Andi Giga Andi Giga - 19 days ago 5x
Node.js Question

Node Hmac Authentication

My understanding of the authentication process. The host creates a

and a
public api key
. The client is crypting the payload with the help of the secret, this is the signature. Then sends its public key, payload, signature to the host.

Example client

The host checks if the public key is allowed to do an operation and gets the secret according to the clients public key. With the help of the secret the host decrypts the signature and compares it to the payload.


  • Is the above process described correctly?

  • How to decrypt the signature and compare it to the payload?

  • Or am I supposed to crypt it in the same way as the client dos and compare it then?

  • What exactly do the two steps
    Node Docs


authenticate: (self)->
payload = 'AUTH' + moment()
signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)

data = {
event: 'auth',
authSig: signature,
authPayload: payload
self.send self, data


hmac = crypto.createHmac('sha384', WEBSOCKET_SECRET)
hmac.on 'readable', () ->
data =
if (data)
console.log data, data.toString('utf-8')

# hmac.write(authPayload)

Current Server Side Solution

authenticate: (authPublicKey, authSignature, authPayload)->
signature = crypto.createHmac('sha384', WEBSOCKET_SECRET)

return authSignature == signature


HMAC isn't use to crypt / decrypt, is just use for authentication and check of data integrity.

Client send his payload, his pk, and the hmac of his payload with his secret key. Server retrieve user with his pk, recompute the hmac with the retrieved sk and then check if the computed hmac is equal to the retrieved hmac.

Client has a public key, and secret key :

var str        = payload_string;
var public_key = pk;
var secret_key = sk;

var hmac = crypto.createHmac('sha384', sk).update(str).digest('hex');{uri:..., json:{hmac:hmac, public_key:public_key, payload: str}, function(err, response, body){

On server :

exports.... = function(req, res)
   var hmac = req.body.hmac;
   var pk = req.body.public_key;
   var payload  = req.body.payload;

   // retrieve authorized user
   User.findOne({pk:pk},function(err, user){
      if(err || !user){
        return res.status(403).json({error:"Invalid user"});

         // recompute hmac
         var compute_hmac= crypto.createHmac('sha384','hex');

         // check hmac
         if(compute_hmac != hmac){
           return res.status(403).json({error:"Security check failed"});
            // do stg
            return res.status(200).json({success:"ok"});