'use strict';
const express = require('express');
const router = express.Router();
const crypto = require('crypto');
function sha256(data) {
return crypto.createHash('sha256').update(data).digest('base64');
}
function validateWSSE(req, res, next) {
const wsseHeader = req.headers['x-wsse'];
if (!wsseHeader) {
return unauthorized(res, 'WSSE header is missing');
}
const regex = /UsernameToken Username="(.+?)", PasswordDigest="(.+?)", (?:Nonce|nonce)="(.+?)", Created="(.+?)"/;
const matches = wsseHeader.match(regex);
if (!matches) {
return unauthorized(res, 'Invalid WSSE header format');
}
const [_, username, passwordDigest, nonce, created] = matches;
const expectedPassword = 'bruno'; // Ideally store in a config or env variable
const expectedDigest = sha256(nonce + created + expectedPassword);
if (passwordDigest !== expectedDigest) {
return unauthorized(res, 'Invalid credentials');
}
next();
}
// Helper to respond with an unauthorized SOAP fault
function unauthorized(res, message) {
const faultResponse = `
soapenv:Client
${message}
`;
res.status(401).set('Content-Type', 'text/xml');
res.send(faultResponse);
}
const responses = {
success: `
Success
`
};
router.post('/protected', validateWSSE, (req, res) => {
res.set('Content-Type', 'text/xml');
res.send(responses.success);
});
module.exports = router;