πŸ› pomelo: fix parsing & verification
jgalat authored and cruzdanilo committed Dec 13, 2023
1 parent b46c451 commit 1cdc3d1
Showing 3 changed files with 14 additions and 12 deletions.
2 changes: 1 addition & 1 deletion pomelo/api/transactions/authorizations.ts
@@ -25,7 +25,7 @@ export default async function authorizations(request: VercelRequest, response: V
return response.status(403).end("forbidden");
}

const parsed = authorizationRequest.safeParse(raw);
const parsed = authorizationRequest.safeParse(JSON.parse(raw));

if (parsed.success) {
const tx = await processTransaction(parsed.data);
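Review bot: `JSON.parse(raw)` throws a SyntaxError on a malformed body, so the non-throwing `safeParse` call no longer covers bad input and the async handler rejects instead of returning a controlled response. The 403 branch above (presumably the signature check) establishes who sent the bytes, not that they are valid JSON. Parse defensively first, for example `let json: unknown; try { json = JSON.parse(raw); } catch { return response.status(400).end("bad request"); }`, then call `authorizationRequest.safeParse(json)`. The handler body starts and ends outside the hunk, so an enclosing try/catch may already exist there.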
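--- a/pomelo/utils/buffer.ts
+++ b/pomelo/utils/buffer.ts
@@ -1,9 +1,11 @@
 import type { Readable } from "node:stream";
 
-export default async function buffer(readable: Readable) {
-const chunks = [];
-for await (const chunk of readable) {
-chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
-}
-return Buffer.concat(chunks);
+export default function buffer(request: Readable): Promise<Buffer> {
+return new Promise((r) => {
+const chunks: Buffer[] = [];
+request.on("data", (chunk: Buffer | string) => chunks.push(Buffer.from(chunk)));
+request.on("end", () => {
+r(Buffer.concat(chunks));
+});
+});
 }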
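Review bot: The promise returned by `buffer` has no rejection path: only `data` and `end` are handled, so a stream that errors before `end` leaves the awaiting handler pending, where the removed `for await` loop would have thrown. Take both executor callbacks, `new Promise((resolve, reject) => {`, and add `request.on("error", reject);`. The chunks are also accumulated with no size limit. Since `verifySignature` takes the body as an argument, this read presumably happens before the signature is checked, so an unauthenticated caller decides how much memory is buffered. A byte cap that destroys the stream and rejects once exceeded would bound that.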
10 changes: 5 additions & 5 deletions pomelo/utils/verify.ts
@@ -15,11 +15,11 @@ export function verifySignature(request: VercelRequest, body: string) {
let signature = request.headers["x-signature"];
const apiKey = request.headers["x-api-key"];

if (!valid(endpoint) || !valid(timestamp) || !valid(apiKey) || Array.isArray(apiKey) || !valid(signature)) {
if (!valid(endpoint) || !valid(timestamp) || !valid(apiKey) || !valid(signature)) {
return false;
}

if (!POMELO_API_KEY) return false;
if (apiKey !== POMELO_API_KEY || !POMELO_API_SECRET) return false;

if (signature.startsWith("hmac-sha256")) {
signature = signature.replace("hmac-sha256 ", "");
@@ -28,7 +28,7 @@ export function verifySignature(request: VercelRequest, body: string) {
}

const hmac = crypto
.createHmac("sha256", Buffer.from(POMELO_API_KEY, "base64"))
.createHmac("sha256", Buffer.from(POMELO_API_SECRET, "base64"))
.update(timestamp)
.update(endpoint)
.update(body);
@@ -47,11 +47,11 @@ export function signResponse(request: VercelRequest, response: VercelResponse, t
return response.status(400).end("bad request");
}

if (!POMELO_API_KEY) return response.status(500).end("internal server error");
if (apiKey !== POMELO_API_KEY || !POMELO_API_SECRET) return response.status(500).end("internal server error");

const timestamp = Math.floor(Date.now() / 1000).toString();

const hmac = crypto.createHmac("sha256", Buffer.from(POMELO_API_KEY, "base64")).update(timestamp).update(endpoint);
const hmac = crypto.createHmac("sha256", Buffer.from(POMELO_API_SECRET, "base64")).update(timestamp).update(endpoint);
if (text) hmac.update(text);

const hash = hmac.digest("base64");
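Review bot: In `signResponse` the new guard `apiKey !== POMELO_API_KEY || !POMELO_API_SECRET` answers 500 both when the server lacks its secret and when the caller sent a different `x-api-key`, so a client-side mismatch is reported as a server fault. Splitting it keeps the two cases distinguishable: `if (!POMELO_API_KEY || !POMELO_API_SECRET) return response.status(500).end("internal server error");` followed by `if (apiKey !== POMELO_API_KEY) return response.status(403).end("forbidden");`. In `verifySignature` the timestamp is fed into the HMAC, but no freshness check is visible in these hunks; if the lines outside them do not bound its age, a captured signed request remains replayable. Both function bodies continue outside the hunks, so the final signature comparison could not be reviewed here.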
