diff --git a/pomelo/api/transactions/authorizations.ts b/pomelo/api/transactions/authorizations.ts
index 0d8e6304..98ba3aac 100644
--- a/pomelo/api/transactions/authorizations.ts
+++ b/pomelo/api/transactions/authorizations.ts
@@ -25,7 +25,7 @@ export default async function authorizations(request: VercelRequest, response: V
 return response.status(403).end("forbidden");
 }
- const parsed = authorizationRequest.safeParse(raw);
+ const parsed = authorizationRequest.safeParse(JSON.parse(raw));
 if (parsed.success) {
 const tx = await processTransaction(parsed.data);
diff --git a/pomelo/utils/buffer.ts b/pomelo/utils/buffer.ts
index 0c3e7252..beebd636 100644
--- a/pomelo/utils/buffer.ts
+++ b/pomelo/utils/buffer.ts
@@ -1,9 +1,11 @@
 import type { Readable } from "node:stream";
-export default async function buffer(readable: Readable) {
- const chunks = [];
- for await (const chunk of readable) {
- chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
- }
- return Buffer.concat(chunks);
+export default function buffer(request: Readable): Promise {
+ return new Promise((r) => {
+ const chunks: Buffer[] = [];
+ request.on("data", (chunk: Buffer | string) => chunks.push(Buffer.from(chunk)));
+ request.on("end", () => {
+ r(Buffer.concat(chunks));
+ });
+ });
 }
diff --git a/pomelo/utils/verify.ts b/pomelo/utils/verify.ts
index ce9ec9c1..e40fa5a7 100644
--- a/pomelo/utils/verify.ts
+++ b/pomelo/utils/verify.ts
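Review bot: `JSON.parse(raw)` on the added line throws a `SyntaxError` on a malformed body, so the non-throwing contract of `safeParse` no longer covers this step and the handler would reject instead of answering. Unless a try/catch exists outside this hunk, parse inside one and answer with a client error, e.g. `let json: unknown; try { json = JSON.parse(raw); } catch { return response.status(400).end("bad request"); }`. The body of `authorizations` starts and ends outside the hunk, so the type of `raw` and any existing error path are not visible here.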
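Review bot: The rewritten `buffer` never settles when the stream emits `error` or is destroyed before `end`, because only `data` and `end` are handled; the removed `for await` loop rejected in that case. Take both promise callbacks and add `request.once("error", reject);` so an aborted upload fails the request instead of hanging it. The accumulated size is also unbounded, and if this runs before `verifySignature` an unauthenticated sender controls how much memory is held. A byte cap that rejects oversized bodies would close that, and a short docstring should state the cap.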
@@ -15,11 +15,11 @@ export function verifySignature(request: VercelRequest, body: string) {
 let signature = request.headers["x-signature"];
 const apiKey = request.headers["x-api-key"];
- if (!valid(endpoint) || !valid(timestamp) || !valid(apiKey) || Array.isArray(apiKey) || !valid(signature)) {
+ if (!valid(endpoint) || !valid(timestamp) || !valid(apiKey) || !valid(signature)) {
 return false;
 }
- if (!POMELO_API_KEY) return false;
+ if (apiKey !== POMELO_API_KEY || !POMELO_API_SECRET) return false;
 if (signature.startsWith("hmac-sha256")) {
 signature = signature.replace("hmac-sha256 ", "");
@@ -28,7 +28,7 @@ export function verifySignature(request: VercelRequest, body: string) {
 }
 const hmac = crypto
- .createHmac("sha256", Buffer.from(POMELO_API_KEY, "base64"))
+ .createHmac("sha256", Buffer.from(POMELO_API_SECRET, "base64"))
 .update(timestamp)
 .update(endpoint)
 .update(body);
@@ -47,11 +47,11 @@ export function signResponse(request: VercelRequest, response: VercelResponse, t
 return response.status(400).end("bad request");
 }
- if (!POMELO_API_KEY) return response.status(500).end("internal server error");
+ if (apiKey !== POMELO_API_KEY || !POMELO_API_SECRET) return response.status(500).end("internal server error");
 const timestamp = Math.floor(Date.now() / 1000).toString();
- const hmac = crypto.createHmac("sha256", Buffer.from(POMELO_API_KEY, "base64")).update(timestamp).update(endpoint);
+ const hmac = crypto.createHmac("sha256", Buffer.from(POMELO_API_SECRET, "base64")).update(timestamp).update(endpoint);
 if (text) hmac.update(text);
 const hash = hmac.digest("base64");
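Review bot: The added guard `apiKey !== POMELO_API_KEY || !POMELO_API_SECRET` in `verifySignature` rejects an unset `POMELO_API_KEY` and a repeated `x-api-key` header (a `string[]`) only implicitly, now that the explicit `!POMELO_API_KEY` and `Array.isArray(apiKey)` checks are gone. Both cases do fail the strict comparison as long as `valid()` refuses empty values, but `valid()` is defined outside this hunk, so I would keep the configuration check explicit: `if (!POMELO_API_KEY || !POMELO_API_SECRET || apiKey !== POMELO_API_KEY) return false;`. A one-line comment such as `// fail closed: missing config, array-valued or mismatched key` would keep a later edit from loosening it. The same condition is repeated in the `signResponse` hunk.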
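Review bot: `Buffer.from(POMELO_API_SECRET, "base64")` does not throw on characters outside the base64 alphabet, so a mis-pasted or wrongly encoded secret silently yields a different, possibly shorter HMAC key. Decoding once at module load and refusing to serve when the result is empty or shorter than the provider's documented secret length would surface that as a configuration failure; the `signResponse` hunk has the same call. The comparison of this digest with `signature` lies outside the hunk, so it is worth confirming that it uses `crypto.timingSafeEqual` on equal-length buffers and that `timestamp` is checked for freshness, since neither is visible here.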
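Review bot: In `signResponse` a mismatched `x-api-key` now answers 500, which reports a caller-controlled header value as a server fault and makes a genuine missing-secret misconfiguration indistinguishable from a bad request in logs and alerts. Splitting the guard keeps the two apart: `if (!POMELO_API_KEY || !POMELO_API_SECRET) return response.status(500).end("internal server error");` followed by `if (apiKey !== POMELO_API_KEY) return response.status(403).end("forbidden");`. The function body starts and ends outside the hunk, so whether callers always run `verifySignature` first is not visible.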