Merge pull request #216 from PerimeterX/dev

Dev

Author: ori-gold-px

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [3.2.1] - 2022-01-31
+
+### Added
+
+- Support for dynamic cookie signing with IP (requires PXHD)
+
 ## [3.2.0] - 2022-01-24
 
 ### Added

README.md

@@ -6,7 +6,7 @@
 [PerimeterX](http://www.perimeterx.com) Shared base for NodeJS enforcers
 =============================================================
 
-> Latest stable version: [v3.2.0](https://www.npmjs.com/package/perimeterx-node-core)
+> Latest stable version: [v3.2.1](https://www.npmjs.com/package/perimeterx-node-core)
 
 This is a shared base implementation for PerimeterX Express enforcer and future NodeJS enforcers. For a fully functioning implementation example, see the [Node-Express enforcer](https://github.com/PerimeterX/perimeterx-node-express/) implementation.
 

lib/cookie/cookieV3.js

@@ -32,7 +32,10 @@ class CookieV3 extends Payload {
     }
 
     isSecure() {
-        const hmacStr = this.pxCookie + this.ctx.userAgent;
+        let hmacStr = this.pxCookie;
+        if (this.ctx.signedFields) {
+            hmacStr += this.ctx.signedFields.join('');
+        }
         return this.isHmacValid(hmacStr, this.getHmac());
     }
 }

lib/cookie/tokenV3.js

@@ -32,7 +32,11 @@ class TokenV3 extends Payload {
     }
 
     isSecure() {
-        return this.isHmacValid(this.pxCookie, this.getHmac());
+        let hmacStr = this.pxCookie;
+        if (this.ctx.signedFields) {
+            hmacStr += this.ctx.signedFields.join('');
+        }
+        return this.isHmacValid(hmacStr, this.getHmac());
     }
 }
 

lib/pxcontext.js

@@ -29,8 +29,10 @@ class PxContext {
         this.shouldBypassMonitor = config.BYPASS_MONITOR_HEADER && req.headers[config.BYPASS_MONITOR_HEADER] === '1';
         this.cookieOrigin = CookieOrigin.COOKIE;
         this.additionalFields = additionalFields || {};
+        this.signedFields = [this.userAgent];
         const mobileHeader = this.headers[mobileSdkHeader];
         if (mobileHeader !== undefined) {
+            this.signedFields = null;
             this.cookieOrigin = CookieOrigin.HEADER;
             config.logger.debug('Mobile SDK token detected');
             this.originalToken = this.headers[mobileSdkOriginalTokenHeader];

lib/pxcookie.js

@@ -62,6 +62,7 @@ function evalCookie(ctx, config) {
         ctx.uuid = cookie.getUuid();
         ctx.hmac = cookie.getHmac();
         ctx.blockAction = cookie.getBlockAction();
+        ctx.signedFields = getSignedFields(ctx);
 
         if (cookie.isExpired()) {
             config.logger.debug(`Cookie TTL is expired, value: ${JSON.stringify(cookie.decodedCookie)}, age: ${Date.now() - cookie.getTime()}`);
@@ -121,6 +122,34 @@ function pxCookieFactory(ctx, config) {
     }
 }
 
+function getSignedFields(pxCtx) {
+    const { decodedCookie } = pxCtx;
+    if (typeof decodedCookie.x !== 'string') {
+        return pxCtx.signedFields;
+    }
+
+    const signedFields = [];
+    for (const char of decodedCookie.x) {
+        signedFields.push(convertCharToField(char, pxCtx));
+    }
+    return signedFields;
+}
+
+function convertCharToField(char, pxCtx) {
+    let field;
+    switch (char) {
+        case 'u':
+            field = pxCtx.userAgent;
+            break;
+        case 's':
+            field = pxCtx.ip;
+            break;
+        default:
+            break;
+    }
+    return field ? field : '';
+}
+
 function getCookieVersion(ctx) {
     return ctx.cookies['_px3'] ? 'V3' : 'V1';
 }

package.json

@@ -1,6 +1,6 @@
 {
     "name": "perimeterx-node-core",
-    "version": "3.2.0",
+    "version": "3.2.1",
     "description": "PerimeterX NodeJS shared core for various applications to monitor and block traffic according to PerimeterX risk score",
     "main": "index.js",
     "scripts": {