From b2791ddfca384661f4dad80b92ee6a7f6dc15670 Mon Sep 17 00:00:00 2001 From: James Chartrand <jc.chartrand@gmail.com> Date: Wed, 15 Jan 2025 15:54:07 -0500 Subject: [PATCH] check for invalid signing suite on query param --- src/app.js | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/src/app.js b/src/app.js index eec0d1e..6a248e0 100644 --- a/src/app.js +++ b/src/app.js @@ -11,6 +11,8 @@ import SigningException from './SigningException.js' import { getUnsignedVC } from './test-fixtures/vc.js' import { TEST_TENANT_NAME } from './config.js' +const allowedSigningSuites = ['eddsa2022', 'ed25519'] + export async function build() { var app = express() @@ -44,16 +46,17 @@ export async function build() { app.post('/instance/:instanceId/credentials/sign', async (req, res, next) => { try { - var suite = req.query.suite ?? 'ed25519' + const suiteParam = req.query.suite ?? ['ed25519'] + // one or more suites may have been specified so convert a single + // suite to an array to make it easier to deal with later, i.e., always as an array + const suiteList = [].concat(suiteParam) + // check that we support all listed suites + checkSuites(suiteList) const instanceId = req.params.instanceId //the issuer instance/tenant with which to sign const unSignedVC = req.body - if (!req.body || !Object.keys(req.body).length) { - throw new SigningException( - 400, - 'A verifiable credential must be provided in the body.' - ) - } - const signedVC = await issue(unSignedVC, instanceId, suite) + // check that this is at least a json object + checkVC(unSignedVC) + const signedVC = await issue(unSignedVC, instanceId, suiteList) return res.json(signedVC) } catch (e) { // catch the async errors and pass them to the error logger and handler @@ -80,6 +83,24 @@ export async function build() { } }) + function checkVC(unsignedVC) { + if (!unsignedVC || !Object.keys(unsignedVC).length) { + throw new SigningException( + 400, + 'A verifiable credential must be provided in the body.' + ) + } + } + + function checkSuites(requestedSuites) { + if ( + !requestedSuites.every((requestedSuite) => + allowedSigningSuites.includes(requestedSuite) + ) + ) { + throw new SigningException(400, 'An invalid signing suite was specified.') + } + } // Attach the error handling middleware calls, in the order that they should run app.use(errorLogger) app.use(errorHandler)