From 7ff7328ce324bb8decfb4c27106f92730a46d667 Mon Sep 17 00:00:00 2001
From: Abhishek Y
Date: Thu, 4 Jul 2024 17:32:18 +0530
Subject: [PATCH] Adding HMAC algorith in autorization header

---
 README.md | 38 ++++++++++++++++++++++++++++++++++++++
 src/utils/auth.utils.ts | 2 +-
 2 files changed, 39 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 67e9170..c1babc8 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,44 @@ This is a Node.js application designed to function as an intermediary layer betw
 [URL for Webhook-Sandbox](https://github.com/beckn/beckn-sandbox-webhook)
+### HMAC Verification
+
+The protocol server allows BPP to verify messages using HMAC. When HMAC verification is enabled on BPP client protocol server sends authorization header containing HMAC, BPP can use shared key to verify the messages. To enable HMAC verification configure BPP client to `useHMACForWebhook: true` and `sharedKeyForWebhookHMAC: ` in `default.yaml`, `sharedKeyForWebhookHMAC`. Ensure that is a 256-bit key. When useHMACForWebhook and sharedKeyForWebhookHMAC are properly configured, the protocol server will send the authorization header with the HMAC, allowing the BPP client to verify the integrity and authenticity of the messages using the shared key.
+
+
+## Enabling HMAC Verification on BPP Client
+
+To enable HMAC verification on the BPP client, follow these steps:
+
+### Configuration
+
+- Set `useHMACForWebhook` to `true` in the `default.yaml` configuration file.
+- Set `sharedKeyForWebhookHMAC` to your shared key in the `default.yaml` configuration file. Ensure that the `sharedKeyForWebhookHMAC` is exactly 256 bits in length.
+
+### HMAC Verification
+
+- When HMAC verification is enabled and the configurations are set to valid values, the protocol server will include an authorization header containing the HMAC in its messages.
+- The BPP client can then use the shared key to verify these messages.
+
+### Example Configuration in `default.yaml`
+
+```yaml
+useHMACForWebhook: true
+sharedKeyForWebhookHMAC:
+```
+
+### Example HMAC
+
+```
+Message: {"context":{"domain":"retail","action":"search","bap_id":"retail.bap","bap_uri":"https://retail.bap.com","bpp_id":"retail.bpp","bpp_uri":"https://retail.bpp.com","version":"1.1.0","transaction_id":"51e0cce4-5a20-418b-9f10-797031f3b868","message_id":"829b9ab9-0f1b-4177-95a7-987ac1ed8caa"},"message":{"intent":{"item":{"descriptor":{"code":"assembly"}}}}}
+
+Shared Key: juWDOTzzK7Eyrzm6hZwQmlJkolesm8x0
+
+HMAC: HMAC-SHA-256 8d2b129d83512b53ddd6e3657748a2e22cd05de3f7c4780cdf39da564a843884
+```
+
+
+
 # Prerequisites
 To run the application, make sure you have the following installed:
diff --git a/src/utils/auth.utils.ts b/src/utils/auth.utils.ts
index 28c4040..c0eb5b8 100644
--- a/src/utils/auth.utils.ts
+++ b/src/utils/auth.utils.ts
@@ -222,7 +222,7 @@ export const createBppWebhookAuthHeaderConfig = async (request: any) => {
 const header = await createBppWebhookAuthHeader(request);
 const axios_config = {
 headers: {
- authorization: header
+ authorization: `HMAC-SHA-256 ${header}`
 }
 };
 logger.info(
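Review bot: The `HMAC-SHA-256` scheme label is spliced into the `authorization` value as a bare string literal at the point where the axios config is built, so the sender's spelling and whatever the BPP-side verifier parses must agree by convention only; hoist it next to `createBppWebhookAuthHeader` as `const HMAC_AUTH_SCHEME = 'HMAC-SHA-256';` and interpolate `HMAC_AUTH_SCHEME` in place of the literal in the template string. Assuming `createBppWebhookAuthHeader` returns only the hex digest, as the README example in this patch shows, the header authenticates the body but carries no timestamp or nonce, so a verifier cannot reject a replayed webhook from the header alone; a short comment here stating exactly which bytes the digest covers and that freshness must be checked separately (e.g. against `message_id`) would give the verifier side something concrete to match. The `logger.info(` call at the end of the hunk continues outside it; if it logs `axios_config`, the `authorization` value ends up in application logs, which is worth confirming. The enclosing `createBppWebhookAuthHeaderConfig` starts and ends outside the hunk.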