@asoorm
Last active February 14, 2024 17:10
Postman pre-request script to sign HTTP requests with an HMAC shared secret
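/*
 * Postman pre-request script: signs the outgoing request with an HMAC shared
 * secret and sends the result in an `Authorization: Signature ...` header.
 *
 * Steps: set the Date header, build the list of signed header names, build the
 * string to sign (one "name: value" line per signed item), compute the HMAC,
 * then set the Authorization header.
 */

/* CHANGE THIS STUFF */
// NOTE(security): KEY_ID and HMAC_SECRET are the sample values published with
// this script. Do not paste real credentials into a script that is exported or
// shared with a collection; keep them in a Postman environment or vault
// variable and read them here instead (for example with pm.environment.get).
const KEY_ID = "61eaf3e25ebd3aa2f8d2958953bc5cc49e754195ac07e70c4f6d8fb6";
// Passed to CryptoJS as a plain string: the Base64 text itself is the HMAC key,
// it is not decoded first.
const HMAC_SECRET = "NWU0MzQ0ZjZmY2JiNGU4N2I1NmEyZjJlYTRlOTE0YzI=";
const SIGN_REQUEST_TARGET = true;
const SIGN_REQUEST_DATE = true;
const HEADERS_TO_SIGN = ["x-test-1", "x-test-2"];
const SIGNING_ALGORITHM = "hmac-sha512"; // supported algorithms: hmac-sha1, hmac-sha256, hmac-sha384, hmac-sha512
/* DO NOT CHANGE BELOW THIS LINE */

// Algorithm label -> name of the CryptoJS helper that computes it.
const HMAC_HELPERS = new Map([
  ["hmac-sha1", "HmacSHA1"],
  ["hmac-sha256", "HmacSHA256"],
  ["hmac-sha384", "HmacSHA384"],
  ["hmac-sha512", "HmacSHA512"],
]);

// upsert (not add) so a Date header already defined on the request is replaced
// rather than duplicated; the signed value must be the one that is sent.
const dateHeader = new Date().toUTCString();
pm.request.headers.upsert({
  key: "Date",
  value: dateHeader,
});

// Header names are lower-cased once and reused for both the `headers` list and
// the string to sign, so the two can never disagree on case.
const signedHeaderNames = HEADERS_TO_SIGN.map((header) => header.toLowerCase());

/*
BUILD HEADERS STRING
*/
const headersString = [
  ...(SIGN_REQUEST_TARGET ? ["(request-target)"] : []),
  ...(SIGN_REQUEST_DATE ? ["date"] : []),
  ...signedHeaderNames,
].join(" ");
console.log("headersString", headersString);

/*
BUILD SIGNATURE STRING
*/
const signatureLines = [];
if (SIGN_REQUEST_TARGET) {
  // getPath() returns the path only, so query parameters are NOT covered by
  // the signature. NOTE(review): confirm this matches what the verifying
  // server reconstructs before relying on it for integrity of the query.
  signatureLines.push(`(request-target): ${pm.request.method.toLowerCase()} ${pm.request.url.getPath()}`);
}
if (SIGN_REQUEST_DATE) {
  signatureLines.push(`date: ${dateHeader}`);
}
signedHeaderNames.forEach((name) => {
  const value = pm.request.headers.get(name);
  if (value == null) {
    // Signing the literal text "undefined" would yield a signature the server
    // cannot verify, so stop here with a clear message instead.
    throw new Error(`cannot sign header "${name}": it is not set on the request`);
  }
  // NOTE(review): a value containing {{variables}} may not be resolved yet at
  // pre-request time; confirm the signed value equals the one that is sent.
  signatureLines.push(`${name}: ${value}`);
});
const signatureString = signatureLines.join("\n").trimEnd();
console.log("signatureString:", signatureString);

// An unrecognised label falls back to hmac-sha1, as before. The warning makes
// the downgrade visible: a typo in SIGNING_ALGORITHM otherwise goes unnoticed.
let signingAlgorithm = SIGNING_ALGORITHM;
let hmacHelperName = HMAC_HELPERS.get(signingAlgorithm);
if (hmacHelperName === undefined) {
  console.warn("signing algorithm unknown, defaulting to `hmac-sha1`");
  signingAlgorithm = "hmac-sha1";
  hmacHelperName = "HmacSHA1";
}

// The Base64 MAC is percent-encoded before it goes into the header.
// NOTE(review): confirm the verifying server decodes it the same way.
const signature = encodeURIComponent(
  CryptoJS[hmacHelperName](signatureString, HMAC_SECRET).toString(CryptoJS.enc.Base64)
);
console.log("signature", signature);

// upsert so an Authorization header already present on the request is replaced.
pm.request.headers.upsert({
  key: "Authorization",
  value: `Signature keyId="${KEY_ID}",algorithm="${signingAlgorithm}",headers="${headersString}",signature="${signature}"`,
});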