
feat(car): pin relation hsm calls #3562


Open: wants to merge 19 commits into main

Conversation

koekiebox
Collaborator

Changes proposed in this pull request

Context

Checklist

  • Related issues linked using fixes #number
  • Tests added/updated
  • Make sure that all checks pass
  • Bruno collection updated (if necessary)
  • Documentation issue created with user-docs label (if necessary)
  • OpenAPI specs updated (if necessary)

@koekiebox koekiebox self-assigned this Jul 14, 2025

netlify bot commented Jul 14, 2025

Deploy Preview for brilliant-pasca-3e80ec canceled.

Latest commit: 95ce447
Latest deploy log: https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/6874cf8f6e9b250008e8fe95

@github-actions github-actions bot added the type: tests Testing related label Jul 14, 2025
@koekiebox koekiebox changed the title Jason/car 9 feat(car): pin relation hsm calls Jul 14, 2025
Comment on lines +331 to +366
  app.post('/hsm/verify-pin', async function handler(ffReq, ffReply) {
    const requestBody = JSON.parse(JSON.stringify(ffReq.body))
    const { pinBlock, pan, format, expectedPin, pinEncryptionKey } = requestBody

    try {
      // Validate input
      if (!pinBlock || !pan || !format || !expectedPin) {
        throw new Error('Missing required parameters')
      }

      if (format !== 'ISO-0' && format !== 'ISO-1') {
        throw new Error('Format must be ISO-0 or ISO-1')
      }

      // Verify the PIN
      const isValid = verifyPin(
        pinBlock,
        pan,
        format,
        expectedPin,
        pinEncryptionKey
      )

      logger.info(`PIN verification result: ${isValid ? 'Valid' : 'Invalid'}`)

      ffReply.code(200).send({
        isValid,
        format
      })
    } catch (error) {
      logger.error(`PIN verification error: ${error.message}`)
      ffReply.code(400).send({
        error: error.message
      })
    }
  })

Check failure

Code scanning / CodeQL: Missing rate limiting (High, test)

This route handler performs authorization, but is not rate-limited.

Copilot Autofix

AI 7 days ago

To fix the problem, we will introduce rate-limiting middleware using a well-known library such as fastify-rate-limit. This middleware will limit the number of requests that can be sent to the /hsm/verify-pin endpoint within a specified time window. The rate limiting will be applied directly to this endpoint to ensure it is protected without affecting the rest of the application.

Steps:

  1. Install the fastify-rate-limit package.
  2. Import the middleware into the file.
  3. Register the rate-limiting plugin in the Fastify instance.
  4. Configure rate limiting specifically for the /hsm/verify-pin route.

Suggested changeset 2
test/hsm-emulator/src/app.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/hsm-emulator/src/app.ts b/test/hsm-emulator/src/app.ts
--- a/test/hsm-emulator/src/app.ts
+++ b/test/hsm-emulator/src/app.ts
@@ -25,6 +25,10 @@
 
 export function createApp(port: number) {
   const app = fastify()
+  app.register(require('fastify-rate-limit'), {
+    max: 100, // maximum number of requests
+    timeWindow: '1 minute' // time window for rate limiting
+  })
 
   app.post(
     '/hsm/ase-customer/generate-zmk',
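Review bot: `require('fastify-rate-limit')` pulls the plugin in under its deprecated, unscoped name, whose 5.x line predates Fastify 5, while this emulator declares `fastify ^5.2.1`; the maintained package is `@fastify/rate-limit`, and a release whose Fastify peer range includes 5.x is what belongs here, imported with a static `import` like the rest of this TypeScript file rather than a bare `require`. Separately, `max: 100, timeWindow: '1 minute'` registered this way is a global limit that applies to every route in `createApp`, including the other HSM emulator endpoints; if only `/hsm/verify-pin` is meant to be throttled, pass `global: false` and rely on the route-level config, otherwise state in a comment that the 100/minute ceiling is intended for the whole emulator.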
@@ -328,7 +332,9 @@
   })
 
   // Add PIN verification endpoint
-  app.post('/hsm/verify-pin', async function handler(ffReq, ffReply) {
+  app.post('/hsm/verify-pin', {
+    config: { rateLimit: { max: 10, timeWindow: '1 minute' } } // limit to 10 requests per minute
+  }, async function handler(ffReq, ffReply) {
     const requestBody = JSON.parse(JSON.stringify(ffReq.body))
     const { pinBlock, pan, format, expectedPin, pinEncryptionKey } = requestBody
 
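Review bot: the route-level `config: { rateLimit: { max: 10, timeWindow: '1 minute' } }` counts requests per client IP by default, which is the wrong unit for PIN verification: the asset being protected is the PIN of one PAN, and a per-IP budget is shared by every caller behind a single NAT while saying nothing about how many attempts one card has absorbed. Consider a `keyGenerator` that keys on the PAN (hashed, never stored in clear) in addition to the client address, and a budget that counts failed verifications rather than all requests so legitimate callers are not throttled by their own traffic. Since `createApp` is not async and the plugin is registered without `await`, add a test that sends eleven requests to `/hsm/verify-pin` and asserts the last one receives 429, so the route-level config is confirmed to take effect rather than assumed.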
EOF
test/hsm-emulator/package.json
Outside changed files

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/test/hsm-emulator/package.json b/test/hsm-emulator/package.json
--- a/test/hsm-emulator/package.json
+++ b/test/hsm-emulator/package.json
@@ -14,7 +14,8 @@
   "license": "ISC",
   "dependencies": {
     "fastify": "^5.2.1",
-    "pino": "^9.6.0"
+    "pino": "^9.6.0",
+    "fastify-rate-limit": "^5.9.0"
   },
   "devDependencies": {
     "@types/node": "^20.0.0",
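Review bot: `"fastify-rate-limit": "^5.9.0"` pairs the deprecated package name with a version range that predates Fastify 5, yet the same block declares `"fastify": "^5.2.1"`; the dependency that matches the `app.register` change is `@fastify/rate-limit` at a major whose peer range lists Fastify 5. The existing entries are also alphabetical (`fastify`, then `pino`), so the new entry belongs between them rather than appended after `pino`.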
EOF
This fix introduces these dependencies:

Package: fastify-rate-limit (npm), version 5.9.0, security advisories: none