I made a makeshift 'sso server' which I want to connect to Wix Answers. Wix is a CMS. Wix Answers is a help center where you can customer FAQs, have customers receive support videos, and the customer can enter tickets. Wix answers are what Wix uses for Wix's help pages and they make the same app available to users for the same purpose.
My 'sso server' is an AWS API Gateway pointing to a Lambda function. Pretty straight forward. You call the public endpoint and it runs this lambda:
var express = require('express');
var app = express();
var crypto = require('crypto'); //npm install crypto --save
var base64url = require('base64url'); //npm install base64url --save
var bodyParser = require('body-parser');
var KEY_ID = '1234567'; //note it's a uuid
var SECRET = '1234567xxxxxxxxxxxxxxxxxxxxxxxxxxx';
exports.handler = async (event) => {
//this assumes there is a login or some UI that will receive the needed redirect url
app.get('/login-form', function (request, response) {
var url = require('url');
var urlParts = url.parse(request.url, true);
var query = urlParts.query;
var answersRedirectUrl = query.redirectUrl;
//of course, in a real system the data will come from your own user system
var dummyUserData = {
id: 'your-user-id',
email: 'user#email.com',
firstName: 'Bob2',
lastName: 'Bobson',
profileImage: 'https://i.ytimg.com/vi/-90CAdWk27I/maxresdefault.jpg',
timestamp: Date.now()
};
var token = encryptUserData(JSON.stringify(dummyUserData), SECRET);
response.redirect(answersRedirectUrl + '&token=' + token + '&key=' + KEY_ID);
});
};
function encryptUserData(data, key) {
var iv = new Buffer('');
var bytes = new Buffer(key, 'utf-8');
var hashedKey = crypto.createHash('sha1').update(bytes).digest().slice(0, 16);
var cipher = crypto.createCipheriv('aes-128-ecb', hashedKey, iv);
var crypted = cipher.update(data, 'UTF-8', 'hex');
crypted += cipher.final('hex');
return base64url(new Buffer(crypted, 'hex'));
}
This code is a lambda modified version of the code Wix Answers sample js code from, here.
https://help.wixanswers.com/en/article/setting-up-single-sign-on-sso-for-your-users
There are dependencies, and I have loaded them all into a lambda, so its not a dependency issue.
Wix Answers is an easy setup, you give them a url for login and logout. you generate a key inside of Wix answers dashboard, and I have added that key to my lambda below (the ones below are masked obviously). I've added my endpoint to the field in wix answers.
I'm getting a null response and was able to get an object with object.message = "missing auth token"
Focusing on the JS and the lambda, is there anything that I am leaving out that would make this not work. Again not a lot of experience with express and these dependencies, or with SSO.
Thanks!!
Wix Has some good tools but lacks documentation sometimes. Here is how I solved this problem:
tutorial https://help.wixanswers.com/en/article/setting-up-single-sign-on-sso-for-your-users
their JS code from https://gist.github.com/GabiGrin/0c92ecbb071e02e2d91c8d689517acd7#file-answers-sso-example-js
What I did
//encrypt.js
var crypto = require('crypto'); //built in to node
var base64url = require('base64url'); //requires install 'npm install base64url'
var KEY_ID = 'abcedfghijklmnopqrstuvwxyz'; //from Wix Answers
var SECRET = 'fakefakefakefakefakefake'; //from Wix Answers
let user = {
id: '123456',
email: 'email#domain.com',
firstName: 'Homer',
lastName: 'Simpson',
profileImage: 'https://i.ytimg.com/vi/-90CAdWk27I/maxresdefault.jpg',
timestamp: Date.now()
};
function encryptUserData(data, key) {
var iv = new Buffer('');
var bytes = new Buffer(key, 'utf-8');
var hashedKey = crypto.createHash('sha1').update(bytes).digest().slice(0, 16);
var cipher = crypto.createCipheriv('aes-128-ecb', hashedKey, iv);
var crypted = cipher.update(data, 'UTF-8', 'hex');
crypted += cipher.final('hex');
return base64url(new Buffer(crypted, 'hex'));
}
var token = encryptUserData(JSON.stringify(user), SECRET);
console.log(`https://mysite.wixanswers.com/api/v1/accounts/callback/sso?redirectUrl=https%3A%2F%2Fmysite.wixanswers.com%2Fen&token=${token}&key=${KEY_ID}`);
Since my project is a concept, I have not integrated with a real identity server, as you can see i skip the authentication and go right to authorization (for my hard coded user: Homer Simpson). To mkae it work i'd need to add authentication and pass a dynamic user object to an export function in the module.
for the sake of the concept tho:
from the shell 'node encrypt.js'
returns a redirect URL in the console - when followed, successfully signs you into the Wix Answers platform with the proper user object.
Related
I wrote an interface to make requests to the internal audible api with python. Every API request needs to be signed with RSA SHA256.
Now I want to test the endpoints of the API with Postman and make use of the pre request script function. But I'm not firm with javascript. Maybe someone can help me in translate the following python function to a Postman script:
def sign_request(
request: httpx.Request, adp_token: str, private_key: str
) -> httpx.Request:
"""
Helper function who creates a signed requests for authentication.
:param request: The request to be signed
:param adp_token: the token is obtained after register as device
:param private_key: the rsa key obtained after register as device
:returns: The signed request
"""
method = request.method
path = request.url.path
query = request.url.query
body = request.content.decode("utf-8")
date = datetime.utcnow().isoformat("T") + "Z"
if query:
path += f"?{query}"
data = f"{method}\n{path}\n{date}\n{body}\n{adp_token}"
key = rsa.PrivateKey.load_pkcs1(private_key.encode())
cipher = rsa.pkcs1.sign(data.encode(), key, "SHA-256")
signed_encoded = base64.b64encode(cipher)
signed_header = {
"x-adp-token": adp_token,
"x-adp-alg": "SHA256withRSA:1.0",
"x-adp-signature": f"{signed_encoded.decode()}:{date}"
}
request.headers.update(signed_header)
return request
I found out how to get the request method and the body. I can get the path and query with pm.request.url.getPathWithQuery(). To add the headers to the request I use pm.request.headers.add.
But I doesn't know how to get the datetime in isoformat, join strings and sign the data.
I'm get it running with the pm lib. Thank you for your help.
The only issue is getting the private cert, who contains newlines, from env var gives an error with these code sig.init(privateKey);. I had to write the private cert string directly in the pre request script.
Here are my script.
eval( pm.globals.get('pmlib_code') );
var CryptoJS = require("crypto-js");
var moment = require("moment");
const adpToken = pm.environment.get("adp-token")
// private-key loaded from env var doesn't work because of newlines in it; bugfix
const privateKey = pm.environment.get("private-key")
// use private-key in pre request script directly make use of newline correctly
const privateKey2 = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...==\n-----END RSA PRIVATE KEY-----\n"
signRequest(pm.request, adpToken, privateKey);
function signRequest(request, adpToken, privateKey2) {
const method = request.method;
const path = request.url.getPathWithQuery();
const body = request.body || "";
const date = moment.utc().format();
const data = `${method}\n${path}\n${date}\n${body}\n${adpToken}`;
var sig = new pmlib.rs.KJUR.crypto.Signature({"alg": "SHA256withRSA"});
sig.init(privateKey);
var hash = sig.signString(data);
const signedEncoded = CryptoJS.enc.Base64.stringify(CryptoJS.enc.Hex.parse(hash));
pm.request.headers.add({
key: 'x-adp-token',
value: adpToken
});
pm.request.headers.add({
key: 'x-adp-alg',
value: 'SHA256withRSA:1.0'
});
pm.request.headers.add({
key: 'x-adp-signature',
value: `${signedEncoded}:${date}`
});
}
UPDATE:
Now reading the device cert from env var works. I had to replace const privateKey = pm.environment.get("private-key") with const privateKey = pm.environment.get("private-key").replace(/\\n/g, "\n")
The problem to make this in Postman is that you can use only those packages available in sandbox. So for this, you have crypto-js as the unique package helper for crypto operations.
var CryptoJS = require("crypto-js");
var moment = require("moment");
signRequest(pm.request, "yourAdpToken", "yourPrivateKey")
function signRequest(request, adpToken, privateKey) {
const method = request.method;
const path = request.url.getPathWithQuery();
const body = request.body.raw;
const date = moment.utc().format();
const data = `${method}\n${path}\n${date}\n${body}\n${adpToken}`
const hash = CryptoJS.HmacSHA256(data, privateKey);
const signedEncoded = CryptoJS.enc.Base64.stringify(hash);
pm.request.headers.add({
key: 'x-adp-token',
value: adpToken
});
pm.request.headers.add({
key: 'x-adp-alg',
value: 'SHA256withRSA:1.0'
});
pm.request.headers.add({
key: 'x-adp-signature',
value: `${CryptoJS.enc.Base64.parse(signedEncoded)}:${date}`
});
}
Adding the above to the Pre-request Script will add your wanted headers to the request like this:
You may need to change the encode parts, check the encode options
I am trying to create a signed JWT in postman with the following code
function base64url(source) {
// Encode in classical base64
encodedSource = CryptoJS.enc.Base64.stringify(source);
// Remove padding equal characters
encodedSource = encodedSource.replace(/=+$/, '');
// Replace characters according to base64url specifications
encodedSource = encodedSource.replace(/\+/g, '-');
encodedSource = encodedSource.replace(/\//g, '_');
return encodedSource;
}
function addIAT(request) {
var iat = Math.floor(Date.now() / 1000) + 257;
data.iat = iat;
return data;
}
var header = {
"typ": "JWT",
"alg": "HS256"
};
var data = {
"fname": "name",
"lname": "name",
"email": "email#domain.com",
"password": "abc123$"
};
data = addIAT(data);
var secret = 'myjwtsecret';
// encode header
var stringifiedHeader = CryptoJS.enc.Utf8.parse(JSON.stringify(header));
var encodedHeader = base64url(stringifiedHeader);
// encode data
var stringifiedData = CryptoJS.enc.Utf8.parse(JSON.stringify(data));
var encodedData = base64url(stringifiedData);
// build token
var token = encodedHeader + "." + encodedData;
// sign token
var signature = CryptoJS.HmacSHA256(token, secret);
signature = base64url(signature);
var signedToken = token + "." + signature;
postman.setEnvironmentVariable("payload", signedToken);
Code taken from https://gist.github.com/corbanb/db03150abbe899285d6a86cc480f674d .
I've been trying to input the PEM as the secret but does not work. Also can't find any HmacSHA256 overload that takes a PEM.
How can that be done?
The mention of postman changed this. I have a solution for you, but it's not exactly a clean way by any mean.
You'll need to create a request that you will need to execute whenever you open postman. Go as follows:
The purpose of this request is to side-load jsrsasign-js and storing it in a global Postman variable.
Once this is done, you can then use this content elsewhere. For every request you need a RSA256 JWT signature, the following pre-request script will update a variable (here, token) with the token:
var navigator = {};
var window = {};
eval(pm.globals.get("jsrsasign-js"));
function addIAT(request) {
var iat = Math.floor(Date.now() / 1000) + 257;
data.iat = iat;
return data;
}
var header = {"alg" : "RS256","typ" : "JWT"};
var data = {
"fname": "name",
"lname": "name",
"email": "email#domain.com",
"password": "abc123$"
};
data = addIAT(data);
var privateKey = "-----BEGIN RSA PRIVATE KEY----- \
MIIBOQIBAAJAcrqH0L91/j8sglOeroGyuKr1ABvTkZj0ATLBcvsA91/C7fipAsOn\
RqRPZr4Ja+MCx0Qvdc6JKXa5tSb51bNwxwIDAQABAkBPzI5LE+DuRuKeg6sLlgrJ\
h5+Bw9kUnF6btsH3R78UUANOk0gGlu9yUkYKUkT0SC9c6HDEKpSqILAUsXdx6SOB\
AiEA1FbR++FJ56CEw1BiP7l1drM9Mr1UVvUp8W71IsoZb1MCIQCKUafDLg+vPj1s\
HiEdrPZ3pvzvteXLSuniH15AKHEuPQIhAIsgB519UysMpXBDbtxJ64jGj8Z6/pOr\
NrwV80/EEz45AiBlgTLZ2w2LjuNIWnv26R0eBZ+M0jHGlD06wcZK0uLsCQIgT1kC\
uNcDTERjwEbFKJpXC8zTLSPcaEOlbiriIKMnpNw=\
-----END RSA PRIVATE KEY-----";
var sHeader = JSON.stringify(header);
var sPayload = JSON.stringify(data);
var sJWT = KJUR.jws.JWS.sign(header.alg, sHeader, sPayload, privateKey);
pm.variables.set('token', sJWT);
In order:
I define mock window and navigator objects as jsrsasign-js needs them.
I then eval() the content of what we fetched earlier in order to rehydrate everything
The rest of your code is simple usage of jsrsasign-js. Your token info is there, and I've defined a private key there. You can change this or use an environment variable; it's just there for demo purposes. I then simply use the rehydrated library to sign it, and set the variable to the value of the signed JWT.
A PEM, as you refer to it, is a container format specifying a combination of public and/or private key. You're using it to sign using HMAC-SHA256, which operates on a shared secret. This obviously isn't going to work (unless you take the poor man's approach and use your public key as the shared secret).
Fortunately enough, there are other signature methods defined in the RFCs. For instance, there is a way to sign using RSA, and a very convenient way of defining a public key as a JSON web key (JWK). We're going to be leveraging both.
I've generated a key pair for testing, they're named out and out.pub. Generation tool is genrsa (and as such, they're an RSA keypair).
In order to sign, we're going to have to change a few things:
We're changing algorithms from HS256 to RS256, as explained above
We're going to need a new library to do the signing itself, as crypto-js does not support asymmetric key crypto. We'll fall back to the native crypto module, though there are pure-JS alternatives
The code:
var CryptoJS = require("crypto-js");
var keyFileContent = require("fs").readFileSync("./out");
var pubkey = require("fs").readFileSync("./out.pub");
var base64url = require("base64url");
var nJwt = require("njwt");
function addIAT(request) {
var iat = Math.floor(Date.now() / 1000) + 257;
data.iat = iat;
return data;
}
var header = {
"typ": "JWT",
"alg": "RS256"
};
var data = {
"fname": "name",
"lname": "name",
"email": "email#domain.com",
"password": "abc123$"
};
data = addIAT(data);
// encode header
var stringifiedHeader = JSON.stringify(header);
var encodedHeader = base64url(stringifiedHeader);
// encode data
var stringifiedData = JSON.stringify(data);
var encodedData = base64url(stringifiedData);
// build token
var token = encodedHeader + "." + encodedData;
// sign token
var signatureAlg = require("crypto").createSign("sha256");
signatureAlg.update(token);
var signature = signatureAlg.sign(keyFileContent);
signature = base64url(signature);
var signedToken = token + "." + signature;
console.log(signedToken);
// Verify
var verifier = new nJwt.Verifier();
verifier.setSigningAlgorithm('RS256');
verifier.setSigningKey(pubkey);
verifier.verify(signedToken, function() {
console.log(arguments);
});
And that's it! It's quite literally that simple, although I would not recommend rewriting the sign() function from crypto from scratch. Leave it to a library that has had thorough inspection by the community, and crypto is pretty serious business.
I developed a desktop application with nwjs (nodejs / html / css ), now i want to put the app for the production so i need to prevent stealing my assets (my images are very valuables), nwjs provide a tool to compile (encrypt) the js files but not the asset so i thought about encrypting my assets with a js then encrypt the js with nwjs tool, i am not very familiare with node modules and dealing with files in js so i struggled with this task !
This code is what i tried to do but i did not reach my goal ?
encrypt
let crypto;
try {
crypto = require('crypto');
} catch (err) {
console.log('crypto support is disabled!');
}
var algorithm = 'aes-256-ctr',
password = 'secret';
var fs = require('fs');
var r;
// encrypt content
var encrypt = crypto.createCipher(algorithm, password);
// decrypt content
var decrypt = crypto.createDecipher(algorithm, password);
// write file
var w;
var path = require('path');
var dirPath = './Files/'; //directory path
var fileType = '.' + 'jpg'; //file extension
var files = [];
fs2.readdir(dirPath, function (err, list) {
if (err) throw err;
for (var i = 0; i < list.length; i++) {
if (path.extname(list[i]) === fileType) {
r = fs.createReadStream('Files/' + list[i]);
w = fs.createWriteStream('encFiles/' + list[i].replace('.jpg', ''));
console.log(list[i]); //print the file
// start pipe
r.pipe(encrypt).pipe(w);
}
}
});
decrypt
'use strict';
var crypt = require('crypto'),
algorithm = 'aes-256-ctr',
password = 'secret';
var fs = require('fs');
var zlib = require('zlib');
var toArray = require('stream-to-array');
// input file
var r = fs.createReadStream('./encFiles/an example file');
// decrypt content
var decrypt = crypt.createDecipher(algorithm, password);
//b64 module so i could put the base64 data to img html element
const B64 = require('b64');
const encoder = new B64.Encoder();
// start pipe
var stream = r.pipe(decrypt);
var d = stream.pipe(encoder);
d.pipe(process.stdout);
var data;
toArray(stream, function(err, arr) {
console.log(err,arr);
data = Buffer.concat(arr);
console.log(data);
});
console.log(data);
thank you for giving me comments on the code or other IDEAS
So the solution was so simple, I used the nw-js code protection feature to protected the script in which I decrypt the assets (images in my case) (this script contains the key of decryption), so you could implement the encryption/decryption with any method you want and protect the decryption script which is going to be shipped with you product (in my case the desktop app).
Since you are building a desktop app, you may want to look at cryptojs for this. I would still strongly suggest that you watermark images and hide them when your application looses focus. Even with that, screenshots can be taken without leaving your application.
So I'm building a connector using the Domo developer tool (they like to call it an IDE) and I just can't seem to get the authentication piece working with their libraries.
Domo uses httprequest library for basic and oauth types of authentication.
I'm having trouble getting token back through Domo, but I can easily do it through a curl or by using the Postman api tool.
Here's the code below:
var client_id = '4969e1ea-71b9-3267-ae7d-4ce0ac6bfa28';
var client_secret = '*****************************';
var user = '*********';
var pass = '*********';
var postData =
{
data: {
'grant_type': 'password',
'username': user,
'password': pass,
'client_id': client_id,
'client_secret': client_secret,
'scope': 'internal'
}
};
var res = httprequest.post('https://rest.synthesio.com/security/v1/oauth/token', postData);
DOMO.log('res: ' + res);
Pleae let me know if you have a different way of approaching this. I've tried to add the header within the postData object itself as well as removing the data variable, leaving the attributes as is, too.
When you past the postData as an object like that, DOMO will run it through JSON.stringify and send the result in the request body.
You can either encode the request body manually or use their httprequest.addParameter function to add them. Try something like this:
var client_id = '4969e1ea-71b9-3267-ae7d-4ce0ac6bfa28';
var client_secret = '*****************************';
var user = '*********';
var pass = '*********';
httprequest.addParameter('grant_type', 'password');
httprequest.addParameter('username', user);
httprequest.addParameter('password', pass);
httprequest.addParameter('client_id', client_id);
httprequest.addParameter('client_secret', client_secret);
httprequest.addParameter('scope', 'internal');
var res = httprequest.post('https://rest.synthesio.com/security/v1/oauth/token');
DOMO.log('res: ' + res);
I'm trying to use VersionOne JS SDK in Node.js (https://github.com/versionone/VersionOne.SDK.JavaScript). I'm simply downloading whole library, placing it alongside with my js file:
var v1 = require('./v1sdk/v1sdk.js');
var V1Server = v1.V1Server;
console.log(v1);
console.log(V1Server);
Unfortunately something seems wrong, the output I get after calling
node app.js
is:
{}
undefined
Can somebody point me what I'm doing wrong or check whether the sdk is valid.
Thanks!
You can see in the source where V1Server is defined, that it's a class with a constructor. So you need to use the new keyword and pass the arguments for your environment.
https://github.com/versionone/VersionOne.SDK.JavaScript/blob/master/client.coffee#L37
var server = new V1Server('cloud'); //and more if you need
Can you try the sample.js script that I just updated from here:
https://github.com/versionone/VersionOne.SDK.JavaScript/blob/master/sample.js
It pulls in the two modules like this:
var V1Meta = require('./v1meta').V1Meta;
var V1Server = require('./client').V1Server;
var hostname = "www14.v1host.com";
var instance = "v1sdktesting";
var username = "api";
var password = "api";
var port = "443";
var protocol = "https";
var server = new V1Server(hostname, instance, username, password, port, protocol);
var v1 = new V1Meta(server);
v1.query({
from: "Member",
where: {
IsSelf: 'true'
},
select: ['Email', 'Username', 'ID'],
success: function(result) {
console.log(result.Email);
console.log(result.Username);
console.log(result.ID);
},
error: function(err) { // NOTE: this is not working correctly yet, not called...
console.log(err);
}
});
You might have to get the latest and build the JS from CoffeeScript.
I think I was trying out "browserify" last year and that's how the "v1sdk.js" file got generated. But I'm not sure if that's the best approach if you're using node. It's probably better just to do it the way the sample.js file is doing it.
However, I did also check in a change to v1sdk.coffee which property exports the two other modules, just as a convenience. With that, you can look at sample2.js. The only different part there is this, which is more like you were trying to do with your example:
var v1sdk = require('./v1sdk');
var hostname = "www14.v1host.com";
var instance = "v1sdktesting";
var username = "api";
var password = "api";
var port = "443";
var protocol = "https";
var server = new v1sdk.V1Server(hostname, instance, username, password, port, protocol);
var v1 = new v1sdk.V1Meta(server);