superfaceai / one-sdk-js

1️⃣ One Node.js SDK for all the APIs you want to integrate with
MIT License

[Feature request] HTTP request signing not supported #136

Open kravchenkoa opened 2 years ago

kravchenkoa commented 2 years ago

Some API endpoints have security from request signing, e.g. wallet information on Binance -

Information about signed endpoint security:

Expected Behavior

Request signing should be supported

Current Behavior

Request signing is not supported

Possible Solution

Implement request signing and other common security mechanisms

jnv commented 2 years ago

Binance uses HMAC SHA256 passed in query string or request body. They also require timestamp and recvWindow, but those can be handled by map.

Another provider requiring requests signing, as mentioned by @freaz, is AWS.

freaz commented 2 years ago

@jnv AWS request signing is different, this is quite simple payload signature, which could be done in map (if stdlib with crypto would be available). compared to

Unfortunately neither of them is really standardized.

jnv commented 2 years ago

I see. Personally I would prefer if requests signing were, in general, handled as a security scheme, but I am not sure whether it is possible to generalize this across many providers. But exposing relevant crypto functions in map would cover both Binance and AWS needs - or not?

jnv commented 2 years ago

Another case is with 2Checkout API. In this case, though, the authentication could be handled inside the map, since it doesn't work with the payload:

X-Avangate-Authentication: code="{VENDOR_CODE}" date="{REQUEST_DATE_TIME}" hash="{HASH}"

  • VENDOR_CODE: Your unique 2Checkout supplied merchant code.
  • REQUEST_DATE_TIME: The UTC date time of the request. Format: YYYY-MM-DD HH:MM:SS. You must provide the time of the request in the GMT timezone.
  • HASH: The hashmac digest with an md5 hashing algorithm of the following: LEN(VENDOR_CODE) + VENDOR_CODE + LEN(REQUEST_DATE_TIME) + REQUEST_DATE_TIME. Use the secret key associated with your account for the hashing.

So what we are missing in map for this is MD5 HMAC digest. Moreover, getting the current datetime in this format will be a PITA, but it can be done with some ugly string manipulation.
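The two payload-signing schemes discussed in this thread, sketched in Node.js as an added example (not part of the thread and not one-sdk-js code). Function names, vendor code and keys are constructed; `LEN` is assumed to mean byte length, and the `signature` parameter name follows Binance's API.

```javascript
// Added example: HMAC helpers for the two schemes discussed in the thread.
const crypto = require('crypto');

// Hex-encoded HMAC; alg is an OpenSSL digest name such as 'sha256' or 'md5'.
function hmacHex(alg, key, data) {
  return crypto.createHmac(alg, key).update(data, 'utf8').digest('hex');
}

// UTC time as "YYYY-MM-DD HH:MM:SS", the format quoted for 2Checkout.
function utcDateTime(date) {
  return date.toISOString().slice(0, 19).replace('T', ' ');
}

// LEN(VENDOR_CODE) + VENDOR_CODE + LEN(REQUEST_DATE_TIME) + REQUEST_DATE_TIME
// Assumption: LEN is the byte length of the UTF-8 string.
function avangateStringToSign(vendorCode, dateTime) {
  return `${Buffer.byteLength(vendorCode)}${vendorCode}` +
         `${Buffer.byteLength(dateTime)}${dateTime}`;
}

// Value for the X-Avangate-Authentication header (HMAC with MD5).
function avangateHeader(vendorCode, secretKey, date) {
  const dateTime = utcDateTime(date);
  const hash = hmacHex('md5', secretKey, avangateStringToSign(vendorCode, dateTime));
  return `code="${vendorCode}" date="${dateTime}" hash="${hash}"`;
}

// Binance-style: timestamp and recvWindow are part of the signed query
// string; the HMAC SHA256 hex digest is appended as the last parameter.
function signQuery(params, secretKey, timestamp, recvWindow) {
  const query = new URLSearchParams({ ...params, recvWindow, timestamp }).toString();
  return `${query}&signature=${hmacHex('sha256', secretKey, query)}`;
}

// Receiving side: recompute the HMAC and compare in constant time.
function verifySignedQuery(signedQuery, secretKey) {
  const marker = '&signature=';
  const i = signedQuery.lastIndexOf(marker);
  if (i < 0) return false;
  const expected = Buffer.from(hmacHex('sha256', secretKey, signedQuery.slice(0, i)), 'hex');
  const received = Buffer.from(signedQuery.slice(i + marker.length), 'hex');
  return received.length === expected.length && crypto.timingSafeEqual(received, expected);
}

// Constructed sample values, for illustration only.
console.log(avangateHeader('VENDOR1', 'constructed-secret', new Date()));
console.log(signQuery({ symbol: 'LTCBTC' }, 'constructed-secret', Date.now(), 5000));
```

The signing key never leaves the client in either scheme; only the digest travels, so the key should be supplied from the SDK's secret storage rather than written into a map.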