@venndr/express-embed-request-verifier
v1.0.2
Published
Express middleware for verifying Venndr app embed request signatures
Downloads
68
Readme
Embed signature verifier for Express
This middleware verifies signatures in app embed requests coming from Venndr.
Installation
npm install --save @venndr/express-embed-request-verifier
The key fetcher
This middleware requires a key fetcher – a function that receives the key version as argument and should return a Promise<crypto.KeyObject>
.
A key fetcher that satisfies basic use cases is available in the Venndr Node SDK. See @venndr/public-key-fetcher for more detailed information.
Configuration
The middleware has a configurable threshold for signature max age. The default value is 600 seconds.
To set your own limit, pass a configuration object to the middleware initialiser.
interface VerifierOptions {
maxAge?: number; // max signature age in seconds
}
Usage
import express from "express";
import { keyFetcher } from "@venndr/express-public-key-fetcher";
import { verifyEmbedRequest } from "@venndr/embed-request-verifier";
const app = express();
const embedVerifier = verifyEmbedRequest(keyFetcher);
app.get("/embed", embedVerifier, (_, r) => {
console.log("received valid embed request");
r.send("Hello world!");
});
app.listen(process.env.PORT ?? 8080);
Development mode
To skip the signature verification the UNSAFE_SKIP_EMBED_VERIFY
environment variable can be set to any non-empty value. This should only be used during development and never in production.