feat: hmac authentication strategy and response verification #8262
Open
bitgoAaron wants to merge 3 commits into master from
729a786 to
0cbe167
Compare
0cbe167 to
49529e2
Compare
mattreid1
requested changes
Mar 12, 2026
- Updated function to be asynchronous, allowing for better handling of HMAC verification.
- Introduced for default HMAC handling and added support for custom strategies.
- Integrated for browser compatibility, enabling HMAC signing and verification using the Web Crypto API.
- Enhanced to utilize the new HMAC strategies for request signing and response verification.
- Added unit tests for the new HMAC strategies and their integration with the BitGoAPI.
- Updated web demo to include a new component for WebCrypto authentication.

Ticket: CE-10122
- use timingSafeEqual for comparing hmac values
- enhance web demo to support both auth versions

Ticket: CE-10122
49529e2 to
ea9dd57
Compare
mattreid1
previously approved these changes
Mar 13, 2026
use same calculateHMACSubject function for getting the subject to sign as regular hmac flows
split up IndexedDB class to separate file & tests
other small changes from review

Ticket: CE-10122
OttoAllmendinger
approved these changes
Mar 17, 2026
alextse-bg
approved these changes
Mar 17, 2026
| strategyAuthenticated: boolean; | ||
| onfulfilled: ((response: superagent.Response) => any) | null | undefined; | ||
| originalThen: (onfulfilled: any, onrejected?: any) => Promise<any>; | ||
| }): Promise<any> { |
Contributor
nitty - do we need all these any types here?
| req.set('Authorization', 'Bearer ' + requestProperties.tokenHash); | ||
| debug( | ||
| 'sending v2 %s request to %s with token %s', |
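Review bot: the format string `'sending v2 %s request to %s with token %s'` puts a token value into debug output, and the argument that fills the last `%s` is not visible in this hunk. Please confirm it is a truncated or hashed form rather than the raw access token, since debug logs are routinely captured and shared. The hard-coded `v2` in the same string should also be derived from the auth version in use if this path can run for more than one version.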
Contributor
in this debug log, will it always be v2?
| password: 'mypassword', | ||
| }); | ||
| } catch { | ||
| // Authentication may fail for various reasons in this test context, |
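Review bot: the bare `catch {` in this test discards every error, so the test passes whether authentication succeeded, failed for the reason the comment anticipates, or threw for an unrelated reason. Assert on the specific error expected in this context, or on the state the test cares about after the call, so an unexpected failure is not silently swallowed.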
Contributor
uh, we want this to catch nothing?
| it('should produce the same result as the sync calculateRequestHeaders', async () => { | ||
| const params = { | ||
| url: 'https://app.bitgo.com/api/v2/wallet', | ||
| token: 'v2x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdefab', |
| it('should produce correct headers for v3 auth with a body', async () => { | ||
| const params = { | ||
| url: 'https://app.bitgo.com/api/v2/wallet/send', | ||
| token: 'v2x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdefab', |
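Review bot: the `token:` literal repeated in both test cases has the shape of an access token (a `v2x` prefix followed by a long hex string), which secret scanners may flag and which a reader cannot tell apart from a leaked credential. Move it to one shared test constant whose name and value make it obviously fake, and reference that constant from both cases.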
Contributor
I'm sure this is some AI generated token or something? But still don't think this would be fun to commit to a public repo?
Contributor
@claude review this code and check if all the new functionality introduced has corresponding tests
Ticket: CE-10122
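
The following is an added example, not code from this pull request or the BitGo SDK; the key, the subject layout and the function names are assumptions. It verifies the same response MAC through a Node `timingSafeEqual` path and a Web Crypto `subtle.verify` path and checks that both reject tampered, truncated and missing values.

```javascript
// Added example, not code from this PR. KEY, the SUBJECT layout and all function names are assumptions.
const { createHmac, timingSafeEqual, webcrypto } = require('node:crypto');

const HEX_SHA256 = /^[0-9a-f]{64}$/i; // a SHA-256 MAC is exactly 32 bytes = 64 hex chars

// Node-style strategy: recompute the MAC and compare with timingSafeEqual.
function verifyHmacNode(key, subject, receivedHex) {
  // Validate shape first: Buffer.from(x, 'hex') stops at the first non-hex
  // character, and timingSafeEqual throws when the two lengths differ.
  if (typeof receivedHex !== 'string' || !HEX_SHA256.test(receivedHex)) return false;
  const expected = createHmac('sha256', key).update(subject).digest();
  return timingSafeEqual(expected, Buffer.from(receivedHex, 'hex'));
}

// Web Crypto strategy: subtle.verify recomputes and compares the MAC itself,
// so no MAC string comparison happens in application code.
async function verifyHmacWebCrypto(key, subject, receivedHex) {
  if (typeof receivedHex !== 'string' || !HEX_SHA256.test(receivedHex)) return false;
  const enc = new TextEncoder();
  const cryptoKey = await webcrypto.subtle.importKey(
    'raw', enc.encode(key), { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
  return webcrypto.subtle.verify(
    'HMAC', cryptoKey, Buffer.from(receivedHex, 'hex'), enc.encode(subject));
}

// Constructed sample data (not a real token or a real response).
const KEY = 'constructed-demo-key';
const SUBJECT = '1700000000000|/api/v2/demo|200|{"ok":true}';
const GOOD = createHmac('sha256', KEY).update(SUBJECT).digest('hex');
const TAMPERED = GOOD.slice(0, -1) + (GOOD.endsWith('0') ? '1' : '0');

// Run every case through both strategies; they must agree on each one.
async function runCases() {
  const cases = { good: GOOD, tampered: TAMPERED, truncated: GOOD.slice(0, 10), missing: undefined };
  const out = {};
  for (const [name, mac] of Object.entries(cases)) {
    out[name] = [verifyHmacNode(KEY, SUBJECT, mac), await verifyHmacWebCrypto(KEY, SUBJECT, mac)];
  }
  return out;
}

runCases().then((r) => console.log(r));
```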