Sign requests

Verify a signed request using the HMAC and SHA-256 algorithms or return a 403.

The following Snippet will:

For request URLs beginning with /generate/, replace /generate/ with /, sign the resulting path with its timestamp, and return the full, signed URL in the response body.
For all other request URLs, verify the signed URL and allow the request through.

export default {
  async fetch(request) {
    const secretKey = 'your_secret_key'; // Replace with your actual secret key
    const expiration = 60; // Expiration time in seconds (how long an HMAC token should be valid for)

    const encoder = new TextEncoder();

    // Import the secret key for HMAC-SHA256 signing
    const key = await crypto.subtle.importKey(
      "raw",
      encoder.encode(secretKey),
      { name: "HMAC", hash: "SHA-256" },
      false,
      ["sign", "verify"]
    );

    const url = new URL(request.url);

    // Check if the request URL starts with /generate/
    if (url.pathname.startsWith("/generate/")) {
      // Replace /generate/ with /
      url.pathname = url.pathname.replace("/generate/", "/");

      const currentTimestamp = Math.floor(Date.now() / 1000); // Current timestamp in seconds

      // Data to authenticate: combine pathname and timestamp
      const dataToAuthenticate = `${url.pathname}${currentTimestamp}`;

      // Sign the data with HMAC-SHA256
      const signature = await crypto.subtle.sign(
        "HMAC",
        key,
        encoder.encode(dataToAuthenticate)
      );

      // Encode the timestamp and HMAC in a secure manner
      const signatureBase64 = btoa(String.fromCharCode(...new Uint8Array(signature)));
      const signedData = `${currentTimestamp}-${signatureBase64}`;
      const encodedSignedData = encodeURIComponent(signedData);

      // Create the signed URL
      const signedURL = `${url}?verify=${encodedSignedData}`;

      // Return the signed URL in the response body
      return new Response(signedURL, { status: 200 });
    }

    // For all other request URLs, verify the signed URL
    const params = new URLSearchParams(url.search);
    const verifyParam = params.get('verify');

    if (!verifyParam) {
      return new Response('Verification parameter is missing', { status: 403 });
    }

    // Decode and split the verify parameter into timestamp and HMAC
    const decodedVerifyParam = decodeURIComponent(verifyParam);
    const [timestampStr, receivedMac] = decodedVerifyParam.split("-");

    // Parse timestamp and ensure it's a valid number
    const timestamp = parseInt(timestampStr, 10);
    if (isNaN(timestamp)) {
      return new Response('Invalid timestamp', { status: 403 });
    }

    // Check if the request has expired
    const currentTimestamp = Math.floor(Date.now() / 1000);
    if (currentTimestamp > timestamp + expiration) {
      return new Response('Signed URL has expired', { status: 403 });
    }

    // Remove the verify parameter to verify the URL
    params.delete('verify');
    url.search = params.toString();

    // Construct the data to authenticate for verification
    const dataToVerify = `${url.pathname}${timestamp}`;

    // Verify the signature with HMAC-SHA256
    const isValid = await crypto.subtle.verify(
      "HMAC",
      key,
      new Uint8Array([...atob(receivedMac)].map(char => char.charCodeAt(0))),
      encoder.encode(dataToVerify)
    );

    if (!isValid) {
      return new Response('Invalid signature', { status: 403 });
    }

    // Continue processing the request if the signature is valid
    return fetch(request);
  }
}

Cloudflare Dashboard Discord Community Learning Center Support Portal