Pau*_*rke 7 javascript cryptography node.js express
我正在尝试使用Node.js和Express验证从TrialPay发送的消息.TrialPay使用HMAC-MD5哈希对请求进行签名,并提供有关验证的这些说明.
这是我的代码:
app.post('/trialpay', function(req, res) {
var key = "[MY MERCHANT KEY]";
var hash = req.header("TrialPay-HMAC-MD5");
var data = req.body.toString();
var crypted = require("crypto").createHmac("md5", key)
.update(data)
.digest("hex");
if (hash == crypted) {
res.writeHead(200, {"Content-Type": "plain/text"});
res.end("Success!");
} else {
throw new Error("Invalid TrialPay Hash");
}
});
显然,这不起作用(哈希不匹配).
免责声明:我对Node.js非常陌生,并且开始时只有很少的Javascript经验.
UPDATE
我没有意识到链接受到保护.
TrialPay使用您的通知密钥(在您的帐户信息中设置)作为签署HMAC的密钥.对于GET请求,将对签名后面的问号(在URL中)进行签名.对于POST请求,整个POST正文都已签名.
以下是TrialPay如何指示您在Google App Engine(Python)中进行验证的示例:
class MyHandler(webapp.RequestHandler):
def post(self):
key = '[YOUR MERCHANT KEY]'
tphash = self.request.headers['TrialPay-HMAC-MD5']
if hmacmd5(key,self.request.body) != tphash:
logging.info('invalid trialpay hash')
return
更新2
在req.body打印出来的:
{
oid: 'sample-order-id',
sid: 'customer-sid',
order_date: '04/24/2012',
timestamp: '04/24/2012 16:28:46',
first_name: 'customer-firstname',
last_name: 'customer-lastname',
email: 'customer@trialpay.com',
revenue: '10.00',
zip_code: '94041',
country: 'US'
}
这应该可以解决问题:
var crypto = require('crypto');
function calculateSignature(key) {
return function(req, res, next) {
var hash = req.header("TrialPay-HMAC-MD5"),
hmac = crypto.createHmac("md5", key);
req.on("data", function(data) {
hmac.update(data);
});
req.on("end", function() {
var crypted = hmac.digest("hex");
if(crypted === hash) {
// Valid request
return res.send("Success!", { "Content-Type": "text/plain" });
} else {
// Invalid request
return res.send("Invalid TrialPay hash", { "Content-Type": "text/plain" }, 403);
}
});
req.on("error", function(err) {
return next(err);
});
}
}
app.post("/trialpay", calculateSignature("[MY MERCHANT KEY]"));
| 归档时间: |
|
| 查看次数: |
6472 次 |
| 最近记录: |