HMAC MD5 Validation with Node.js, Express and Trialpay


Question

I'm trying to authenticate a message sent from TrialPay using Node.js and Express. TrialPay signs requests with an HMAC-MD5 hash, and provides these instructions on validating.

Here is my code:

app.post('/trialpay', function(req, res) {

    var key = "[MY MERCHANT KEY]";
    var hash = req.header("TrialPay-HMAC-MD5");
    var data = req.body.toString();

    var crypted = require("crypto").createHmac("md5", key)
        .update(data)
        .digest("hex");

    if (hash == crypted) {
        res.writeHead(200, {"Content-Type": "text/plain"});
        res.end("Success!");
    } else {
        throw new Error("Invalid TrialPay Hash");
    }  
});

This is, obviously, not working (hash doesn't match).

Disclaimer: I'm extremely new to Node.js, and have little Javascript experience, to begin with.

UPDATE

I did not realize that the link was protected.


TrialPay uses your Notification-Key (set in your account information) as the secret key to sign the HMAC. For GET requests the query string that follows the question mark (in the URL) is signed. For POST requests the entire POST body is signed.

Here is an example of how TrialPay instructs you to validate in Google App Engine (Python):

class MyHandler(webapp.RequestHandler):
  def post(self):
    key = '[YOUR MERCHANT KEY]'
    tphash = self.request.headers['TrialPay-HMAC-MD5']
    # hmacmd5() is a helper whose definition is not shown here
    if hmacmd5(key, self.request.body) != tphash:
      logging.info('invalid trialpay hash')
      return

UPDATE 2

req.body prints as:

{ 
  oid: 'sample-order-id',
  sid: 'customer-sid',
  order_date: '04/24/2012',
  timestamp: '04/24/2012 16:28:46',
  first_name: 'customer-firstname',
  last_name: 'customer-lastname',
  email: 'customer@trialpay.com',
  revenue: '10.00',
  zip_code: '94041',
  country: 'US' 
}


Recommended answer


This should do the trick:

var crypto = require('crypto');

function calculateSignature(key) {
    return function(req, res, next) {
        var hash = req.header("TrialPay-HMAC-MD5"),
            hmac = crypto.createHmac("md5", key);

        req.on("data", function(data) {
            hmac.update(data);
        });

        req.on("end", function() {
            var crypted = hmac.digest("hex");

            if(crypted === hash) {
                // Valid request
                return res.send("Success!", { "Content-Type": "text/plain" });
            } else {
                // Invalid request
                return res.send("Invalid TrialPay hash", { "Content-Type": "text/plain" }, 403);
            }
        });

        req.on("error", function(err) {
            return next(err);
        });
    }
}

app.post("/trialpay", calculateSignature("[MY MERCHANT KEY]"));
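
The following is an added example, not part of the original answer: it shows why hashing a parsed `req.body` can never match, and verifies the signature over the raw POST bytes with a constant-time comparison. The function names, the sample key and the sample body are constructed for illustration, and the handler uses only Node's built-in request/response interface.

```javascript
const crypto = require("crypto");

// Hex HMAC-MD5 over the exact bytes that were received (Buffer or string).
function hmacMd5Hex(key, rawBody) {
    return crypto.createHmac("md5", key).update(rawBody).digest("hex");
}

// Compare the header against the expected digest in constant time.
function isValidSignature(key, rawBody, headerValue) {
    if (typeof headerValue !== "string") return false; // header missing
    const expected = Buffer.from(hmacMd5Hex(key, rawBody), "utf8");
    // Assumption: the header carries a hex digest; case is normalised.
    const received = Buffer.from(headerValue.trim().toLowerCase(), "utf8");
    // timingSafeEqual throws on unequal lengths, so check length first.
    return expected.length === received.length &&
        crypto.timingSafeEqual(expected, received);
}

// What the question's handler hashed: a parsed body object stringifies to
// "[object Object]", so its digest never depends on the signed bytes.
function hashOfParsedBody(key, parsedBody) {
    return hmacMd5Hex(key, parsedBody.toString());
}

// Handler for a route mounted before any body parser, so the stream is
// still unread. Uses only Node's http request/response interface.
function trialpayHandler(key, onValid) {
    return function (req, res) {
        const chunks = [];
        req.on("data", (chunk) => chunks.push(chunk));
        req.on("end", () => {
            const raw = Buffer.concat(chunks);
            const header = req.headers["trialpay-hmac-md5"]; // Node lowercases names
            if (!isValidSignature(key, raw, header)) {
                res.statusCode = 403;
                return res.end("Invalid TrialPay hash");
            }
            onValid(raw, res); // parse `raw` only after it has been verified
        });
    };
}

// Constructed sample values, not real TrialPay data.
const SAMPLE_KEY = "constructed-notification-key";
const SAMPLE_RAW = "oid=sample-order-id&sid=customer-sid&revenue=10.00";
const SAMPLE_HEADER = hmacMd5Hex(SAMPLE_KEY, SAMPLE_RAW);
```

If a body parser has to run on the same route, it needs to keep a copy of the raw bytes for this check, because re-serialising the parsed object is not guaranteed to reproduce the bytes that were signed.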
