node-tupas's Introduction

Node-tupas

Configurable Node.js module for TUPAS identification. Includes test configurations for Nordea, DanskeBank, Handelsbanken, OP, Aktia, Ålandsbanken, S-Pankki, Säästöpankki and POP Pankki.

Currently requires Express.

About

Made at Reaktor.

Apply for juicy positions at reaktor.fi/careers.

Install

npm install tupas

Testing

Run tests with grunt.

Usage and configuration

Basic usage (using default configurations)

var generalOptions = {
  appHandler: app, // an Express application
  hostUrl: 'https://domain.here.com:port[/path]', // required for building the return URLs and for binding the handlers under the optional /path; use https so the return URLs (and the identity data they carry) are not sent in the clear
};

var tupas = require('tupas').create(generalOptions);

Change configurations for existing banks or add new ones

var bankOptions = [
  {
    id: 'nordea',
    imgPath: '/path/to/my/image.png',
    vendorId: 'production id',
    checksumKey: 'production key'
  },
  {
    id: 'my-new-bank',
    authUrl: "https://my.banks.url.com/tupas",
    version: "0002",
    keyVersion: "0001",
    idType: "01",
    imgPath: "/path/to/my/image.png",
    number: "420",
    vendorId: "xxxxxxx",
    checksumKey: "xxxxxxx"
  }
];

var tupas = require('tupas').create(generalOptions, bankOptions);

Options for banks:

  • id - identifier for the bank (always use when configuring, see config.json for built-in options)
  • authUrl - url for the tupas authentication service
  • version - A01Y_VERS
  • keyVersion - A01Y_KEYVERS
  • idType - A01Y_IDTYPE
  • imgPath - path for the image used for the HTML form
  • number - bank number (e.g. 800 for DanskeBank)
  • vendorId - A01Y_RCVID
  • checksumKey - vendor specific key used in computing the MAC

Create TUPAS authentication "buttons" for configured banks

var requestId = "12345678987654321234"; // used as A01Y_STAMP
var buttonHtml = tupas.tupasButton('nordea', 'FI', requestId);

...or if you just want the request parameters without generating any HTML:

var params = tupas.buildRequestParams('nordea', 'FI', requestId);

Get a listing of all configured banks (IDs)

var banks = tupas.banks
// => ['danskebank', 'handelsbanken', 'nordea',
//     'op', 'aktia', 'alandsbanken', 'spankki',
//     'saastopankki', 'poppankki', 'my-new-bank']

Response handling

The module binds the paths /tupas/ok (GET and POST), /tupas/cancel (GET only) and /tupas/reject (GET only) on the given Express app for use as the return URLs.

Response handling is event-based.

tupas.on('success', function (request, response) {
  // Successful tupas authentication. Get auth data from request.query.
});

tupas.on('mac-check-failed', function (request, response) {
  // The bank returned to /tupas/ok, but the MAC of the response did not verify.
  // Treat this as a failed authentication: none of the returned fields can be trusted.
});

tupas.on('cancel', function (request, response) {
  // User cancelled authentication.
});

tupas.on('reject', function (request, response) {
  // Authentication attempt was rejected by the bank.
});

Sample application

See sample/app.js for a simple usage example. Run the sample app locally with node sample/start-sample.js.

node-tupas's People

Contributors

auramo, dolmio, lateks, laurilehmijoki, lehtu, panuhorsmalahti, raamu, rjoonas


node-tupas's Issues

Q: Merging a fork which makes this package more generic?

Hi,

Firstly, thanks for open-sourcing this package!

I ended up needing TUPAS functionality in a single-page app built on top of hapi, and instead of rolling my own implementation, decided to modify and use this package. This required a small amount of changes (+ did some additional fixes), a high-level summary:

  • Remove express dependency from the core
  • Allow creating an instance without an appHandler (to be able to use the internals also on client-side without providing dummy appHandler implementation)
  • Cleaned up the form (no JS needed for submission, no CSS in style attribute, more semantic HTML)
  • Validating (some of the) function arguments (with tests)
  • Add a hapi plugin sample

Breaking changes:

  • express no longer exposes the static img directory by default, so this needs to be done in the host application
  • Requires hostUrl to use https (this is probably the case anyway, though)

Some further considerations:

  • This package doesn't state the targeted supported node version nor the targeted supported browsers. Thus I worked based on the assumption that these targets are node >0.10 and browsers starting from ancient IE6, although there's not much to break regarding these.
  • The hapi plugin uses some ES6 features and thus works only on node >4.x. This is, however, the setup for the latest hapi itself, too, so not sure if this is a problem. The main annoyance due to this is seeing warnings during npm install (when developing this package, not when using this, hapi dep is a dev-dep).

Full diff available here master...harriha:master

I understand that this package, as it is now, is a quite simple plug'n'play solution for a traditional web site built on top of express. Nevertheless, would you be interested in merging these changes to enable a wider audience for this package? I'd be happy to open one or several PRs to get those changes in, whatever you'd prefer.

Insecure example requestId

http://www.finanssiala.fi/maksujenvalitys/dokumentit/Tupas-varmennepalvelu_v23c.pdf
"Field 5: A unique identifier assigned by the service provider to the identification request. The identifier may be a reference, a customer number, or a combination of the date, the time, a running sequence number and a reference." (translated from the Finnish original)

Using the last digits "123456" as in sample/app.js results in a problem where two or more authentications occurring within the same second cannot be distinguished. Depending on the implementation this can lead to the application using the wrong identity.

As such I think the example is a bit dangerous. It should rather use current time microseconds or possibly a globally running counter % 1000000.
