add tamper protection

2023-11-12 09:18:27 +05:30
parent 10813529f2
commit b4a6308d5a
2 changed files with 22 additions and 4 deletions
--- a/src/main/kotlin/com/restapi/Main.kt
+++ b/src/main/kotlin/com/restapi/Main.kt
@@ -15,6 +15,7 @@ import com.restapi.domain.Session
 import com.restapi.domain.Session.objectMapper
 import com.restapi.domain.Session.redis
 import com.restapi.domain.Session.setAuthorizedUser
+import com.restapi.domain.Session.signPayload
 import io.ebean.DataIntegrityException
 import io.ebean.DuplicateKeyException
 import io.javalin.Javalin
@@ -32,9 +33,12 @@ import java.net.http.HttpRequest
 import java.net.http.HttpRequest.BodyPublishers
 import java.net.http.HttpResponse.BodyHandlers
 import java.nio.charset.StandardCharsets
+import java.security.MessageDigest
+import java.util.*
 import java.util.concurrent.TimeUnit
 import kotlin.jvm.optionals.getOrDefault

+
 fun main(args: Array<String>) {
    val logger = LoggerFactory.getLogger("api")
    val adminRole = Role.Standard(Action.ADMIN)
@@ -104,6 +108,12 @@ fun main(args: Array<String>) {
                    it.result(atResponse.accessToken).contentType(ContentType.TEXT_PLAIN)

                }
+                get("/keys") {
+                    //for the UI to validate signature and response
+                    it.json(
+                        Session.jwk()
+                    )
+                }
            }

            before("/api/*") { ctx ->
@@ -121,15 +131,21 @@ fun main(args: Array<String>) {

                setAuthorizedUser(validateAuthToken(authToken = authToken))

-                if(appConfig.enforcePayloadEncryption()){
+                if (appConfig.enforcePayloadEncryption()) {
                    //todo: decrypt the request from user
                }
            }
            after("/api/*") {

-                it.header("X-Signature", Session.sign(it.body()))
+                val md = MessageDigest.getInstance("SHA-512")
+                md.update((it.result() ?: "").toByteArray())
+                val aMessageDigest = md.digest()

-                if(appConfig.enforcePayloadEncryption()){
+                val outEncoded: String = Base64.getEncoder().encodeToString(aMessageDigest)
+                it.header("X-Checksum", outEncoded)
+                it.header("X-Signature", signPayload(outEncoded))
+
+                if (appConfig.enforcePayloadEncryption()) {
                    //todo:, encrypt and set the response back to user
                }