How to access raw request body in middleware?

[ztalarick]

Hello, I am trying to implement HMAC authentication as a middleware. I need:

1. the header containing the hmac signature
2. the raw request body to check the signature against

currently I am working with something like:

export const hmacAuthMiddleware = new Middleware({
    input: z.object({
      'x-hmac-signature': z.string(),
    }),
    // input: ez.raw(),
    handler: async ({ input, request }) => {
      const { 'x-hmac-signature': signature } = input;

        if (
          !verifyHmacSignature({
            body: JSON.stringify(request.body),
            signatureHeader: signature,
            secret: secret(), // I look this up elsewhere
          })
        ) {
          throw new createHttpError.Unauthorized('Invalid HMAC signature');
        }
      return {};
    },
  });

This is incorrect because the JSON.stringify(request.body) affects the string the signature is generated against. How can I get the raw body? I am aware of using input ez.raw() as input, but this seems to require the request header to not have json content type. Any help would be appreciated! thank you

[RobinTail]

There are different parsers involved into processing the request BEFORE the request given to any handler:

express-zod-api/express-zod-api/src/server.ts

Lines 80 to 88 in 6b78d2e

	const parsers: Parsers = {
	json: [config.jsonParser || express.json()],
	raw: [config.rawParser || express.raw(), moveRaw],
	form: [config.formParser || express.urlencoded()],
	upload: config.upload
	? await createUploadParsers({ config, getLogger })
	: [],
	};
	initRouting({ app, routing, getLogger, config, parsers });

The right parser applied depending on the Endpoint::requestType, which in your case depends on the presence of ez.raw() in the input schema:

express-zod-api/express-zod-api/src/routing.ts

Line 73 in 6b78d2e

const matchingParsers = parsers?.[endpoint.requestType] || [];

By default it uses express.raw() without any extra configuration. Which by default expects you to have application/octet-stream content type of the request.

However, you can customize it, by setting rawParser config option:

express-zod-api/express-zod-api/src/config-type.ts

Lines 175 to 180 in 6b78d2e

	/**
	* @desc Custom raw parser (assigns Buffer to request body)
	* @default express.raw()
	* @link https://expressjs.com/en/4x/api.html#express.raw
	* */
	rawParser?: RequestHandler;

Set it to express.raw({ type: 'application/json' }) or even */* and then it will treat JSON requests as raw.

Check out the documentation for all express.raw() options: https://expressjs.com/en/api.html#express.raw , @ztalarick

[ztalarick]

Thank you!