Guide to verifying HMAC SHA256 in Node.js

I can successfully create an Hmac via NodeJS using the following code (slightly altered example from: https://nodejs.org/api/crypto.html#cryptocreatehmacalgorithm-key-options):

const Crypto = require('crypto');

// HMAC-SHA256 over the message, keyed with 16 random bytes
Crypto.createHmac('sha256', Crypto.randomBytes(16))
   .update('I love cupcakes')
   .digest('hex');

That results in a value like the following (hex-based string Hmac signature):

fb2937ca821264812d511d68ae06a643915931375633173ba64af9425f2ffd53

How do I use that signature to verify that the data was not altered? (using NodeJS, of course).

My Assumption

I'm assuming there is a method call where you supply the data and the signature and you get a boolean that tells you if the data was altered or not -- or something similar.

Another Solution?

Oh, wait, as I was writing that I started thinking...

Do I need to store the original random bytes I generated (Crypto.randomBytes(16)) and pass them to the receiver so they can just generate the HMac again and verify that the result is the same (fb2937ca821264812d511d68ae06a643915931375633173ba64af9425f2ffd53)?

If that is true that would be odd, because the parameter for Crypto.randomBytes(16) is named secret (in the official example)*. Seems like that needs to be kept secret??

Please let me know if there is a way to verify the signature on the receiving side & how I do that.

Official Documentation : A Bit Confusing

Here's the function as it is defined in the official docs: crypto.createHmac(algorithm, key[, options])

In the function definition, you can see the second param is named key.

However, in the example they refer to it as secret:

const crypto = require('crypto');

const secret = 'abcdefg';
const hash = crypto.createHmac('sha256', secret)
               .update('I love cupcakes')
               .digest('hex');
console.log(hash);
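The verification asked about above, as an added example (not part of the original post, the Node.js docs, or the package described below): the receiver recomputes the HMAC with the same shared key and compares the two tags with crypto.timingSafeEqual. The function names sign and verify, the 32-byte key length and the sample values are assumptions made for this illustration.

```javascript
// Added example: sign and verify with a shared key using only node:crypto.
const crypto = require('node:crypto');

// Sender side: compute the hex HMAC-SHA256 tag over the message.
function sign(key, message) {
  return crypto.createHmac('sha256', key).update(message).digest('hex');
}

// Receiver side: recompute the tag with the same key and compare in
// constant time. Returns true only if the message and tag match.
function verify(key, message, signatureHex) {
  // Reject anything that is not exactly 64 hex characters before decoding;
  // Buffer.from(..., 'hex') silently truncates at the first invalid character.
  if (typeof signatureHex !== 'string' || !/^[0-9a-f]{64}$/i.test(signatureHex)) {
    return false;
  }
  const expected = crypto.createHmac('sha256', key).update(message).digest();
  const received = Buffer.from(signatureHex, 'hex');
  // timingSafeEqual throws on unequal lengths; both buffers are 32 bytes here.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample values. The key is generated once, stored, and shared
// with the receiver over a secure channel; it is never sent with the message.
const key = crypto.randomBytes(32); // 32 bytes matches the SHA-256 output size
const message = 'I love cupcakes';
const tag = sign(key, message);

console.log(verify(key, message, tag));                    // true
console.log(verify(key, 'I love cupcakes!', tag));         // false: data altered
console.log(verify(crypto.randomBytes(32), message, tag)); // false: wrong key
```

Anyone who holds the key can both create and verify tags, which is why the docs call it a secret: it is shared between sender and receiver and withheld from everyone else.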

1.3.4 • Public • Published 6 months ago

verify-hmac-sha

A simple package to verify HMAC signatures computed with SHA-256. It just uses the native Node.js crypto module, as you see in the official docs. I wrapped it all up so that you can do this with fewer lines of code.

How to use

Most of the time you will just need the verify() method, which returns true or false:

const verifyHmac256 = require('verify-hmac-sha')
const secret = 'test-secret'
const payload = JSON.stringify({ example: 123 })
const signature = '0076b0ee1c6ea46ec31c8076b40447097497ab311866dd207fa7708e7a2bcc43'
console.log(
  // do verifyHmac256.encodeInBase64.verify in case of Base64 digest
  // verifyHmac256.encodeIn('base64') also works. Just pass in the encoding you prefer
  // I believe in most cases you will use either encodeInHex or encodeInBase64
  verifyHmac256.encodeInHex.verify({
    signature,
    secret,
    payload
  })
) // true
