1.0.3 • Published 7 years ago

imago-request-tag v1.0.3

License: Unlicense
Repository: bitbucket
Last release: 7 years ago

Imago Request Tag

This is a very basic way to verify that requests are coming from an authorized source and an even more basic way to avoid replay attacks.

The sending side adds an HTTP header called X-Imago-Tag, which contains the current timestamp encrypted with a secret key.

The receiving side holds the same pre-shared secret key, decrypts the header value, and checks that the timestamp is valid and not too far in the past.

On the sender side

const Tag = require('imago-request-tag');

const SHARED_SECRET_KEY = '2fa44f07d9f74d269b1dcfc8ba2a74e3';

// If using the request-promise-native package:
const request = require('request-promise-native');

request({
	method: 'GET',
	uri: '/api/method',
	headers: {
		'X-Imago-Tag': Tag.create(SHARED_SECRET_KEY),
	},
});

On the receiver side

If the tag is incorrect, Tag.check throws an exception:

const Tag = require('imago-request-tag');
// Assuming an Express application:
const express = require('express');
const app = express();

const SHARED_SECRET_KEY = '2fa44f07d9f74d269b1dcfc8ba2a74e3';

app.get('/api/method', async (request, response) => {
	try {
		Tag.check(request, SHARED_SECRET_KEY);

		// the actual code here
	} catch (error) {
		response.status(200).send({ success: false });
	}
});
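
The README does not show how the tag is built or how the receiver bounds its age, so this is an added sketch, not the package's own code: an encrypted timestamp that also carries a random nonce, so the receiver can reject a tag presented a second time inside the validity window. The names createTag, checkTag and MAX_AGE_MS, the AES-256-GCM construction and the 60-second window are all assumptions.

```javascript
const crypto = require('crypto');

// Assumptions, not taken from imago-request-tag: AES-256-GCM, a 60-second
// window, and a random nonce stored next to the timestamp.
const MAX_AGE_MS = 60 * 1000;

// Derive a 32-byte AES key; assumes the shared secret is high-entropy.
function deriveKey(secret) {
	return crypto.createHash('sha256').update(secret).digest();
}

// Sender: encrypt "<timestamp>.<nonce>" and return the header value.
function createTag(secret, now = Date.now()) {
	const iv = crypto.randomBytes(12);
	const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret), iv);
	const plaintext = `${now}.${crypto.randomBytes(16).toString('hex')}`;
	const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
	return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

// Receiver: authenticate, check freshness, then refuse a tag seen before.
// `seen` maps nonce -> expiry time and lives as long as the receiver does.
function checkTag(tag, secret, seen, now = Date.now()) {
	const raw = Buffer.from(String(tag), 'base64');
	if (raw.length < 29) throw new Error('malformed tag');
	const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(secret), raw.subarray(0, 12));
	decipher.setAuthTag(raw.subarray(12, 28));
	// final() throws when the tag was altered or made with another key.
	const plaintext = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
	const [ts, nonce] = plaintext.split('.');
	const age = now - Number(ts);
	if (!nonce || !Number.isFinite(age) || Math.abs(age) > MAX_AGE_MS) throw new Error('stale tag');
	// Forget nonces whose tags can no longer pass the freshness check.
	for (const [n, expiry] of seen) if (expiry < now) seen.delete(n);
	if (seen.has(nonce)) throw new Error('replayed tag');
	seen.set(nonce, Number(ts) + MAX_AGE_MS);
	return true;
}

// Constructed demo values.
const demoSeen = new Map();
const demoTag = createTag('constructed-demo-secret');
console.log(checkTag(demoTag, 'constructed-demo-secret', demoSeen)); // first use
try { checkTag(demoTag, 'constructed-demo-secret', demoSeen); } catch (e) { console.log(e.message); }
```

When the receiver runs as several processes, the `seen` map has to live in a store they all share, otherwise each process accepts the same tag once.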

1.0.3 • 7 years ago
1.0.2 • 7 years ago
1.0.1 • 7 years ago
1.0.0 • 7 years ago