Skip to content

feat: hmac authentication strategy and response verification#8262

Merged
bitgoAaron merged 4 commits intomasterfrom
aloe/hmacWebCryptoStrategy
Mar 18, 2026
Merged

feat: hmac authentication strategy and response verification#8262
bitgoAaron merged 4 commits intomasterfrom
aloe/hmacWebCryptoStrategy

Conversation

@bitgoAaron
Copy link
Contributor

@bitgoAaron bitgoAaron commented Mar 7, 2026

  • Updated function to be asynchronous, allowing for better handling of HMAC verification.
  • Introduced for default HMAC handling and added support for custom strategies.
  • Integrated for browser compatibility, enabling HMAC signing and verification using the Web Crypto API.
  • Enhanced to utilize the new HMAC strategies for request signing and response verification.
  • Added unit tests for the new HMAC strategies and their integration with the BitGoAPI.
  • Updated web demo to include a new component for WebCrypto authentication.

Ticket: CE-10122

github-advanced-security[bot]
github-advanced-security bot found potential problems Mar 7, 2026
View reviewed changes
modules/sdk-api/src/bitgoAPI.ts Outdated
'sending v2 %s request to %s with token %s',
method,
url,
this._token?.substr(0, 8) ?? '(strategy-managed)'

Check warning

Code scanning / CodeQL

Log injection

Log entry depends on a [user-provided value](1).

Copilot Autofix

AI 11 days ago

In general, to fix log injection, any user-controlled value that is written to logs should be sanitized to remove characters that can break the log format (such as \r and \n) or otherwise be encoded/escaped. For plain-text logs, a simple and effective approach is to strip carriage-return and newline characters from the value before interpolation, while keeping the semantics the same for non-malicious inputs.

In this specific case, the only problematic usage is in modules/sdk-api/src/bitgoAPI.ts, where this._token?.substr(0, 8) ?? '(strategy-managed)' is interpolated into a debug() call. The best minimal fix is to compute a local safeTokenPrefix that is based on the same 8-character prefix but with any \r or \n characters removed, and then log that sanitized prefix instead of the raw substring. This does not change functional behavior (the token is not used for logic, only for display) but ensures that no unexpected newlines can be injected into the log. No new imports or external libraries are required; we can use String.prototype.replace with a simple regex.

Concretely, in requestPatch where debug('sending v2 %s request to %s with token %s', ...) is called, we will introduce a local const safeTokenPrefix = this._token ? this._token.substr(0, 8).replace(/[\r\n]/g, '') : '(strategy-managed)'; and then pass safeTokenPrefix as the third format argument to debug. This confines the change to the immediate logging context and preserves the existing logging format.

Suggested changeset 1
modules/sdk-api/src/bitgoAPI.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/modules/sdk-api/src/bitgoAPI.ts b/modules/sdk-api/src/bitgoAPI.ts
--- a/modules/sdk-api/src/bitgoAPI.ts
+++ b/modules/sdk-api/src/bitgoAPI.ts
@@ -460,12 +460,11 @@
           req.set('Auth-Timestamp', requestProperties.timestamp.toString());
 
           req.set('Authorization', 'Bearer ' + requestProperties.tokenHash);
-          debug(
-            'sending v2 %s request to %s with token %s',
-            method,
-            url,
-            this._token?.substr(0, 8) ?? '(strategy-managed)'
-          );
+          const safeTokenPrefix =
+            this._token !== undefined && this._token !== null
+              ? this._token.substr(0, 8).replace(/[\r\n]/g, '')
+              : '(strategy-managed)';
+          debug('sending v2 %s request to %s with token %s', method, url, safeTokenPrefix);
 
           req.set('HMAC', requestProperties.hmac);
         }
EOF
@@ -460,12 +460,11 @@
req.set('Auth-Timestamp', requestProperties.timestamp.toString());

req.set('Authorization', 'Bearer ' + requestProperties.tokenHash);
debug(
'sending v2 %s request to %s with token %s',
method,
url,
this._token?.substr(0, 8) ?? '(strategy-managed)'
);
const safeTokenPrefix =
this._token !== undefined && this._token !== null
? this._token.substr(0, 8).replace(/[\r\n]/g, '')
: '(strategy-managed)';
debug('sending v2 %s request to %s with token %s', method, url, safeTokenPrefix);

req.set('HMAC', requestProperties.hmac);
}
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
@bitgoAaron bitgoAaron force-pushed the aloe/hmacWebCryptoStrategy branch 2 times, most recently from 729a786 to 0cbe167 Compare March 10, 2026 00:57
@bitgoAaron bitgoAaron marked this pull request as ready for review March 10, 2026 16:01
@bitgoAaron bitgoAaron requested review from a team as code owners March 10, 2026 16:01
@bitgoAaron bitgoAaron force-pushed the aloe/hmacWebCryptoStrategy branch from 0cbe167 to 49529e2 Compare March 11, 2026 03:02
mattreid1
mattreid1 requested changes Mar 12, 2026
View reviewed changes
@bitgoAaron bitgoAaron force-pushed the aloe/hmacWebCryptoStrategy branch from 49529e2 to ea9dd57 Compare March 12, 2026 20:58
aikido-pr-checks[bot]
aikido-pr-checks bot reviewed Mar 12, 2026
View reviewed changes
aikido-pr-checks[bot]
aikido-pr-checks bot reviewed Mar 12, 2026
View reviewed changes
aikido-pr-checks[bot]
aikido-pr-checks bot reviewed Mar 12, 2026
View reviewed changes
@bitgoAaron bitgoAaron requested a review from mattreid1 March 12, 2026 21:30
mattreid1
mattreid1 previously approved these changes Mar 13, 2026
View reviewed changes
OttoAllmendinger
OttoAllmendinger reviewed Mar 16, 2026
View reviewed changes
mohammadalfaiyazbitgo
mohammadalfaiyazbitgo previously approved these changes Mar 16, 2026
View reviewed changes
Copy link
Contributor

@mohammadalfaiyazbitgo mohammadalfaiyazbitgo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

alextse-bg
alextse-bg previously approved these changes Mar 17, 2026
View reviewed changes
margueriteblair
margueriteblair reviewed Mar 17, 2026
View reviewed changes
margueriteblair
margueriteblair reviewed Mar 17, 2026
View reviewed changes
margueriteblair
margueriteblair reviewed Mar 17, 2026
View reviewed changes
margueriteblair
margueriteblair reviewed Mar 17, 2026
View reviewed changes
margueriteblair
margueriteblair reviewed Mar 17, 2026
View reviewed changes
@margueriteblair
Copy link
Contributor

margueriteblair commented Mar 17, 2026

@claude review this code and check if all the new functionality introduced has corresponding tests

@margueriteblair
Copy link
Contributor

margueriteblair commented Mar 18, 2026

@claude review and check for test coverage

mattreid1
mattreid1 previously approved these changes Mar 18, 2026
View reviewed changes
@bitgoAaron
feat: hmac authentication strategy and response verification
26308ce 
- Updated  function to be asynchronous, allowing for better handling
  of HMAC verification.
- Introduced  for default HMAC handling and added support
  for custom strategies.
- Integrated  for browser compatibility, enabling HMAC signing
  and verification using the Web Crypto API.
- Enhanced  to utilize the new HMAC strategies for request signing and response
  verification.
- Added unit tests for the new HMAC strategies and their integration with the BitGoAPI.
- Updated web demo to include a new component for WebCrypto authentication.

Ticket: CE-10122
@bitgoAaron
fix: web crypto strategy and demo
e57bd5b 
- use timingSafeEqual for comparing hmac values
- enhance web demo to support both auth versions

Ticket: CE-10122
@bitgoAaron
fix: web crypto strategy uses same hmac subject calc
76129fd 
use same calculateHMACSubject function for getting
the subject to sign as regular hmac flows
split up IndexedDB class to separate file & tests
other small changes from review

Ticket: CE-10122
@bitgoAaron bitgoAaron force-pushed the aloe/hmacWebCryptoStrategy branch from 9cc6719 to 11d5600 Compare March 18, 2026 16:32
@bitgoAaron bitgoAaron force-pushed the aloe/hmacWebCryptoStrategy branch from 11d5600 to fd4a300 Compare March 18, 2026 18:41
@bitgoAaron bitgoAaron merged commit 73b90d6 into master Mar 18, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mattreid1 mattreid1 mattreid1 approved these changes

@margueriteblair margueriteblair margueriteblair approved these changes

@mohammadalfaiyazbitgo mohammadalfaiyazbitgo mohammadalfaiyazbitgo approved these changes

@kisslove-dewangan kisslove-dewangan Awaiting requested review from kisslove-dewangan kisslove-dewangan is a code owner automatically assigned from BitGo/wallet-core-india

@OttoAllmendinger OttoAllmendinger Awaiting requested review from OttoAllmendinger

@alextse-bg alextse-bg Awaiting requested review from alextse-bg

+1 more reviewer

@aikido-pr-checks aikido-pr-checks[bot] aikido-pr-checks[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@mattreid1 mattreid1

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@bitgoAaron @margueriteblair @OttoAllmendinger @mattreid1 @mohammadalfaiyazbitgo @alextse-bg