This write-up shows how the Hapi Trade web application generates a request signature and encrypts user credentials, by tracing the client-side code that produces them.
When we attempt a request, the very first validation of the email address is already sent with a signature and a timestamp:
Exploring the code files, we search for functions that reference the values sent in that request. Several references to obtaining the signature and the timestamp turn up:
We also notice a reference to token generation. Let's check what this function contains:
Searching for the function that generates the signature, we come across a class called CryptoUtility, which has two static methods: encrypt and generateSignature. Both use forge, which tells us the application relies on node-forge.
Now that we have identified the necessary functions for generating the signature, let's examine their implementation and the parameters they require.
We set breakpoints where these functions are located. When we enter the email, execution first reaches the getTimestamp function, which returns a value:
Here we can see how the variable Ue is set; its value is what goes into the timestamp header.
Continuing forward, we reach the function responsible for obtaining the signature:
It is important to note that getSignature takes exactly two parameters, Ee and $e.
Ee holds the transformed query, but only part of it is actually used, so the transformation does not need to be replicated in full.
As we continue, we encounter a function that parses a specific string. Let's examine what it does.
The function parse$4 takes a string formatted as key-value pairs, decodes the keys and values, and returns an object containing these pairs. Since the input is simply a static cookie string, there is no need to replicate this function.
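As an added example (not the application's parse$4 and not taken from the page), the following parser does what the text describes for a cookie string: split on ';', split each segment at its first '=', percent-decode both halves, and return an object. The sample cookie is constructed for the example; only the sessionKey field name comes from the page. Two caveats a practitioner would add are that a malformed percent-escape must not abort the whole parse, and that the result object should not inherit from Object.prototype, so a key such as constructor cannot pollute anything.

```javascript
// Added example: a cookie-string parser in the spirit of the page's parse$4.
// It is not Hapi Trade's code. Assumptions: pairs are separated by ';',
// the first '=' splits key from value, and both halves are percent-encoded.

// Decode a percent-encoded token, falling back to the raw text when the
// encoding is malformed so one bad cookie cannot throw and abort parsing.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (_err) {
    return s;
  }
}

// Parse "a=1; b=two%20words; flag" into { a: "1", b: "two words", flag: "" }.
// The result has a null prototype so hostile keys like "__proto__" or
// "constructor" become plain own properties instead of touching the prototype.
function parseCookieString(str) {
  const result = Object.create(null);
  if (typeof str !== "string") return result;
  for (const segment of str.split(";")) {
    const trimmed = segment.trim();
    if (trimmed === "") continue;
    const eq = trimmed.indexOf("=");
    const rawKey = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const rawVal = eq === -1 ? "" : trimmed.slice(eq + 1);
    const key = safeDecode(rawKey.trim());
    // First occurrence of a key wins, as in most cookie parsers.
    if (!Object.prototype.hasOwnProperty.call(result, key)) {
      result[key] = safeDecode(rawVal.trim());
    }
  }
  return result;
}

// Constructed sample cookie: a percent-encoded sessionKey, a duplicate that must
// be ignored, and a value with a broken escape that must survive as-is.
const SAMPLE_COOKIE =
  "sessionKey=abc%3D123; platform=web; sessionKey=dupe; bad=%E0%A4%A; flag";

// parseCookieString(SAMPLE_COOKIE).sessionKey -> "abc=123"
```

In practice you would feed the captured cookie header string straight in and read out sessionKey, which is the value the signing code picks up later.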
After processing, we see that the function returns a JSON object with several values:
Next, we note that the following function reads the sessionKey value from that object:
This value is now set in the variable Oe.
As we proceed, we observe a variable called Ne that concatenates other variables to create a final string:
The components of this string include:
- Timestamp
- Transformed Query
- Platform Name
- Platform App Version
The values for 'Platform Name' and 'Platform App Version' can be taken from the requests we already captured.
Finally, we see the signature being generated from the values above:
Stepping through to the end of the function yields the generated signature: