Skip to content

feat: add verification flow for v4 #8163

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
MohammedRyaan786 wants to merge 1 commit into
base: master
Choose a base branch
from
+1,313 −54
Draft

feat: add verification flow for v4 #8163

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
107 changes: 80 additions & 27 deletions modules/sdk-api/src/api.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -230,46 +230,99 @@ export function verifyResponse(
return response;
}

const verificationResponse = bitgo.verifyResponse({
url: req.url,
hmac: response.header.hmac,
statusCode: response.status,
text: response.text,
timestamp: response.header.timestamp,
token: req.authenticationToken,
method,
authVersion,
});
// --- Build version-specific params, call bitgo.verifyResponse(), collect error context ---
let verificationResult: {
isValid: boolean;
expectedHmac: string;
isInResponseValidityWindow: boolean;
verificationTime: number;
};
let hmacErrorDetails: Record<string, unknown>;
let responseTimestamp: string | number;

if (authVersion === 4) {
Copy link
Contributor

@arvind-bg arvind-bg Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we extract out v4 to a separate handler function?

const hmac = response.header['x-signature'];
const timestamp = response.header['x-request-timestamp'];
const authRequestId = response.header['x-auth-request-id'];

if (!hmac || !timestamp) {
// Server didn't sign the response. This can happen legitimately when the
debug(
'v4 response verification skipped: server response (status %d) missing HMAC headers (x-signature: %s, x-request-timestamp: %s)',
response.status,
hmac ? 'present' : 'missing',
timestamp ? 'present' : 'missing'
);
return response;
}

// Hash the raw response body bytes.
// Convert response.text to a Buffer (UTF-8) so we're hashing the actual bytes,
// not relying on Node's implicit string encoding in crypto.update().
const rawResponseBuffer = Buffer.from(response.text || '');
const bodyHashHex = bitgo.calculateBodyHash(rawResponseBuffer);

// req.v4PathWithQuery is always set by requestPatch; fallback parses req.url as a safety net.
let pathWithQuery = req.v4PathWithQuery;
if (!pathWithQuery) {
const parsedUrl = new URL(req.url);
pathWithQuery = parsedUrl.pathname + parsedUrl.search;
}

if (!verificationResponse.isValid) {
// calculate the HMAC
const receivedHmac = response.header.hmac;
const expectedHmac = verificationResponse.expectedHmac;
const signatureSubject = verificationResponse.signatureSubject;
// Log only the first 10 characters of the token to ensure the full token isn't logged.
const result = bitgo.verifyResponse({
hmac,
timestampSec: Number(timestamp),
method: req.v4Method || method,
pathWithQuery,
bodyHashHex,
authRequestId: authRequestId || req.v4AuthRequestId || '',
statusCode: response.status,
rawToken: req.authenticationToken,
Copy link
Contributor

@arvind-bg arvind-bg Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should the authVersion be passed here?

});

verificationResult = result;
responseTimestamp = timestamp;
hmacErrorDetails = { expectedHmac: result.expectedHmac, receivedHmac: hmac, preimage: result.preimage };
} else {
const result = bitgo.verifyResponse({
url: req.url,
hmac: response.header.hmac,
statusCode: response.status,
text: response.text,
timestamp: response.header.timestamp,
token: req.authenticationToken,
method,
authVersion,
});

verificationResult = result;
responseTimestamp = response.header.timestamp;
const partialBitgoToken = token ? token.substring(0, 10) : '';
const errorDetails = {
expectedHmac,
receivedHmac,
hmacInput: signatureSubject,
hmacErrorDetails = {
expectedHmac: result.expectedHmac,
receivedHmac: response.header.hmac,
hmacInput: result.signatureSubject,
requestToken: req.authenticationToken,
bitgoToken: partialBitgoToken,
};
debug('Invalid response HMAC: %O', errorDetails);
throw new ApiResponseError('invalid response HMAC, possible man-in-the-middle-attack', 511, errorDetails);
}

if (bitgo.getAuthVersion() === 3 && !verificationResponse.isInResponseValidityWindow) {
const errorDetails = {
timestamp: response.header.timestamp,
verificationTime: verificationResponse.verificationTime,
};
// --- Common validation for all auth versions ---
if (!verificationResult.isValid) {
debug('Invalid response HMAC: %O', hmacErrorDetails);
throw new ApiResponseError('invalid response HMAC, possible man-in-the-middle-attack', 511, hmacErrorDetails);
}

// v3 and v4 enforce the response validity window; v2 does not
if (authVersion >= 3 && !verificationResult.isInResponseValidityWindow) {
const errorDetails = { timestamp: responseTimestamp, verificationTime: verificationResult.verificationTime };
debug('Server response outside response validity time window: %O', errorDetails);
throw new ApiResponseError(
'server response outside response validity time window, possible man-in-the-middle-attack',
511,
errorDetails
);
}

return response;
}
Loading