From 389baeef46d1bf7f8af1bbaf4fabf0d19918409e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kat=20March=C3=A1n?=
Date: Thu, 27 Apr 2017 02:00:35 -0700
Subject: [PATCH] feat(integrity): add integrity field to publish
---
 lib/publish.js | 10 ++++++++--
 package.json | 3 ++-
 test/publish.js | 19 +++++++++++++++++--
 3 files changed, 27 insertions(+), 5 deletions(-)
diff --git a/lib/publish.js b/lib/publish.js
index 9bf1c30..ecf593a 100644
--- a/lib/publish.js
+++ b/lib/publish.js
@@ -2,11 +2,11 @@ module.exports = publish
 var url = require('url')
 var semver = require('semver')
-var crypto = require('crypto')
 var Stream = require('stream').Stream
 var assert = require('assert')
 var fixer = require('normalize-package-data').fixer
 var concat = require('concat-stream')
+var ssri = require('ssri')
 function escaped (name) {
 return name.replace('/', '%2f')
@@ -84,10 +84,16 @@ function putFirst (registry, data, tarbuffer, access, auth, cb) {
 var tbName = data.name + '-' + data.version + '.tgz'
 var tbURI = data.name + '/-/' + tbName
+ var integrity = ssri.fromData(tarbuffer, {
+ algorithms: ['sha1', 'sha512']
+ })
 data._id = data.name + '@' + data.version
 data.dist = data.dist || {}
- data.dist.shasum = crypto.createHash('sha1').update(tarbuffer).digest('hex')
+ // Don't bother having sha1 in the actual integrity field
+ data.dist.integrity = integrity['sha512'][0].toString()
+ // Legacy shasum support
+ data.dist.shasum = integrity['sha1'][0].hexDigest()
 data.dist.tarball = url.resolve(registry, tbURI)
 .replace(/^https:\/\//, 'http://')
diff --git a/package.json b/package.json
index bac41e8..c5cfa56 100644
--- a/package.json
+++ b/package.json
@@ -23,7 +23,8 @@
 "request": "^2.74.0",
 "retry": "^0.10.0",
 "semver": "2 >=2.2.1 || 3.x || 4 || 5",
- "slide": "^1.1.3"
+ "slide": "^1.1.3",
+ "ssri": "^4.1.2"
 },
 "devDependencies": {
 "negotiator": "^0.6.1",
diff --git a/test/publish.js b/test/publish.js
index 07c8bb4..cb2a7a1 100644
--- a/test/publish.js
+++ b/test/publish.js
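Review bot: The comment above `data.dist.integrity` says sha1 is left out of the SRI string but not why, and the why is the security-relevant part of this hunk; I would spell it out so nobody later adds sha1 back for compatibility: `// Only sha512 goes into the SRI string: SRI consumers should pick the strongest listed algorithm, but nothing enforces that, so a listed sha1 entry could be accepted as a valid match. sha1 is kept solely for the legacy dist.shasum field.` The `integrity['sha512'][0]` and `integrity['sha1'][0]` lookups rely on ssri returning an entry for every algorithm requested in `algorithms`, which holds for `fromData` with an explicit list, but a one-line comment stating that assumption would keep the bare `[0]` indexing from looking unchecked. The tarball URL is still rewritten to `http://` on the context line just below, so `dist.integrity` is now the only thing protecting that download from in-transit tampering, and clients that only consult the sha1 `shasum` remain exposed — worth recording in the same comment. `putFirst` begins and ends outside this hunk.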
@@ -1,6 +1,9 @@
-var test = require('tap').test
+'use strict'
+
 var crypto = require('crypto')
+var test = require('tap').test
 var fs = require('fs')
+var ssri = require('ssri')
 var server = require('./lib/server.js')
 var common = require('./lib/common.js')
@@ -187,7 +190,19 @@ test('publish', function (t) {
 t.same(att.data, pd.toString('base64'))
 var hash = crypto.createHash('sha1').update(pd).digest('hex')
- t.equal(o.versions[METADATA.version].dist.shasum, hash)
+ var integrity = ssri.fromData(pd, {
+ algorithms: ['sha512']
+ })
+ t.equal(
+ o.versions[METADATA.version].dist.shasum,
+ hash,
+ 'shasum is the same as generated originally by crypto module'
+ )
+ t.equal(
+ o.versions[METADATA.version].dist.integrity,
+ integrity.toString(),
+ 'integrity field is a valid SRI string'
+ )
 res.statusCode = 201
 res.json({ created: true })
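Review bot: The new integrity assertion re-derives its expected value with the same `ssri.fromData` call that the code under test uses, so it only proves the library agrees with itself, and the message `'integrity field is a valid SRI string'` claims a format check that is never actually made. An independent oracle built from the `crypto` module already required in this file pins both the algorithm and the `sha512-<base64>` shape: `var expected = 'sha512-' + crypto.createHash('sha512').update(pd).digest('base64')` followed by `t.equal(o.versions[METADATA.version].dist.integrity, expected, 'integrity is the sha512 SRI string of the published tarball')`. With that change the `ssri` require added in the first hunk is no longer needed by this test. The enclosing `test('publish', ...)` callback starts and ends outside this hunk.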