Merge pull request #214 from PerimeterX/feature/sign-cookie-with-ip

Support for sign cookie based on instructions

Author: ori-gold-px

lib/cookie/cookieV3.js

@@ -32,7 +32,10 @@ class CookieV3 extends Payload {
     }
 
     isSecure() {
-        const hmacStr = this.pxCookie + this.ctx.userAgent;
+        let hmacStr = this.pxCookie;
+        if (this.ctx.signedFields) {
+            hmacStr += this.ctx.signedFields.join('');
+        }
         return this.isHmacValid(hmacStr, this.getHmac());
     }
 }

lib/cookie/tokenV3.js

@@ -32,7 +32,11 @@ class TokenV3 extends Payload {
     }
 
     isSecure() {
-        return this.isHmacValid(this.pxCookie, this.getHmac());
+        let hmacStr = this.pxCookie;
+        if (this.ctx.signedFields) {
+            hmacStr += this.ctx.signedFields.join('');
+        }
+        return this.isHmacValid(hmacStr, this.getHmac());
     }
 }
 

lib/pxcontext.js

@@ -29,8 +29,10 @@ class PxContext {
         this.shouldBypassMonitor = config.BYPASS_MONITOR_HEADER && req.headers[config.BYPASS_MONITOR_HEADER] === '1';
         this.cookieOrigin = CookieOrigin.COOKIE;
         this.additionalFields = additionalFields || {};
+        this.signedFields = [this.userAgent];
         const mobileHeader = this.headers[mobileSdkHeader];
         if (mobileHeader !== undefined) {
+            this.signedFields = null;
             this.cookieOrigin = CookieOrigin.HEADER;
             config.logger.debug('Mobile SDK token detected');
             this.originalToken = this.headers[mobileSdkOriginalTokenHeader];

lib/pxcookie.js

@@ -62,6 +62,7 @@ function evalCookie(ctx, config) {
         ctx.uuid = cookie.getUuid();
         ctx.hmac = cookie.getHmac();
         ctx.blockAction = cookie.getBlockAction();
+        ctx.signedFields = getSignedFields(ctx);
 
         if (cookie.isExpired()) {
             config.logger.debug(`Cookie TTL is expired, value: ${JSON.stringify(cookie.decodedCookie)}, age: ${Date.now() - cookie.getTime()}`);
@@ -121,6 +122,34 @@ function pxCookieFactory(ctx, config) {
     }
 }
 
+function getSignedFields(pxCtx) {
+    const { decodedCookie } = pxCtx;
+    if (typeof decodedCookie.x !== 'string') {
+        return pxCtx.signedFields;
+    }
+
+    const signedFields = [];
+    for (const char of decodedCookie.x) {
+        signedFields.push(convertCharToField(char, pxCtx));
+    }
+    return signedFields;
+}
+
+function convertCharToField(char, pxCtx) {
+    let field;
+    switch (char) {
+        case 'u':
+            field = pxCtx.userAgent;
+            break;
+        case 's':
+            field = pxCtx.ip;
+            break;
+        default:
+            break;
+    }
+    return field ? field : '';
+}
+
 function getCookieVersion(ctx) {
     return ctx.cookies['_px3'] ? 'V3' : 'V1';
 }