|
| 1 | +/** |
| 2 | + * Tests for raw body buffer capture functionality |
| 3 | + * This ensures exact bytes are preserved for v4 HMAC authentication |
| 4 | + * @prettier |
| 5 | + */ |
| 6 | +import 'should'; |
| 7 | +import 'should-http'; |
| 8 | +import 'should-sinon'; |
| 9 | +import '../../lib/asserts'; |
| 10 | +import * as sinon from 'sinon'; |
| 11 | +import * as express from 'express'; |
| 12 | +import { agent as supertest, Response } from 'supertest'; |
| 13 | +import { app as expressApp } from '../../../src/expressApp'; |
| 14 | + |
| 15 | +describe('Raw Body Buffer Capture', () => { |
| 16 | + const sandbox = sinon.createSandbox(); |
| 17 | + |
| 18 | + afterEach(() => { |
| 19 | + sandbox.verifyAndRestore(); |
| 20 | + }); |
| 21 | + |
| 22 | + describe('body-parser verify callback', () => { |
| 23 | + let agent: ReturnType<typeof supertest>; |
| 24 | + |
| 25 | + beforeEach(() => { |
| 26 | + const app = expressApp({ |
| 27 | + env: 'test', |
| 28 | + disableProxy: true, |
| 29 | + } as any); |
| 30 | + |
| 31 | + // Add a test route that returns the rawBodyBuffer info |
| 32 | + app.post('/test/rawbody', (req: express.Request, res: express.Response) => { |
| 33 | + res.json({ |
| 34 | + hasRawBodyBuffer: !!req.rawBodyBuffer, |
| 35 | + rawBodyBufferLength: req.rawBodyBuffer?.length || 0, |
| 36 | + rawBodyBufferContent: req.rawBodyBuffer?.toString('utf-8') || null, |
| 37 | + parsedBody: req.body, |
| 38 | + bodyKeysCount: Object.keys(req.body || {}).length, |
| 39 | + }); |
| 40 | + }); |
| 41 | + |
| 42 | + // Add a test route for HMAC verification |
| 43 | + app.post('/test/hmac-check', (req: express.Request, res: express.Response) => { |
| 44 | + const rawBytes = req.rawBodyBuffer; |
| 45 | + const reSerializedBytes = Buffer.from(JSON.stringify(req.body)); |
| 46 | + |
| 47 | + res.json({ |
| 48 | + rawBytesHex: rawBytes?.toString('hex') || null, |
| 49 | + reSerializedBytesHex: reSerializedBytes.toString('hex'), |
| 50 | + bytesMatch: rawBytes?.toString('hex') === reSerializedBytes.toString('hex'), |
| 51 | + rawLength: rawBytes?.length || 0, |
| 52 | + reSerializedLength: reSerializedBytes.length, |
| 53 | + }); |
| 54 | + }); |
| 55 | + |
| 56 | + // Add a test route for HMAC chain simulation |
| 57 | + app.post('/test/hmac-chain', (req: express.Request, res: express.Response) => { |
| 58 | + const clientBytes = req.rawBodyBuffer; |
| 59 | + const parsedAndSerialized = Buffer.from(JSON.stringify(req.body)); |
| 60 | + |
| 61 | + res.json({ |
| 62 | + clientBytesPreserved: !!clientBytes, |
| 63 | + wouldHmacMatch: clientBytes?.toString('hex') === parsedAndSerialized.toString('hex'), |
| 64 | + recommendation: clientBytes ? 'Use rawBodyBuffer for HMAC' : 'Missing rawBodyBuffer', |
| 65 | + }); |
| 66 | + }); |
| 67 | + |
| 68 | + agent = supertest(app); |
| 69 | + }); |
| 70 | + |
| 71 | + it('should capture raw body buffer on POST requests', async () => { |
| 72 | + const testBody = { address: 'tb1qtest', amount: 100000 }; |
| 73 | + |
| 74 | + const res: Response = await agent.post('/test/rawbody').set('Content-Type', 'application/json').send(testBody); |
| 75 | + |
| 76 | + res.status.should.equal(200); |
| 77 | + res.body.hasRawBodyBuffer.should.equal(true); |
| 78 | + res.body.rawBodyBufferLength.should.be.greaterThan(0); |
| 79 | + res.body.parsedBody.should.deepEqual(testBody); |
| 80 | + }); |
| 81 | + |
| 82 | + it('should preserve exact bytes including whitespace', async () => { |
| 83 | + // JSON with extra whitespace that would be lost during parse/re-serialize |
| 84 | + const bodyWithWhitespace = '{"address": "tb1qtest", "amount":100000}'; |
| 85 | + |
| 86 | + const res: Response = await agent |
| 87 | + .post('/test/rawbody') |
| 88 | + .set('Content-Type', 'application/json') |
| 89 | + .send(bodyWithWhitespace); |
| 90 | + |
| 91 | + res.status.should.equal(200); |
| 92 | + // Raw buffer should preserve the exact whitespace |
| 93 | + res.body.rawBodyBufferContent.should.equal(bodyWithWhitespace); |
| 94 | + // Parsed body should have the correct values |
| 95 | + res.body.parsedBody.address.should.equal('tb1qtest'); |
| 96 | + res.body.parsedBody.amount.should.equal(100000); |
| 97 | + }); |
| 98 | + |
| 99 | + it('should preserve exact key ordering', async () => { |
| 100 | + // JSON with specific key ordering |
| 101 | + const bodyWithOrdering = '{"z_last":"last","a_first":"first","m_middle":"middle"}'; |
| 102 | + |
| 103 | + const res: Response = await agent |
| 104 | + .post('/test/rawbody') |
| 105 | + .set('Content-Type', 'application/json') |
| 106 | + .send(bodyWithOrdering); |
| 107 | + |
| 108 | + res.status.should.equal(200); |
| 109 | + // Raw buffer should preserve exact key ordering |
| 110 | + res.body.rawBodyBufferContent.should.equal(bodyWithOrdering); |
| 111 | + }); |
| 112 | + |
| 113 | + it('should handle empty body', async () => { |
| 114 | + const res: Response = await agent.post('/test/rawbody').set('Content-Type', 'application/json').send({}); |
| 115 | + |
| 116 | + res.status.should.equal(200); |
| 117 | + res.body.hasRawBodyBuffer.should.equal(true); |
| 118 | + res.body.rawBodyBufferLength.should.equal(2); // "{}" |
| 119 | + }); |
| 120 | + |
| 121 | + it('should handle nested JSON objects', async () => { |
| 122 | + const nestedBody = { |
| 123 | + level1: { |
| 124 | + level2: { |
| 125 | + level3: { |
| 126 | + value: 'deep', |
| 127 | + }, |
| 128 | + }, |
| 129 | + }, |
| 130 | + }; |
| 131 | + |
| 132 | + const res: Response = await agent.post('/test/rawbody').set('Content-Type', 'application/json').send(nestedBody); |
| 133 | + |
| 134 | + res.status.should.equal(200); |
| 135 | + res.body.hasRawBodyBuffer.should.equal(true); |
| 136 | + res.body.parsedBody.level1.level2.level3.value.should.equal('deep'); |
| 137 | + }); |
| 138 | + |
| 139 | + it('should preserve raw bytes for HMAC calculation across the request chain', async () => { |
| 140 | + const walletSendBody = |
| 141 | + '{"address":"bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh","amount":1000000,"walletPassphrase":"test"}'; |
| 142 | + |
| 143 | + const res: Response = await agent |
| 144 | + .post('/test/hmac-chain') |
| 145 | + .set('Content-Type', 'application/json') |
| 146 | + .send(walletSendBody); |
| 147 | + |
| 148 | + res.status.should.equal(200); |
| 149 | + res.body.clientBytesPreserved.should.equal(true); |
| 150 | + res.body.recommendation.should.equal('Use rawBodyBuffer for HMAC'); |
| 151 | + }); |
| 152 | + }); |
| 153 | +}); |
0 commit comments