/**
  * Handle an incoming request.
  *
  * @param Request $request
  * @param Closure $next
  *
  * @return mixed
  */
 public function handle($request, Closure $next)
 {
     $validationResult = Spec::define(['content-hash' => PrimitiveTypeConstraint::forType(ScalarTypes::SCALAR_STRING), 'authorization' => PrimitiveTypeConstraint::forType(ScalarTypes::SCALAR_STRING)], [], ['content-hash', 'authorization'])->check(array_map(function ($entry) {
         return $entry[0];
     }, $request->headers->all()));
     if ($validationResult->failed()) {
         return ApiResponse::makeFromSpec($validationResult)->toResponse();
     }
     $authorization = str_replace('Hash ', '', $request->headers->get('Authorization'));
     $content = $request->getContent();
     try {
         $pair = $this->finder->byPublicId($authorization, KeyPairTypes::TYPE_HMAC);
         $hasher = new HmacHasher();
         $verificationResult = $hasher->verify($request->headers->get('Content-Hash'), $content . Carbon::now()->format($this->format), $pair->getSecretKey());
         if ($verificationResult) {
             $request->attributes->set(static::ATTRIBUTE_KEYPAIR, $pair);
             return $next($request);
         }
         return ApiResponse::create([], ApiResponse::STATUS_INVALID, ['HMAC content hash does not match the expected hash.'])->toResponse();
     } catch (ModelNotFoundException $ex) {
         if ($ex->getModel() === KeyPair::class) {
             return ApiResponse::create([], ApiResponse::STATUS_INVALID, ['Unable to locate public ID. Check your credentials'])->toResponse();
         }
         throw $ex;
     }
 }
Example #2
0
 public function testVerify()
 {
     $hasher = new HmacHasher();
     $private = Str::random(256);
     $private2 = Str::random(256);
     $hash1 = $hasher->hash('this is a test', $private);
     $hash2 = $hasher->hash('another test', $private2);
     $this->assertEqualsMatrix([[true, $hasher->verify($hash1, 'this is a test', $private)], [false, $hasher->verify($hash1, 'this is a test', $private2)], [false, $hasher->verify($hash2, 'this is a test', $private)], [false, $hasher->verify($hash1, 'th1s 1s 4 t3st', $private)], [false, $hasher->verify($hash2, 'another test', $private)], [true, $hasher->verify($hash2, 'another test', $private2)]]);
 }
Example #3
0
 /**
  * Generate the content hash using the content string and the current date.
  *
  * @param $content
  *
  * @return string
  */
 public function hash($content)
 {
     return $this->hasher->hash($content . Carbon::now()->format('Y-m-d H:i'), $this->keyPair->secret_key);
 }
 public function testHandleWithMissingAuthorization()
 {
     $generator = new KeyPairGenerator();
     $hasher = new HmacHasher();
     $pair = $generator->generateHmac();
     $content = json_encode(['doge' => 'much secret']);
     $brokenRequest = Request::create('/auth/something/important/dont/hax/pls', 'POST', [], [], [], [], $content);
     $brokenRequest->headers->set('Content-Hash', $hasher->hash($content, $pair->getSecretKey()));
     $finder = m::mock(KeyPairFinderInterface::class);
     $finder->shouldReceive('byPublicId')->with($pair->getPublicId(), KeyPairTypes::TYPE_HMAC)->once()->andReturn($pair);
     $instance = new HmacMiddleware($finder);
     $response = $instance->handle($brokenRequest, function () {
         //
     });
     $body = Std::jsonDecode($response->getContent());
     $this->assertEqualsMatrix([['One or more fields are invalid. Please check your input.', $body['messages'][0]], [['authorization'], $body['missing']]]);
 }