Closed adampatarino closed 6 years ago
Hi Adam,
You are right that this is an authentication library and the mentioned error message is misleading. However, the Escher signature can be calculated only on strings or buffers, so I'm still thinking that we need to enforce the verifiable request body type. Maybe we can throw a "The request body should be only string or buffer".
The signature validation will only pass if the tested request body is exactly the same as the signed request body. So if we try to convert the parsed body back to a string (e.g. JSON.stringify) and the result is not exactly the same as the original request body (e.g. the original request contained some additional spaces which didn't break the JSON), the validation will fail.
If you are using Koa, I suggest the koa-escher-auth middleware.
All the best, Istvan
@szeist OK, I didn't realize Escher was using the body content as part of the authentication method. I've built a workaround in my express middleware to JSON.parse after Escher has validated the connection.
Thanks for the added detail!
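The behaviour discussed in the two comments above, as an added example that is not part of the original thread or of Escher's code: a signature computed over the raw body stops verifying once the body has been parsed and re-serialized, so verification runs on the raw string and parsing happens afterwards. The HMAC-SHA256 construction, the `SECRET` key, the function names and the sample body are assumptions made for illustration, not Escher's signing algorithm or API.

```javascript
// Added example. HMAC-SHA256 over the raw body is a simplified stand-in for
// the body hash that a request signature covers; it is NOT Escher's algorithm.
const crypto = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed sample key

// Sign exactly the bytes given; refuse anything that is not a string or Buffer,
// because a parsed object has no single canonical byte representation.
function signBody(body) {
  if (typeof body !== "string" && !Buffer.isBuffer(body)) {
    throw new TypeError("The request body should be only string or buffer");
  }
  return crypto.createHmac("sha256", SECRET).update(body).digest("hex");
}

// Constant-time comparison of the recomputed signature with the supplied one.
function verifyBody(body, signature) {
  const expected = Buffer.from(signBody(body), "hex");
  const given = Buffer.from(signature, "hex");
  return expected.length === given.length &&
    crypto.timingSafeEqual(expected, given);
}

// Verify the raw body first, parse only after the signature has been accepted.
function verifyThenParse(rawBody, signature) {
  if (!verifyBody(rawBody, signature)) throw new Error("signature mismatch");
  return JSON.parse(rawBody);
}

// Constructed sample request body: valid JSON with extra spaces, as signed by the client.
const rawBody = '{ "amount": 10,  "to": "alice" }';
const signature = signBody(rawBody);

// What a server gets if a body parser ran first and the object is stringified again.
const reserialized = JSON.stringify(JSON.parse(rawBody));

function demo() {
  return {
    rawOk: verifyBody(rawBody, signature),               // same bytes as signed
    reserializedOk: verifyBody(reserialized, signature), // whitespace was lost
    parsed: verifyThenParse(rawBody, signature),
  };
}

console.log(demo());
```

In express or koa this means keeping the raw body available to the verification step and running the JSON parser only after it succeeds.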
Escher is an authentication framework, so it shouldn't make assumptions on the data type of the request body. This is especially clear when using it alongside other request body parsing middleware in frameworks like express or koa.
Example:
This throws an error
However, the body is present, in the form of an object:
This pull request changes the type check of req.body from a strict String or Buffer to a simple exists check: