index.js
1.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
var badArgumentsError = new Error('hpkp must be called with a maxAge and at least two SHA-256s (one actually used and another kept as a backup).')
module.exports = function hpkp (passedOptions) {
var options = parseOptions(passedOptions)
var headerKey = getHeaderKey(options)
var headerValue = getHeaderValue(options)
return function hpkp (req, res, next) {
var setHeader = true
var setIf = options.setIf
if (setIf) {
setHeader = setIf(req, res)
}
if (setHeader) {
res.setHeader(headerKey, headerValue)
}
next()
}
}
function parseOptions (options) {
if (!options) { throw badArgumentsError }
if (options.maxage && options.maxAge) { throw badArgumentsError }
var maxAge = options.maxAge
var sha256s = options.sha256s
var setIf = options.setIf
if (!maxAge || maxAge <= 0) { throw badArgumentsError }
if (!sha256s || sha256s.length < 2) { throw badArgumentsError }
if (setIf && (typeof setIf !== 'function')) {
throw new TypeError('setIf must be a function.')
}
if (options.reportOnly && !options.reportUri) { throw badArgumentsError }
return {
maxAge: maxAge,
sha256s: sha256s,
includeSubDomains: options.includeSubDomains || options.includeSubdomains,
reportUri: options.reportUri,
reportOnly: options.reportOnly,
setIf: setIf
}
}
function getHeaderKey (options) {
var header = 'Public-Key-Pins'
if (options.reportOnly) {
header += '-Report-Only'
}
return header
}
function getHeaderValue (options) {
var result = options.sha256s.map(function (sha) {
return 'pin-sha256="' + sha + '"'
})
result.push('max-age=' + Math.round(options.maxAge))
if (options.includeSubDomains) {
result.push('includeSubDomains')
}
if (options.reportUri) {
result.push('report-uri="' + options.reportUri + '"')
}
return result.join('; ')
}