verify-stream.js
3.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
/*global module*/
var Buffer = require('safe-buffer').Buffer;
var DataStream = require('./data-stream');
var jwa = require('jwa');
var Stream = require('stream');
var toString = require('./tostring');
var util = require('util');
var JWS_REGEX = /^[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.([a-zA-Z0-9\-_]+)?$/;
function isObject(thing) {
return Object.prototype.toString.call(thing) === '[object Object]';
}
function safeJsonParse(thing) {
if (isObject(thing))
return thing;
try { return JSON.parse(thing); }
catch (e) { return undefined; }
}
function headerFromJWS(jwsSig) {
var encodedHeader = jwsSig.split('.', 1)[0];
return safeJsonParse(Buffer.from(encodedHeader, 'base64').toString('binary'));
}
function securedInputFromJWS(jwsSig) {
return jwsSig.split('.', 2).join('.');
}
function signatureFromJWS(jwsSig) {
return jwsSig.split('.')[2];
}
function payloadFromJWS(jwsSig, encoding) {
encoding = encoding || 'utf8';
var payload = jwsSig.split('.')[1];
return Buffer.from(payload, 'base64').toString(encoding);
}
function isValidJws(string) {
return JWS_REGEX.test(string) && !!headerFromJWS(string);
}
function jwsVerify(jwsSig, algorithm, secretOrKey) {
if (!algorithm) {
var err = new Error("Missing algorithm parameter for jws.verify");
err.code = "MISSING_ALGORITHM";
throw err;
}
jwsSig = toString(jwsSig);
var signature = signatureFromJWS(jwsSig);
var securedInput = securedInputFromJWS(jwsSig);
var algo = jwa(algorithm);
return algo.verify(securedInput, signature, secretOrKey);
}
function jwsDecode(jwsSig, opts) {
opts = opts || {};
jwsSig = toString(jwsSig);
if (!isValidJws(jwsSig))
return null;
var header = headerFromJWS(jwsSig);
if (!header)
return null;
var payload = payloadFromJWS(jwsSig);
if (header.typ === 'JWT' || opts.json)
payload = JSON.parse(payload, opts.encoding);
return {
header: header,
payload: payload,
signature: signatureFromJWS(jwsSig)
};
}
function VerifyStream(opts) {
opts = opts || {};
var secretOrKey = opts.secret||opts.publicKey||opts.key;
var secretStream = new DataStream(secretOrKey);
this.readable = true;
this.algorithm = opts.algorithm;
this.encoding = opts.encoding;
this.secret = this.publicKey = this.key = secretStream;
this.signature = new DataStream(opts.signature);
this.secret.once('close', function () {
if (!this.signature.writable && this.readable)
this.verify();
}.bind(this));
this.signature.once('close', function () {
if (!this.secret.writable && this.readable)
this.verify();
}.bind(this));
}
util.inherits(VerifyStream, Stream);
VerifyStream.prototype.verify = function verify() {
try {
var valid = jwsVerify(this.signature.buffer, this.algorithm, this.key.buffer);
var obj = jwsDecode(this.signature.buffer, this.encoding);
this.emit('done', valid, obj);
this.emit('data', valid);
this.emit('end');
this.readable = false;
return valid;
} catch (e) {
this.readable = false;
this.emit('error', e);
this.emit('close');
}
};
VerifyStream.decode = jwsDecode;
VerifyStream.isValid = isValidJws;
VerifyStream.verify = jwsVerify;
module.exports = VerifyStream;