Adding HMAC algorith in autorization header

beckn · Jul 5, 2024 · 7ff7328 · 7ff7328
1 parent 62fa683
commit 7ff7328
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -56,6 +56,44 @@ This is a Node.js application designed to function as an intermediary layer betw
 
 [URL for Webhook-Sandbox](https://github.com/beckn/beckn-sandbox-webhook)
 
+### HMAC Verification
+
+The protocol server allows BPP to verify messages using HMAC. When HMAC verification is enabled on BPP client protocol server sends authorization header containing HMAC, BPP can use shared key to verify the messages. To enable HMAC verification configure BPP client to `useHMACForWebhook: true` and `sharedKeyForWebhookHMAC: <YOUR_SHARED_KEY>` in `default.yaml`, `sharedKeyForWebhookHMAC`. Ensure that <YOUR_SHARED_KEY> is a 256-bit key. When useHMACForWebhook and sharedKeyForWebhookHMAC are properly configured, the protocol server will send the authorization header with the HMAC, allowing the BPP client to verify the integrity and authenticity of the messages using the shared key.
+
+
+## Enabling HMAC Verification on BPP Client
+
+To enable HMAC verification on the BPP client, follow these steps:
+
+### Configuration
+
+- Set `useHMACForWebhook` to `true` in the `default.yaml` configuration file.
+- Set `sharedKeyForWebhookHMAC` to your shared key in the `default.yaml` configuration file. Ensure that the `sharedKeyForWebhookHMAC` is exactly 256 bits in length.
+
+### HMAC Verification
+
+- When HMAC verification is enabled and the configurations are set to valid values, the protocol server will include an authorization header containing the HMAC in its messages.
+- The BPP client can then use the shared key to verify these messages.
+
+### Example Configuration in `default.yaml`
+
+```yaml
+useHMACForWebhook: true
+sharedKeyForWebhookHMAC: <YOUR_SHARED_KEY>
+```
+
+### Example HMAC
+
+```
+Message: {"context":{"domain":"retail","action":"search","bap_id":"retail.bap","bap_uri":"https://retail.bap.com","bpp_id":"retail.bpp","bpp_uri":"https://retail.bpp.com","version":"1.1.0","transaction_id":"51e0cce4-5a20-418b-9f10-797031f3b868","message_id":"829b9ab9-0f1b-4177-95a7-987ac1ed8caa"},"message":{"intent":{"item":{"descriptor":{"code":"assembly"}}}}}
+
+Shared Key: juWDOTzzK7Eyrzm6hZwQmlJkolesm8x0
+
+HMAC: HMAC-SHA-256 8d2b129d83512b53ddd6e3657748a2e22cd05de3f7c4780cdf39da564a843884
+```
+
+
+
 # Prerequisites
 
 To run the application, make sure you have the following installed:

diff --git a/src/utils/auth.utils.ts b/src/utils/auth.utils.ts
@@ -222,7 +222,7 @@ export const createBppWebhookAuthHeaderConfig = async (request: any) => {
   const header = await createBppWebhookAuthHeader(request);
   const axios_config = {
     headers: {
-      authorization: header
+      authorization: `HMAC-SHA-256 ${header}`
     }
   };
   logger.info(