Countly
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎lib/countly-bulk.js‎
Lines changed: 5 additions & 7 deletions b/‎lib/countly-bulk.js‎
Lines changed: 5 additions & 7 deletions
diff --git a/‎lib/countly-common.js‎
Lines changed: 60 additions & 0 deletions b/‎lib/countly-common.js‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎lib/countly.js‎
Lines changed: 32 additions & 11 deletions b/‎lib/countly.js‎
Lines changed: 32 additions & 11 deletions
@@ -2,3 +2,6 @@
 **/node_modules
 bulk_data/**
 **/data
+.nyc_output
+coverage
+coverage-report.txt
@@ -1,3 +1,6 @@
+## 24.10.4
+- Added a new init time flag `salt` for request tampering protection (should be used in tandem with server options)
+
 ## 24.10.3
 - Added support for uploading user images by providing path to the local image using `picturePath` parameter in `user_details` method (non-bulk)
 - Reduced SDK log verbosity
 
@@ -40,6 +40,7 @@ CountlyBulk.StorageTypes = cc.storageTypeEnums;
  * @param {number} [conf.session_update=60] - how often in seconds should session be extended
  * @param {number} [conf.max_events=100] - maximum amount of events to send in one batch
  * @param {boolean} [conf.force_post=false] - force using post method for all requests
+ * @param {string} [conf.salt] - shared secret used to append checksum256 to outgoing requests
  * @param {string} [conf.storage_path] - where SDK would store data, including id, queues, etc
  * @param {string} [conf.http_options=] - function to get http options by reference and overwrite them, before running each request
  * @param {number} [conf.max_key_length=128] - maximum size of all string keys
@@ -59,7 +60,7 @@ CountlyBulk.StorageTypes = cc.storageTypeEnums;
  * });
  */
 function CountlyBulk(conf) {
-    var SDK_VERSION = "24.10.3";
+    var SDK_VERSION = "24.10.4";
     var SDK_NAME = "javascript_native_nodejs_bulk";
 
     var empty_queue_callback = null;
@@ -96,6 +97,7 @@ function CountlyBulk(conf) {
     conf.session_update = conf.session_update || 60;
     conf.max_events = conf.max_events || 100;
     conf.force_post = conf.force_post || false;
+    conf.salt = conf.salt || null;
     conf.persist_queue = conf.persist_queue || false;
     conf.http_options = conf.http_options || null;
     conf.maxKeyLength = conf.max_key_length || maxKeyLength;
@@ -467,16 +469,12 @@ function CountlyBulk(conf) {
     }
 
     /**
-     *  Convert JSON object to query params
+     *  Convert JSON object to query params and append checksum when configured
      *  @param {Object} params - object with url params
      *  @returns {String} query string
      */
     function prepareParams(params) {
-        var str = [];
-        for (var i in params) {
-            str.push(`${i}=${encodeURIComponent(params[i])}`);
-        }
-        return str.join("&");
+        return cc.addChecksum(cc.serializeParams(params), conf.salt, false, false);
     }
 
     /**
 
@@ -1,6 +1,8 @@
 /**
 * main common functionalities will go in here
 */
+var crypto = require("crypto");
+
 var cc = {
 
     // debug value from Countly
@@ -135,6 +137,64 @@ var cc = {
         }
         return ob;
     },
+    /**
+     * Convert params object to URL encoded query parameter string
+     * @param {Object} params - object with query parameters
+     * @returns {String} URL encoded query string
+     */
+    serializeParams: function serializeParams(params) {
+        var str = [];
+        var keys = Object.keys(params || {});
+        for (var i = 0; i < keys.length; i++) {
+            var key = keys[i];
+            str.push(`${key}=${encodeURIComponent(params[key])}`);
+        }
+        return str.join("&");
+    },
+    /**
+     * Calculate the SHA-256 checksum for provided request data and salt
+     * @param {String} data - serialized request data
+     * @param {String} salt - developer provided shared secret
+     * @param {Boolean} decodeBeforeHash - if true decodes serialized data before hashing
+     * @param {Boolean} uppercase - if true returns uppercase hex
+     * @returns {String} checksum in hex format
+     */
+    calculateChecksum: function calculateChecksum(data, salt, decodeBeforeHash, uppercase) {
+        var checksumData = data || "";
+        if (decodeBeforeHash) {
+            try {
+                checksumData = decodeURIComponent(checksumData);
+            }
+            catch (e) {
+                this.log(this.logLevelEnums.WARNING, `calculateChecksum, Failed to decode request data before hashing: [${e}]`);
+            }
+        }
+        var hash = crypto.createHash("sha256");
+        hash.update(`${checksumData}${salt}`);
+        var checksum = hash.digest("hex");
+        if (uppercase) {
+            return checksum.toUpperCase();
+        }
+        return checksum;
+    },
+    /**
+     * Append checksum256 to serialized request data when salt is configured
+     * @param {String} data - serialized request data
+     * @param {String} salt - developer provided shared secret
+     * @param {Boolean} decodeBeforeHash - if true decodes serialized data before hashing
+     * @param {Boolean} uppercase - if true appends uppercase hex
+     * @returns {String} serialized request data with checksum when configured
+     */
+    addChecksum: function addChecksum(data, salt, decodeBeforeHash, uppercase) {
+        if (!salt) {
+            return data;
+        }
+        var checksum = this.calculateChecksum(data, salt, decodeBeforeHash, uppercase);
+        if (!data) {
+            return `checksum256=${checksum}`;
+        }
+        return `${data}&checksum256=${checksum}`;
+    },
     /**
      *  Removing trailing slashes
      *  @memberof Countly._internals
 
@@ -35,7 +35,7 @@ Countly.StorageTypes = cc.storageTypeEnums;
 Countly.DeviceIdType = cc.deviceIdTypeEnums;
 Countly.Bulk = Bulk;
 (function() {
-    var SDK_VERSION = "24.10.3";
+    var SDK_VERSION = "24.10.4";
     var SDK_NAME = "javascript_native_nodejs";
 
     var inited = false;
@@ -103,6 +103,7 @@ Countly.Bulk = Bulk;
  * @param {number} [conf.session_update=60] - how often in seconds should session be extended
  * @param {number} [conf.max_events=100] - maximum amount of events to send in one batch
  * @param {boolean} [conf.force_post=false] - force using post method for all requests
+ * @param {string} [conf.salt] - shared secret used to append checksum256 to outgoing requests
  * @param {boolean} [conf.clear_stored_device_id=false] - set it to true if you want to erase the stored device ID
  * @param {boolean} [conf.test_mode=false] - set it to true if you want to initiate test_mode
  * @param {string} [conf.storage_path] - where SDK would store data, including id, queues, etc
@@ -162,6 +163,7 @@ Countly.Bulk = Bulk;
             Countly.city = conf.city || Countly.city || null;
             Countly.ip_address = conf.ip_address || Countly.ip_address || null;
             Countly.force_post = conf.force_post || Countly.force_post || false;
+            Countly.salt = conf.salt || Countly.salt || null;
             Countly.require_consent = conf.require_consent || Countly.require_consent || false;
             Countly.remote_config = conf.remote_config || Countly.remote_config || false;
             Countly.http_options = conf.http_options || Countly.http_options || null;
@@ -215,6 +217,7 @@ Countly.Bulk = Bulk;
                     cc.log(cc.logLevelEnums.DEBUG, `init, IP address: [${Countly.ip_address}].`);
                 }
                 cc.log(cc.logLevelEnums.DEBUG, `init, Force POST requests: [${Countly.force_post}].`);
+                cc.log(cc.logLevelEnums.DEBUG, `init, Salt is configured: [${!!Countly.salt}].`);
                 cc.log(cc.logLevelEnums.DEBUG, `init, Storage path: [${CountlyStorage.getStoragePath()}].`);
                 cc.log(cc.logLevelEnums.DEBUG, `init, Require consent: [${Countly.require_consent}].`);
                 if (Countly.remote_config) {
@@ -353,6 +356,7 @@ Countly.Bulk = Bulk;
         Countly.city = undefined;
         Countly.ip_address = undefined;
         Countly.force_post = undefined;
+        Countly.salt = undefined;
         Countly.require_consent = undefined;
         Countly.http_options = undefined;
         CountlyStorage.resetStorage();
@@ -1670,17 +1674,36 @@ Countly.Bulk = Bulk;
 
                     var boundary = `FormBoundary${Math.random().toString(16).slice(2)}`;
                     var bodyParts = [];
+                    var uploadParams = {};
 
                     for (var p in params) {
-                        if (typeof params[p] !== "undefined" && p !== 'picturePath') {
-                            var value = params[p];
+                        if (Object.prototype.hasOwnProperty.call(params, p) && typeof params[p] !== "undefined" && p !== "picturePath") {
+                            uploadParams[p] = params[p];
+                        }
+                    }
+
+                    var uploadChecksum = null;
+                    if (Countly.salt) {
+                        uploadChecksum = cc.calculateChecksum(cc.serializeParams(uploadParams), Countly.salt, true);
+                    }
+
+                    for (var param in uploadParams) {
+                        if (Object.prototype.hasOwnProperty.call(uploadParams, param)) {
+                            var value = uploadParams[param];
                             bodyParts.push(Buffer.from(`--${boundary}\r\n`));
-                            bodyParts.push(Buffer.from(`Content-Disposition: form-data; name="${p}"\r\n\r\n`));
+                            bodyParts.push(Buffer.from(`Content-Disposition: form-data; name="${param}"\r\n\r\n`));
                             bodyParts.push(Buffer.from(String(value)));
                             bodyParts.push(Buffer.from('\r\n'));
                         }
                     }
 
+                    if (uploadChecksum) {
+                        bodyParts.push(Buffer.from(`--${boundary}\r\n`));
+                        bodyParts.push(Buffer.from('Content-Disposition: form-data; name="checksum256"\r\n\r\n'));
+                        bodyParts.push(Buffer.from(uploadChecksum));
+                        bodyParts.push(Buffer.from('\r\n'));
+                    }
+
                     bodyParts.push(Buffer.from(`--${boundary}\r\n`));
                     bodyParts.push(Buffer.from(`Content-Disposition: form-data; name="user_picture"; filename="${fileName}"\r\n`));
                     bodyParts.push(Buffer.from(`Content-Type: ${contentType}\r\n\r\n`));
@@ -1779,16 +1802,14 @@ Countly.Bulk = Bulk;
     }
 
     /**
-     *  Convert JSON object to query params
+     *  Convert JSON object to query params and append checksum when configured
      *  @param {Object} params - object with url params
+     *  @param {Boolean} decodeBeforeHash - if true request data is URL-decoded before hashing
      *  @returns {String} query string
      */
-    function prepareParams(params) {
-        var str = [];
-        for (var i in params) {
-            str.push(`${i}=${encodeURIComponent(params[i])}`);
-        }
-        return str.join("&");
+    function prepareParams(params, decodeBeforeHash) {
+        var data = cc.serializeParams(params);
+        return cc.addChecksum(data, Countly.salt, decodeBeforeHash, false);
     }
 
     /**