WSSE requests are generating too long digests #6482

@ValdemarGr

I have checked the following:

  • I have searched existing issues and found nothing related to my issue.

This bug is:

  • making Bruno unusable for me
  • slowing me down but I'm able to continue working
  • annoying
  • this feature was working in a previous version but is broken in the current release.

Bruno version

2.15.1

Operating System

Linux

Describe the bug

This code fixed the issue for us; the API call succeeds. I generated the following code using an LLM after feeding it the current algorithm's digest:

const crypto = require('crypto');

// Credentials (prefer environment variables)
const username = bru.getEnvVar('WSSE_USERNAME');
const password = bru.getEnvVar('WSSE_PASSWORD');

if (!username || !password) {
  throw new Error('WSSE credentials are not set in the environment');
}

const created = new Date().toISOString();
const nonceBytes = crypto.randomBytes(16);

// WSSE PasswordDigest = Base64(SHA1(nonce + created + password))
const passwordDigest = crypto
  .createHash('sha1')
  .update(Buffer.concat([
    nonceBytes,
    Buffer.from(created, 'utf8'),
    Buffer.from(password, 'utf8'),
  ]))
  .digest('base64');

// Nonce must be Base64-encoded in the header
const nonce = nonceBytes.toString('base64');

const wsseHeader =
  `UsernameToken Username="${username}", ` +
  `PasswordDigest="${passwordDigest}", ` +
  `Nonce="${nonce}", ` +
  `Created="${created}"`;

// Set the header
req.setHeader('X-WSSE', wsseHeader);

Here are the highlighted bugs, also LLM generated:

❌ 1. Nonce is hex-encoded too early

const nonce = crypto.randomBytes(16).toString('hex');

WSSE requires the digest to be computed over raw bytes, not the hex string representation.

  • randomBytes(16) → ✅ correct
  • .toString('hex') → ❌ wrong for digest input

❌ 2. Hashing a concatenated string instead of bytes

hash.update(nonce + ts + password);

This hashes a UTF-8 string, not:

Nonce (bytes) + Created (bytes) + Password (bytes)

❌ 3. Double-encoding the digest (hex → utf8 → base64)

const digest = Buffer
  .from(hash.digest('hex').toString('utf8'))
  .toString('base64');

This is the biggest issue.

You are:

  1. Producing a hex string (40 chars)
  2. Treating that string as UTF-8 text
  3. Base64-encoding the text

WSSE requires:

Base64( raw SHA-1 bytes )

.bru file to reproduce the bug

No response

Screenshots/Live demo link

.
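Added example, not part of the issue or of Bruno's code: it puts the three quoted snippets together as `buggyDigest`, places the workaround's construction beside it as `fixedDigest`, and runs both through a receiver-side check to show why the longer digest is rejected. `buildHeader`, `verifyHeader` and the sample credentials are hypothetical and constructed for illustration; the nonce is assumed to be sent Base64-encoded as in the workaround.

```javascript
const crypto = require('crypto');

// Digest built the way the three quoted snippets do it:
// hex nonce string, string concatenation, then hex -> UTF-8 -> Base64.
function buggyDigest(nonceBytes, created, password) {
  const nonce = nonceBytes.toString('hex');
  const hash = crypto.createHash('sha1');
  hash.update(nonce + created + password);
  return Buffer.from(hash.digest('hex')).toString('base64');
}

// Digest built the way the workaround does it: Base64 of the raw SHA-1 bytes.
function fixedDigest(nonceBytes, created, password) {
  const input = Buffer.concat([nonceBytes, Buffer.from(created, 'utf8'), Buffer.from(password, 'utf8')]);
  return crypto.createHash('sha1').update(input).digest('base64');
}

// Hypothetical helper: header layout copied from the workaround.
function buildHeader(username, digest, nonceBytes, created) {
  return `UsernameToken Username="${username}", PasswordDigest="${digest}", ` +
    `Nonce="${nonceBytes.toString('base64')}", Created="${created}"`;
}

// Hypothetical receiver-side check: parse the header, recompute, compare.
function verifyHeader(header, password) {
  const f = {};
  for (const m of header.matchAll(/(\w+)="([^"]*)"/g)) f[m[1]] = m[2];
  if (!f.PasswordDigest || !f.Nonce || !f.Created) return { ok: false, reason: 'missing field' };
  const got = Buffer.from(f.PasswordDigest, 'base64');
  // SHA-1 output is 20 bytes; anything else cannot be a raw SHA-1 digest.
  if (got.length !== 20) return { ok: false, reason: `digest is ${got.length} bytes, expected 20` };
  const want = Buffer.from(fixedDigest(Buffer.from(f.Nonce, 'base64'), f.Created, password), 'base64');
  return crypto.timingSafeEqual(got, want) ? { ok: true } : { ok: false, reason: 'digest mismatch' };
}

// Constructed sample values, not real credentials.
const sample = {
  username: 'alice',
  password: 'example-password',
  created: '2025-01-01T00:00:00.000Z',
  nonce: Buffer.from('000102030405060708090a0b0c0d0e0f', 'hex'),
};

for (const [name, fn] of [['buggy', buggyDigest], ['fixed', fixedDigest]]) {
  const digest = fn(sample.nonce, sample.created, sample.password);
  const result = verifyHeader(buildHeader(sample.username, digest, sample.nonce, sample.created), sample.password);
  console.log(name, digest.length, 'chars', JSON.stringify(result));
}
```

The buggy digest is 56 Base64 characters that decode to the 40-character hex text of a hash, while the fixed one is 28 characters decoding to 20 raw bytes, which is the length difference the issue title refers to.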

Metadata

Labels

bug, has-pr
