From f73c4a508556ee803a52c1b4c756876cfc3f6a99 Mon Sep 17 00:00:00 2001 From: uzlopak Date: Tue, 28 Nov 2023 23:44:50 +0100 Subject: [PATCH 1/4] fix: remove sha1 algorithm --- src/node/sign.ts | 21 ++----------- src/node/verify.ts | 23 +++++++------- src/types.ts | 8 ----- src/utils.ts | 13 ++++++-- src/web.ts | 33 +++++--------------- test/sign.test.ts | 40 ++++++------------------ test/verify.test.ts | 74 ++++++++++++++------------------------------- 7 files changed, 64 insertions(+), 148 deletions(-) diff --git a/src/node/sign.ts b/src/node/sign.ts index 03b46c14..c1460d4a 100644 --- a/src/node/sign.ts +++ b/src/node/sign.ts @@ -1,34 +1,17 @@ import { createHmac } from "crypto"; -import { Algorithm, type SignOptions } from "../types"; import { VERSION } from "../version"; export async function sign( - options: SignOptions | string, + secret: string | Buffer, payload: string, ): Promise { - const { secret, algorithm } = - typeof options === "object" - ? { - secret: options.secret, - algorithm: options.algorithm || Algorithm.SHA256, - } - : { secret: options, algorithm: Algorithm.SHA256 }; - if (!secret || !payload) { throw new TypeError( "[@octokit/webhooks-methods] secret & payload required for sign()", ); } - if (!Object.values(Algorithm).includes(algorithm as Algorithm)) { - throw new TypeError( - `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`, - ); - } - - return `${algorithm}=${createHmac(algorithm, secret) - .update(payload) - .digest("hex")}`; + return `sha256=${createHmac("sha256", secret).update(payload).digest("hex")}`; } sign.VERSION = VERSION; diff --git a/src/node/verify.ts b/src/node/verify.ts index 96e48b94..26773b61 100644 --- a/src/node/verify.ts +++ b/src/node/verify.ts 
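Review bot: The `!secret` guard in `src/node/sign.ts` no longer covers every value the new `string | Buffer` type admits: a zero-length Buffer is truthy, so `sign(Buffer.alloc(0), payload)` would compute an HMAC under an empty key instead of throwing. Consider `if (!secret || secret.length === 0 || !payload)` here; the same guard is used in `src/node/verify.ts`, and it applies to `payload` as well once patch 3/4 widens that to `string | Buffer`. Dropping the `SignOptions` overload also means a caller still passing `{ secret, algorithm }` gets past this guard and presumably fails inside `createHmac` with a less helpful error, so the removal reads as a breaking change rather than a `fix:`.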
@@ -1,12 +1,11 @@ -import { timingSafeEqual } from "crypto"; +import { createHmac, timingSafeEqual } from "crypto"; import { Buffer } from "buffer"; -import { sign } from "./sign"; import { VERSION } from "../version"; -import { getAlgorithm } from "../utils"; +import { isValidSignaturePrefix } from "../utils"; export async function verify( - secret: string, + secret: string | Buffer, eventPayload: string, signature: string, ): Promise { @@ -16,17 +15,19 @@ export async function verify( ); } - const signatureBuffer = Buffer.from(signature); - const algorithm = getAlgorithm(signature); - - const verificationBuffer = Buffer.from( - await sign({ secret, algorithm }, eventPayload), - ); + if (isValidSignaturePrefix(signature) === false) { + return false; + } + const signatureBuffer = Buffer.from(signature.slice(7), "hex"); - if (signatureBuffer.length !== verificationBuffer.length) { + if (signatureBuffer.length !== 32) { return false; } + const verificationBuffer = Buffer.from( + createHmac("sha256", secret).update(eventPayload).digest(), + ); + // constant time comparison to prevent timing attacks // https://stackoverflow.com/a/31096242/206879 // https://en.wikipedia.org/wiki/Timing_attack diff --git a/src/types.ts b/src/types.ts index ce72b465..e45c341f 100644 --- a/src/types.ts +++ b/src/types.ts @@ -1,11 +1,3 @@ -export enum Algorithm { - SHA1 = "sha1", - SHA256 = "sha256", -} - -export type AlgorithmLike = Algorithm | "sha1" | "sha256"; - export type SignOptions = { secret: string; - algorithm?: AlgorithmLike; }; diff --git a/src/utils.ts b/src/utils.ts index d1e6444d..b5e58b08 100644 --- a/src/utils.ts +++ b/src/utils.ts 
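Review bot: The `signatureBuffer.length !== 32` check in `verify()` does more than it appears to and deserves a comment. `Buffer.from(str, "hex")` does not throw on malformed input; it stops decoding at the first non-hex character, so this length test is what actually rejects a 71-character signature containing invalid hex. I would add `// "hex" decoding truncates at the first invalid character, so fewer than 32 bytes means a malformed digest` above it. Separately, `Buffer.from(createHmac(...).digest())` copies a value that is already a Buffer; the result of `digest()` can be compared directly (the `timingSafeEqual` call itself is outside this hunk).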
@@ -1,3 +1,12 @@ -export const getAlgorithm = (signature: string) => { - return signature.startsWith("sha256=") ? "sha256" : "sha1"; +export const isValidSignaturePrefix = (signature: string) => { + return ( + signature.length === 71 && + signature[0] === "s" && + signature[1] === "h" && + signature[2] === "a" && + signature[3] === "2" && + signature[4] === "5" && + signature[5] === "6" && + signature[6] === "=" + ); }; diff --git a/src/web.ts b/src/web.ts index ce15060b..5f4acd45 100644 --- a/src/web.ts +++ b/src/web.ts @@ -1,5 +1,4 @@ -import { Algorithm, type AlgorithmLike, type SignOptions } from "./types"; -import { getAlgorithm } from "./utils"; +import { type SignOptions } from "./types"; const enc = new TextEncoder(); @@ -21,16 +20,7 @@ function UInt8ArrayToHex(signature: ArrayBuffer) { .join(""); } -function getHMACHashName(algorithm: AlgorithmLike) { - return ( - { - [Algorithm.SHA1]: "SHA-1", - [Algorithm.SHA256]: "SHA-256", - } as { [key in Algorithm]: string } - )[algorithm]; -} - -async function importKey(secret: string, algorithm: AlgorithmLike) { +async function importKey(secret: string) { // ref: https://developer.mozilla.org/en-US/docs/Web/API/HmacImportParams return crypto.subtle.importKey( "raw", // raw format of the key - should be Uint8Array @@ -38,7 +28,7 @@ async function importKey(secret: string, algorithm: AlgorithmLike) { { // algorithm details name: "HMAC", - hash: { name: getHMACHashName(algorithm) }, + hash: { name: "SHA-256" }, }, false, // export = false ["sign", "verify"], // what this key can do @@ -50,9 +40,9 @@ export async function sign(options: SignOptions | string, payload: string) { typeof options === "object" ? { secret: options.secret, - algorithm: options.algorithm || Algorithm.SHA256, + algorithm: "sha256", } - : { secret: options, algorithm: Algorithm.SHA256 }; + : { secret: options, algorithm: "sha256" }; if (!secret || !payload) { throw new TypeError( 
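Review bot: `isValidSignaturePrefix` in `src/utils.ts` compares the prefix one character at a time and hard-codes `71` without saying where it comes from. `signature.length === 71 && signature.startsWith("sha256=")` expresses the same condition and keeps the intent visible; if the per-character form is a deliberate optimisation, a comment should say so. Either way the constant needs documenting, e.g. `// "sha256=" (7 chars) + 64 hex chars of a SHA-256 digest`. The name is also narrower than the behaviour, since the function validates total length as well as the prefix.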
@@ -60,15 +50,9 @@ export async function sign(options: SignOptions | string, payload: string) { ); } - if (!Object.values(Algorithm).includes(algorithm as Algorithm)) { - throw new TypeError( - `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`, - ); - } - const signature = await crypto.subtle.sign( "HMAC", - await importKey(secret, algorithm), + await importKey(secret), enc.encode(payload), ); @@ -86,11 +70,10 @@ export async function verify( ); } - const algorithm = getAlgorithm(signature); return await crypto.subtle.verify( "HMAC", - await importKey(secret, algorithm), - hexToUInt8Array(signature.replace(`${algorithm}=`, "")), + await importKey(secret), + hexToUInt8Array(signature.replace(`sha256=`, "")), enc.encode(eventPayload), ); } diff --git a/test/sign.test.ts b/test/sign.test.ts index 6c49ae37..dd3ef944 100644 --- a/test/sign.test.ts +++ b/test/sign.test.ts 
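Review bot: The web `verify()` in `src/web.ts` does not reject non-`sha256=` signatures up front the way the Node implementation now does. The `signature.replace(...)` call strips the first `sha256=` found anywhere in the string and leaves a `sha1=…` value untouched, so whatever `hexToUInt8Array` makes of that input is handed to `crypto.subtle.verify`; that helper's body is outside the hunk, so how it treats non-hex characters cannot be confirmed from here. Reusing the shared check keeps both builds consistent: `if (!isValidSignaturePrefix(signature)) return false;` followed by `hexToUInt8Array(signature.slice(7))`. The `./utils` import was removed from this file in the same commit and would need to be restored for that.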
@@ -35,46 +35,24 @@ describe("sign", () => { ); }); - test("sign({secret, algorithm}) throws with invalid algorithm", async () => { - await expect(() => - // @ts-expect-error - sign({ secret, algorithm: "sha2" }, eventPayload), - ).rejects.toThrow( - "[@octokit/webhooks] Algorithm sha2 is not supported. Must be 'sha1' or 'sha256'", - ); - }); - - describe("with eventPayload as string", () => { - describe("returns expected sha1 signature", () => { + describe("with secret as Buffer", () => { + describe("returns expected sha256 signature", () => { test("sign(secret, eventPayload)", async () => { - const signature = await sign(secret, JSON.stringify(eventPayload)); - expect(signature).toBe( - "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3", + const signature = await sign( + Buffer.from(secret), + JSON.stringify(eventPayload), ); - }); - - test("sign({secret}, eventPayload)", async () => { - const signature = await sign({ secret }, JSON.stringify(eventPayload)); expect(signature).toBe( "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3", ); }); - - test("sign({secret, algorithm: 'sha1'}, eventPayload)", async () => { - const signature = await sign( - { secret, algorithm: "sha1" }, - JSON.stringify(eventPayload), - ); - expect(signature).toBe("sha1=d03207e4b030cf234e3447bac4d93add4c6643d8"); - }); }); + }); + describe("with eventPayload as string", () => { describe("returns expected sha256 signature", () => { - test("sign({secret, algorithm: 'sha256'}, eventPayload)", async () => { - const signature = await sign( - { secret, algorithm: "sha256" }, - JSON.stringify(eventPayload), - ); + test("sign(secret, eventPayload)", async () => { + const signature = await sign(secret, JSON.stringify(eventPayload)); expect(signature).toBe( "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3", ); diff --git a/test/verify.test.ts b/test/verify.test.ts index 35de15bf..29c18ea0 100644 --- a/test/verify.test.ts 
+++ b/test/verify.test.ts @@ -10,8 +10,7 @@ function toNormalizedJsonString(payload: object) { const eventPayload = toNormalizedJsonString({ foo: "bar" }); const secret = "mysecret"; -const signatureSHA1 = "sha1=640c0ea7402a3f74e1767338fa2dba243b1f2d9c"; -const signatureSHA256 = +const signature = "sha256=e3eccac34c43c7dc1cbb905488b1b81347fcc700a7b025697a9d07862256023f"; describe("verify", () => { 
@@ -51,69 +50,40 @@ describe("verify", () => { ); }); - test("verify(secret, eventPayload, signatureSHA1) returns true for correct signature", async () => { - const signatureMatches = await verify(secret, eventPayload, signatureSHA1); + test("verify(secret, eventPayload, signature) returns true for correct signature", async () => { + const signatureMatches = await verify(secret, eventPayload, signature); expect(signatureMatches).toBe(true); }); - test("verify(secret, eventPayload, signatureSHA1) returns false for incorrect signature", async () => { - const signatureMatches = await verify(secret, eventPayload, "foo"); - expect(signatureMatches).toBe(false); - }); - - test("verify(secret, eventPayload, signatureSHA1) returns false for correct secret", async () => { - const signatureMatches = await verify("foo", eventPayload, signatureSHA1); - expect(signatureMatches).toBe(false); - }); - - test("verify(secret, eventPayload, signatureSHA1) returns true if eventPayload contains special characters (#71)", async () => { - // https://github.com/octokit/webhooks.js/issues/71 - const signatureMatchesLowerCaseSequence = await verify( - "development", - toNormalizedJsonString({ - foo: "Foo\n\u001b[34mbar: ♥♥♥♥♥♥♥♥\nthis-is-lost\u001b[0m\u001b[2K", - }), - "sha1=82a91c5aacc9cdc2eea893bc828bd03d218df79c", - ); - expect(signatureMatchesLowerCaseSequence).toBe(true); - const signatureMatchesUpperCaseSequence = await verify( - "development", - toNormalizedJsonString({ - foo: "Foo\n\u001B[34mbar: ♥♥♥♥♥♥♥♥\nthis-is-lost\u001B[0m\u001B[2K", - }), - "sha1=82a91c5aacc9cdc2eea893bc828bd03d218df79c", - ); - expect(signatureMatchesUpperCaseSequence).toBe(true); - const signatureMatchesEscapedSequence = await verify( - "development", - toNormalizedJsonString({ - foo: "\\u001b", - }), - "sha1=bdae4705bdd827d026bb227817ca025b5b3a6756", + test("verify(secret, eventPayload, signature) returns true for secret provided as Buffer", async () => { + const signatureMatches = await verify( + 
Buffer.from(secret), + eventPayload, + signature, ); - expect(signatureMatchesEscapedSequence).toBe(true); + expect(signatureMatches).toBe(true); }); - test("verify(secret, eventPayload, signatureSHA256) returns true for correct signature", async () => { + test("verify(secret, eventPayload, signature) returns false for incorrect signature", async () => { const signatureMatches = await verify( secret, eventPayload, - signatureSHA256, + "sha256=xxxccac34c43c7dc1cbb905488b1b81347fcc700a7b025697a9d07862256023f", ); - expect(signatureMatches).toBe(true); + expect(signatureMatches).toBe(false); }); - test("verify(secret, eventPayload, signatureSHA256) returns false for incorrect signature", async () => { + test("verify(secret, eventPayload, signature) returns false for incorrect signature", async () => { const signatureMatches = await verify(secret, eventPayload, "foo"); expect(signatureMatches).toBe(false); }); - test("verify(secret, eventPayload, signatureSHA256) returns false for incorrect secret", async () => { - const signatureMatches = await verify("foo", eventPayload, signatureSHA256); + test("verify(secret, eventPayload, signature) returns false for incorrect secret", async () => { + const signatureMatches = await verify("foo", eventPayload, signature); expect(signatureMatches).toBe(false); }); - test("verify(secret, eventPayload, signatureSHA256) returns true if eventPayload contains special characters (#71)", async () => { + test("verify(secret, eventPayload, signature) returns true if eventPayload contains special characters (#71)", async () => { // https://github.com/octokit/webhooks.js/issues/71 const signatureMatchesLowerCaseSequence = await verify( "development", 
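Review bot: Nothing in `test/verify.test.ts` pins the behaviour this commit exists for, namely that a well-formed `sha1=` signature is now rejected. Add a case such as `expect(await verify(secret, eventPayload, "sha1=640c0ea7402a3f74e1767338fa2dba243b1f2d9c")).toBe(false);`, reusing the value of the removed `signatureSHA1` constant. Two tests in this hunk also share the title "returns false for incorrect signature"; renaming the first to say it covers non-hex characters would make a failure unambiguous.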
@@ -147,31 +117,31 @@ describe("verifyWithFallback", () => { expect(verifyWithFallback).toBeInstanceOf(Function); }); - test("verifyWithFallback(secret, eventPayload, signatureSHA256, [bogus]) returns true", async () => { + test("verifyWithFallback(secret, eventPayload, signature, [bogus]) returns true", async () => { const signatureMatches = await verifyWithFallback( secret, eventPayload, - signatureSHA256, + signature, ["foo"], ); expect(signatureMatches).toBe(true); }); - test("verifyWithFallback(bogus, eventPayload, signatureSHA256, [secret]) returns true", async () => { + test("verifyWithFallback(bogus, eventPayload, signature, [secret]) returns true", async () => { const signatureMatches = await verifyWithFallback( "foo", eventPayload, - signatureSHA256, + signature, [secret], ); expect(signatureMatches).toBe(true); }); - test("verify(bogus, eventPayload, signatureSHA256, [bogus]) returns false", async () => { + test("verify(bogus, eventPayload, signature, [bogus]) returns false", async () => { const signatureMatches = await verifyWithFallback( "foo", eventPayload, - signatureSHA256, + signature, ["foo"], ); expect(signatureMatches).toBe(false); From 3253937eac8615c002b1ae842913eb8c66e6f3c5 Mon Sep 17 00:00:00 2001 From: uzlopak Date: Wed, 29 Nov 2023 14:44:04 +0100 Subject: [PATCH 2/4] add sync Functions for node --- src/index.ts | 21 +++++++++++++++------ src/node/sign.ts | 5 +++++ src/node/verify.ts | 15 ++++++++++++--- src/web.ts | 14 ++------------ test/sign.test.ts | 19 ++++++++++++++++++- test/verify.test.ts | 17 ++++++++++++++++- 6 files changed, 68 insertions(+), 23 deletions(-) diff --git a/src/index.ts b/src/index.ts index 6c81361b..e7fa659e 100644 --- a/src/index.ts +++ b/src/index.ts 
@@ -1,14 +1,23 @@ -export { sign } from "./node/sign"; -import { verify } from "./node/verify"; -export { verify }; +export { sign, signSync } from "./node/sign"; +import { verifySync } from "./node/verify"; +export { verify, verifySync } from "./node/verify"; export async function verifyWithFallback( secret: string, payload: string, signature: string, additionalSecrets: undefined | string[], -): Promise { - const firstPass = await verify(secret, payload, signature); +): Promise { + return verifyWithFallbackSync(secret, payload, signature, additionalSecrets); +} + +export function verifyWithFallbackSync( + secret: string, + payload: string, + signature: string, + additionalSecrets: undefined | string[], +): boolean { + const firstPass = verifySync(secret, payload, signature); if (firstPass) { return true; @@ -16,7 +25,7 @@ export async function verifyWithFallback( if (additionalSecrets !== undefined) { for (const s of additionalSecrets) { - const v: boolean = await verify(s, payload, signature); + const v: boolean = verifySync(s, payload, signature); if (v) { return v; } diff --git a/src/node/sign.ts b/src/node/sign.ts index c1460d4a..648cfd8c 100644 --- a/src/node/sign.ts +++ b/src/node/sign.ts @@ -5,6 +5,10 @@ export async function sign( secret: string | Buffer, payload: string, ): Promise { + return signSync(secret, payload); +} + +export function signSync(secret: string | Buffer, payload: string): string { if (!secret || !payload) { throw new TypeError( "[@octokit/webhooks-methods] secret & payload required for sign()", @@ -15,3 +19,4 @@ export async function sign( } sign.VERSION = VERSION; +signSync.VERSION = VERSION; diff --git a/src/node/verify.ts b/src/node/verify.ts index 26773b61..64054d33 100644 --- a/src/node/verify.ts +++ b/src/node/verify.ts 
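Review bot: `verifyWithFallbackSync` in `src/index.ts` declares `secret: string` and `additionalSecrets: undefined | string[]`, while the `verifySync` it delegates to accepts `string | Buffer`. A caller holding the secret as a Buffer can use `verifySync` but not the fallback variant; widening both the async and sync signatures to `secret: string | Buffer` and `additionalSecrets: undefined | (string | Buffer)[]` would close that gap. The new exported function also has no TSDoc; a short comment stating that secrets are tried in order and the first match returns `true` would document the contract.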
@@ -9,6 +9,14 @@ export async function verify( eventPayload: string, signature: string, ): Promise { + return verifySync(secret, eventPayload, signature); +} + +export function verifySync( + secret: string | Buffer, + eventPayload: string, + signature: string, +): boolean { if (!secret || !eventPayload || !signature) { throw new TypeError( "[@octokit/webhooks-methods] secret, eventPayload & signature required", @@ -24,9 +32,9 @@ export async function verify( return false; } - const verificationBuffer = Buffer.from( - createHmac("sha256", secret).update(eventPayload).digest(), - ); + const verificationBuffer = createHmac("sha256", secret) + .update(eventPayload) + .digest().buffer as Buffer; // constant time comparison to prevent timing attacks // https://stackoverflow.com/a/31096242/206879 @@ -35,3 +43,4 @@ export async function verify( } verify.VERSION = VERSION; +verifySync.VERSION = VERSION; diff --git a/src/web.ts b/src/web.ts index 5f4acd45..42923b5e 100644 --- a/src/web.ts +++ b/src/web.ts @@ -1,5 +1,3 @@ -import { type SignOptions } from "./types"; - const enc = new TextEncoder(); function hexToUInt8Array(string: string) { @@ -35,15 +33,7 @@ async function importKey(secret: string) { ); } -export async function sign(options: SignOptions | string, payload: string) { - const { secret, algorithm } = - typeof options === "object" - ? { - secret: options.secret, - algorithm: "sha256", - } - : { secret: options, algorithm: "sha256" }; - +export async function sign(secret: string, payload: string) { if (!secret || !payload) { throw new TypeError( "[@octokit/webhooks-methods] secret & payload required for sign()", @@ -56,7 +46,7 @@ export async function sign(options: SignOptions | string, payload: string) { enc.encode(payload), ); - return `${algorithm}=${UInt8ArrayToHex(signature)}`; + return `sha256=${UInt8ArrayToHex(signature)}`; } export async function verify( diff --git a/test/sign.test.ts b/test/sign.test.ts index dd3ef944..a40d12a7 100644 
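Review bot: `.digest().buffer as Buffer` in `verifySync` replaces a Buffer with its backing `ArrayBuffer` and then casts the type mismatch away. An `ArrayBuffer` is not a Buffer, and nothing visible here guarantees it holds exactly the 32 digest bytes: if the digest were ever a view into a larger allocation, the comparison would see the wrong length or the wrong bytes. `digest()` already returns a Buffer, so `const verificationBuffer = createHmac("sha256", secret).update(eventPayload).digest();` needs neither a cast nor a copy. The `timingSafeEqual` call that consumes the value is outside this hunk.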
--- a/test/sign.test.ts +++ b/test/sign.test.ts @@ -1,4 +1,4 @@ -import { sign } from "../src"; +import { sign, signSync } from "../src"; const eventPayload = { foo: "bar", @@ -60,3 +60,20 @@ describe("sign", () => { }); }); }); + +describe("signSync", () => { + it("is a function", () => { + expect(signSync).toBeInstanceOf(Function); + }); + + it("signSync.VERSION is set", () => { + expect(signSync.VERSION).toEqual("0.0.0-development"); + }); + + test("signSync(secret, eventPayload)", () => { + const signature = signSync(secret, JSON.stringify(eventPayload)); + expect(signature).toBe( + "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3", + ); + }); +}); diff --git a/test/verify.test.ts b/test/verify.test.ts index 29c18ea0..bdde24b2 100644 --- a/test/verify.test.ts +++ b/test/verify.test.ts @@ -1,4 +1,4 @@ -import { verify, verifyWithFallback } from "../src"; +import { verify, verifySync, verifyWithFallback } from "../src"; function toNormalizedJsonString(payload: object) { // GitHub sends its JSON with an indentation of 2 spaces and a line break at the end @@ -147,3 +147,18 @@ describe("verifyWithFallback", () => { expect(signatureMatches).toBe(false); }); }); + +describe("verifySync", () => { + it("is a function", () => { + expect(verifySync).toBeInstanceOf(Function); + }); + + it("verifySync.VERSION is set", () => { + expect(verifySync.VERSION).toEqual("0.0.0-development"); + }); + + test("verifySync(secret, eventPayload, signature) returns true for correct signature", () => { + const signatureMatches = verifySync(secret, eventPayload, signature); + expect(signatureMatches).toBe(true); + }); +}); From 0043059eb75dd14af24315d35e49ae0b089bd660 Mon Sep 17 00:00:00 2001 
From: uzlopak Date: Wed, 29 Nov 2023 20:34:58 +0100 Subject: [PATCH 3/4] add Buffer passthrough typings --- src/node/sign.ts | 7 +++++-- src/node/verify.ts | 4 ++-- test/sign.test.ts | 28 ++++++++++++++++++++++++++++ test/verify.test.ts | 18 ++++++++++++++++++ 4 files changed, 53 insertions(+), 4 deletions(-) diff --git a/src/node/sign.ts b/src/node/sign.ts index e27556e3..dd5fa11e 100644 --- a/src/node/sign.ts +++ b/src/node/sign.ts @@ -3,12 +3,15 @@ import { VERSION } from "../version.js"; export async function sign( secret: string | Buffer, - payload: string, + payload: string | Buffer, ): Promise { return signSync(secret, payload); } -export function signSync(secret: string | Buffer, payload: string): string { +export function signSync( + secret: string | Buffer, + payload: string | Buffer, +): string { if (!secret || !payload) { throw new TypeError( "[@octokit/webhooks-methods] secret & payload required for sign()", diff --git a/src/node/verify.ts b/src/node/verify.ts index ea64d2c2..37d8cf4f 100644 --- a/src/node/verify.ts +++ b/src/node/verify.ts @@ -6,7 +6,7 @@ import { isValidSignaturePrefix } from "../utils.js"; export async function verify( secret: string | Buffer, - eventPayload: string, + eventPayload: string | Buffer, signature: string, ): Promise { return verifySync(secret, eventPayload, signature); @@ -14,7 +14,7 @@ export async function verify( export function verifySync( secret: string | Buffer, - eventPayload: string, + eventPayload: string | Buffer, signature: string, ): boolean { if (!secret || !eventPayload || !signature) { diff --git a/test/sign.test.ts b/test/sign.test.ts index 1fa34d50..c0804b40 100644 --- a/test/sign.test.ts +++ b/test/sign.test.ts 
@@ -59,6 +59,34 @@ describe("sign", () => { }); }); }); + + describe("with eventPayload as Buffer", () => { + describe("returns expected sha256 signature", () => { + test("sign(secret, eventPayload)", async () => { + const signature = await sign( + secret, + Buffer.from(JSON.stringify(eventPayload)), + ); + expect(signature).toBe( + "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3", + ); + }); + }); + }); + + describe("with eventPayload and secret as Buffer", () => { + describe("returns expected sha256 signature", () => { + test("sign(secret, eventPayload)", async () => { + const signature = await sign( + Buffer.from(secret), + Buffer.from(JSON.stringify(eventPayload)), + ); + expect(signature).toBe( + "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3", + ); + }); + }); + }); }); describe("signSync", () => { diff --git a/test/verify.test.ts b/test/verify.test.ts index 0daaa340..df2bab42 100644 --- a/test/verify.test.ts +++ b/test/verify.test.ts @@ -64,6 +64,24 @@ describe("verify", () => { expect(signatureMatches).toBe(true); }); + test("verify(secret, eventPayload, signature) returns true for payload provided as Buffer", async () => { + const signatureMatches = await verify( + secret, + Buffer.from(eventPayload), + signature, + ); + expect(signatureMatches).toBe(true); + }); + + test("verify(secret, eventPayload, signature) returns true for payload and secret provided as Buffer", async () => { + const signatureMatches = await verify( + Buffer.from(secret), + Buffer.from(eventPayload), + signature, + ); + expect(signatureMatches).toBe(true); + }); + test("verify(secret, eventPayload, signature) returns false for incorrect signature", async () => { const signatureMatches = await verify( secret, From ba00c675f76951101954af1b3fc087ee2d653d49 Mon Sep 17 00:00:00 2001 
From: Aras Abbasi Date: Sun, 3 Dec 2023 20:08:02 +0100 Subject: [PATCH 4/4] update readme --- README.md | 21 --------------------- 1 file changed, 21 deletions(-) diff --git a/README.md b/README.md index 641c6020..0f5f8bd1 100644 --- a/README.md +++ b/README.md @@ -71,9 +71,6 @@ const { await sign("mysecret", eventPayloadString); // resolves with a string like "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3" -await sign({ secret: "mysecret", algorithm: "sha1" }, eventPayloadString); -// resolves with a string like "sha1=d03207e4b030cf234e3447bac4d93add4c6643d8" - await verify("mysecret", eventPayloadString, "sha256=486d27..."); // resolves with true or false @@ -87,7 +84,6 @@ await verifyWithFallback("mysecret", eventPayloadString, "sha256=486d27...", ["o ```js await sign(secret, eventPayloadString); -await sign({ secret, algorithm }, eventPayloadString); ``` @@ -103,23 +99,6 @@ await sign({ secret, algorithm }, eventPayloadString); Secret as configured in GitHub Settings. - - - -
- - algorithm - - - (String) - - - -Algorithm to calculate signature. Can be set to `sha1` or `sha256`. `sha1` is supported for legacy reasons. GitHub Enterprise Server 2.22 and older do not send the `X-Hub-Signature-256` header. Defaults to `sha256`. - -Learn more at [Validating payloads from GitHub](https://docs.github.com/en/developers/webhooks-and-events/securing-your-webhooks#validating-payloads-from-github) - -