encrypted: false };
+        process.nextTick(function () {
+          strategy.authenticate(req);
+        });
+      },
+      
+      'should not generate an error' : function(err, user, info) {
+        assert.isNull(err);
+      },
+      'should authenticate' : function(err, user, info) {
+        assert.equal(user.id, '1');
+      },
+      'should set scheme to OAuth' : function(err, user, info) {
+        assert.equal(info.scheme, 'OAuth');
+      },
+      'should include token and verifier' : function(err, user, info) {
+        assert.equal(info.oauth.token, 'wM9YRRm5');
+        assert.equal(info.oauth.verifier, 'qriPjOnc');
+      },
+    },
+  },
+
   'strategy handling a valid request with a request token where token callback supplies info': {
     topic: function() {
       var strategy = new ConsumerStrategy(
@@ -1399,6 +1577,59 @@ vows.describe('ConsumerStrategy').addBatch({
     },
   },
 
+  'strategy handling a valid request with a request token using HMAC-SHA256 signature where token secret is wrong': {
+    topic: function() {
+      var strategy = new ConsumerStrategy(
+        // consumer callback
+        function(consumerKey, done) {
+          done(null, { id: '1' }, 'ssh-secret');
+        },
+        // token callback
+        function(requestToken, done) {
+          done(null, 'rxt0E5hKbslOEtzxD43hclL28XBZLJsF-wrong');
+        }
+      );
+      return strategy;
+    },
+    
+    'after augmenting with actions': {
+      topic: function(strategy) {
+        var self = this;
+        var req = {};
+        strategy.success = function(user, info) {
+          self.callback(new Error('should not be called'));
+        }
+        strategy.fail = function(challenge, status) {
+          self.callback(null, challenge, status);
+        }
+        strategy.error = function(err) {
+          self.callback(new Error('should not be called'));
+        }
+        
+        req.url = '/oauth/access_token';
+        req.method = 'POST';
+        req.headers = {};
+        req.headers['host'] = '127.0.0.1:3000';
+        req.headers['authorization'] = 'OAuth oauth_consumer_key="abc123",oauth_nonce="KyEf2M5ptWGDcz04jMScA2iJHkXHzkUW",oauth_signature_method="HMAC-SHA256",oauth_timestamp="1341178687",oauth_token="wM9YRRm5",oauth_verifier="qriPjOnc",oauth_version="1.0",oauth_signature="nobodycares"';
+        req.query = url.parse(req.url, true).query;
+        req.connection = { encrypted: false };
+        process.nextTick(function () {
+          strategy.authenticate(req);
+        });
+      },
+      
+      'should not generate an error' : function(err, user, info) {
+        assert.isNull(err);
+      },
+      'should respond with challenge' : function(err, challenge, status) {
+        assert.equal(challenge, 'OAuth realm="Clients", oauth_problem="signature_invalid"');
+      },
+      'should respond with default status' : function(err, challenge, status) {
+        assert.isUndefined(status);
+      },
+    },
+  },
+
   'strategy handling a valid request with a request token where consumer callback fails with an error': {
     topic: function() {
       var strategy = new ConsumerStrategy(