🚀 Big News: Socket Acquires Coana to Bring Reachability Analysis to Every Appsec Team.Learn more
Socket
Book a DemoInstallSign in
Socket
Book a DemoInstallSign in

@octokit/webhooks-methods

Package Overview
Dependencies
Maintainers
4
Versions
18
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

@octokit/webhooks-methods - npm Package Compare versions

Comparing version

3.0.2
to
3.0.3

118

dist-node/index.js

@@ -1,63 +0,111 @@

'use strict';
"use strict";
var __defProp = Object.defineProperty;
var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
var __getOwnPropNames = Object.getOwnPropertyNames;
var __hasOwnProp = Object.prototype.hasOwnProperty;
var __export = (target, all) => {
for (var name in all)
__defProp(target, name, { get: all[name], enumerable: true });
};
var __copyProps = (to, from, except, desc) => {
if (from && typeof from === "object" || typeof from === "function") {
for (let key of __getOwnPropNames(from))
if (!__hasOwnProp.call(to, key) && key !== except)
__defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
}
return to;
};
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
Object.defineProperty(exports, '__esModule', { value: true });
// pkg/dist-src/index.js
var dist_src_exports = {};
__export(dist_src_exports, {
sign: () => sign,
verify: () => verify,
verifyWithFallback: () => verifyWithFallback
});
module.exports = __toCommonJS(dist_src_exports);
var crypto = require('crypto');
var buffer = require('buffer');
// pkg/dist-src/node/sign.js
var import_crypto = require("crypto");
var Algorithm;
(function (Algorithm) {
Algorithm["SHA1"] = "sha1";
Algorithm["SHA256"] = "sha256";
})(Algorithm || (Algorithm = {}));
// pkg/dist-src/types.js
var Algorithm = /* @__PURE__ */ ((Algorithm2) => {
Algorithm2["SHA1"] = "sha1";
Algorithm2["SHA256"] = "sha256";
return Algorithm2;
})(Algorithm || {});
const VERSION = "3.0.2";
// pkg/dist-src/version.js
var VERSION = "3.0.3";
// pkg/dist-src/node/sign.js
async function sign(options, payload) {
const {
secret,
algorithm
} = typeof options === "object" ? {
const { secret, algorithm } = typeof options === "object" ? {
secret: options.secret,
algorithm: options.algorithm || Algorithm.SHA256
} : {
secret: options,
algorithm: Algorithm.SHA256
};
} : { secret: options, algorithm: Algorithm.SHA256 };
if (!secret || !payload) {
throw new TypeError("[@octokit/webhooks-methods] secret & payload required for sign()");
throw new TypeError(
"[@octokit/webhooks-methods] secret & payload required for sign()"
);
}
if (!Object.values(Algorithm).includes(algorithm)) {
throw new TypeError(`[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`);
throw new TypeError(
`[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`
);
}
return `${algorithm}=${crypto.createHmac(algorithm, secret).update(payload).digest("hex")}`;
return `${algorithm}=${(0, import_crypto.createHmac)(algorithm, secret).update(payload).digest("hex")}`;
}
sign.VERSION = VERSION;
const getAlgorithm = signature => {
// pkg/dist-src/node/verify.js
var import_crypto2 = require("crypto");
var import_buffer = require("buffer");
// pkg/dist-src/utils.js
var getAlgorithm = (signature) => {
return signature.startsWith("sha256=") ? "sha256" : "sha1";
};
// pkg/dist-src/node/verify.js
async function verify(secret, eventPayload, signature) {
if (!secret || !eventPayload || !signature) {
throw new TypeError("[@octokit/webhooks-methods] secret, eventPayload & signature required");
throw new TypeError(
"[@octokit/webhooks-methods] secret, eventPayload & signature required"
);
}
const signatureBuffer = buffer.Buffer.from(signature);
const signatureBuffer = import_buffer.Buffer.from(signature);
const algorithm = getAlgorithm(signature);
const verificationBuffer = buffer.Buffer.from(await sign({
secret,
algorithm
}, eventPayload));
const verificationBuffer = import_buffer.Buffer.from(
await sign({ secret, algorithm }, eventPayload)
);
if (signatureBuffer.length !== verificationBuffer.length) {
return false;
}
// constant time comparison to prevent timing attachs
// https://stackoverflow.com/a/31096242/206879
// https://en.wikipedia.org/wiki/Timing_attack
return crypto.timingSafeEqual(signatureBuffer, verificationBuffer);
return (0, import_crypto2.timingSafeEqual)(signatureBuffer, verificationBuffer);
}
verify.VERSION = VERSION;
exports.sign = sign;
exports.verify = verify;
//# sourceMappingURL=index.js.map
// pkg/dist-src/index.js
async function verifyWithFallback(secret, payload, signature, additionalSecrets) {
const firstPass = await verify(secret, payload, signature);
if (firstPass) {
return true;
}
if (additionalSecrets !== void 0) {
for (const s of additionalSecrets) {
const v = await verify(s, payload, signature);
if (v) {
return v;
}
}
}
return false;
}
// Annotate the CommonJS export names for ESM import in node:
0 && (module.exports = {
sign,
verify,
verifyWithFallback
});

24

dist-src/index.js

@@ -1,2 +0,22 @@

export { sign } from "./node/sign";
export { verify } from "./node/verify";
import { sign } from "./node/sign";
import { verify } from "./node/verify";
async function verifyWithFallback(secret, payload, signature, additionalSecrets) {
const firstPass = await verify(secret, payload, signature);
if (firstPass) {
return true;
}
if (additionalSecrets !== void 0) {
for (const s of additionalSecrets) {
const v = await verify(s, payload, signature);
if (v) {
return v;
}
}
}
return false;
}
export {
sign,
verify,
verifyWithFallback
};

35

dist-src/node/sign.js
import { createHmac } from "crypto";
import { Algorithm } from "../types";
import { VERSION } from "../version";
export async function sign(options, payload) {
const { secret, algorithm } = typeof options === "object"
? {
secret: options.secret,
algorithm: options.algorithm || Algorithm.SHA256,
}
: { secret: options, algorithm: Algorithm.SHA256 };
if (!secret || !payload) {
throw new TypeError("[@octokit/webhooks-methods] secret & payload required for sign()");
}
if (!Object.values(Algorithm).includes(algorithm)) {
throw new TypeError(`[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`);
}
return `${algorithm}=${createHmac(algorithm, secret)
.update(payload)
.digest("hex")}`;
async function sign(options, payload) {
const { secret, algorithm } = typeof options === "object" ? {
secret: options.secret,
algorithm: options.algorithm || Algorithm.SHA256
} : { secret: options, algorithm: Algorithm.SHA256 };
if (!secret || !payload) {
throw new TypeError(
"[@octokit/webhooks-methods] secret & payload required for sign()"
);
}
if (!Object.values(Algorithm).includes(algorithm)) {
throw new TypeError(
`[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`
);
}
return `${algorithm}=${createHmac(algorithm, secret).update(payload).digest("hex")}`;
}
sign.VERSION = VERSION;
export {
sign
};

32

dist-src/node/verify.js

@@ -6,17 +6,21 @@ import { timingSafeEqual } from "crypto";

import { getAlgorithm } from "../utils";
export async function verify(secret, eventPayload, signature) {
if (!secret || !eventPayload || !signature) {
throw new TypeError("[@octokit/webhooks-methods] secret, eventPayload & signature required");
}
const signatureBuffer = Buffer.from(signature);
const algorithm = getAlgorithm(signature);
const verificationBuffer = Buffer.from(await sign({ secret, algorithm }, eventPayload));
if (signatureBuffer.length !== verificationBuffer.length) {
return false;
}
// constant time comparison to prevent timing attachs
// https://stackoverflow.com/a/31096242/206879
// https://en.wikipedia.org/wiki/Timing_attack
return timingSafeEqual(signatureBuffer, verificationBuffer);
async function verify(secret, eventPayload, signature) {
if (!secret || !eventPayload || !signature) {
throw new TypeError(
"[@octokit/webhooks-methods] secret, eventPayload & signature required"
);
}
const signatureBuffer = Buffer.from(signature);
const algorithm = getAlgorithm(signature);
const verificationBuffer = Buffer.from(
await sign({ secret, algorithm }, eventPayload)
);
if (signatureBuffer.length !== verificationBuffer.length) {
return false;
}
return timingSafeEqual(signatureBuffer, verificationBuffer);
}
verify.VERSION = VERSION;
export {
verify
};

13

dist-src/types.js

@@ -1,5 +0,8 @@

export var Algorithm;
(function (Algorithm) {
Algorithm["SHA1"] = "sha1";
Algorithm["SHA256"] = "sha256";
})(Algorithm || (Algorithm = {}));
var Algorithm = /* @__PURE__ */ ((Algorithm2) => {
Algorithm2["SHA1"] = "sha1";
Algorithm2["SHA256"] = "sha256";
return Algorithm2;
})(Algorithm || {});
export {
Algorithm
};

7

dist-src/utils.js

@@ -1,3 +0,6 @@

export const getAlgorithm = (signature) => {
return signature.startsWith("sha256=") ? "sha256" : "sha1";
const getAlgorithm = (signature) => {
return signature.startsWith("sha256=") ? "sha256" : "sha1";
};
export {
getAlgorithm
};

5

dist-src/version.js

@@ -1,1 +0,4 @@

export const VERSION = "3.0.2";
const VERSION = "3.0.3";
export {
VERSION
};

106

dist-src/web.js

@@ -5,54 +5,72 @@ import { Algorithm } from "./types";

function hexToUInt8Array(string) {
// convert string to pairs of 2 characters
const pairs = string.match(/[\dA-F]{2}/gi);
// convert the octets to integers
const integers = pairs.map(function (s) {
return parseInt(s, 16);
});
return new Uint8Array(integers);
const pairs = string.match(/[\dA-F]{2}/gi);
const integers = pairs.map(function(s) {
return parseInt(s, 16);
});
return new Uint8Array(integers);
}
function UInt8ArrayToHex(signature) {
return Array.prototype.map
.call(new Uint8Array(signature), (x) => x.toString(16).padStart(2, "0"))
.join("");
return Array.prototype.map.call(new Uint8Array(signature), (x) => x.toString(16).padStart(2, "0")).join("");
}
function getHMACHashName(algorithm) {
return {
[Algorithm.SHA1]: "SHA-1",
[Algorithm.SHA256]: "SHA-256",
}[algorithm];
return {
[Algorithm.SHA1]: "SHA-1",
[Algorithm.SHA256]: "SHA-256"
}[algorithm];
}
async function importKey(secret, algorithm) {
// ref: https://developer.mozilla.org/en-US/docs/Web/API/HmacImportParams
return crypto.subtle.importKey("raw", // raw format of the key - should be Uint8Array
enc.encode(secret), {
// algorithm details
name: "HMAC",
hash: { name: getHMACHashName(algorithm) },
}, false, // export = false
["sign", "verify"] // what this key can do
return crypto.subtle.importKey(
"raw",
// raw format of the key - should be Uint8Array
enc.encode(secret),
{
// algorithm details
name: "HMAC",
hash: { name: getHMACHashName(algorithm) }
},
false,
// export = false
["sign", "verify"]
// what this key can do
);
}
async function sign(options, payload) {
const { secret, algorithm } = typeof options === "object" ? {
secret: options.secret,
algorithm: options.algorithm || Algorithm.SHA256
} : { secret: options, algorithm: Algorithm.SHA256 };
if (!secret || !payload) {
throw new TypeError(
"[@octokit/webhooks-methods] secret & payload required for sign()"
);
}
if (!Object.values(Algorithm).includes(algorithm)) {
throw new TypeError(
`[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`
);
}
const signature = await crypto.subtle.sign(
"HMAC",
await importKey(secret, algorithm),
enc.encode(payload)
);
return `${algorithm}=${UInt8ArrayToHex(signature)}`;
}
export async function sign(options, payload) {
const { secret, algorithm } = typeof options === "object"
? {
secret: options.secret,
algorithm: options.algorithm || Algorithm.SHA256,
}
: { secret: options, algorithm: Algorithm.SHA256 };
if (!secret || !payload) {
throw new TypeError("[@octokit/webhooks-methods] secret & payload required for sign()");
}
if (!Object.values(Algorithm).includes(algorithm)) {
throw new TypeError(`[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`);
}
const signature = await crypto.subtle.sign("HMAC", await importKey(secret, algorithm), enc.encode(payload));
return `${algorithm}=${UInt8ArrayToHex(signature)}`;
async function verify(secret, eventPayload, signature) {
if (!secret || !eventPayload || !signature) {
throw new TypeError(
"[@octokit/webhooks-methods] secret, eventPayload & signature required"
);
}
const algorithm = getAlgorithm(signature);
return await crypto.subtle.verify(
"HMAC",
await importKey(secret, algorithm),
hexToUInt8Array(signature.replace(`${algorithm}=`, "")),
enc.encode(eventPayload)
);
}
export async function verify(secret, eventPayload, signature) {
if (!secret || !eventPayload || !signature) {
throw new TypeError("[@octokit/webhooks-methods] secret, eventPayload & signature required");
}
const algorithm = getAlgorithm(signature);
return await crypto.subtle.verify("HMAC", await importKey(secret, algorithm), hexToUInt8Array(signature.replace(`${algorithm}=`, "")), enc.encode(eventPayload));
}
export {
sign,
verify
};

4

dist-types/index.d.ts
export { sign } from "./node/sign";
export { verify } from "./node/verify";
import { verify } from "./node/verify";
export { verify };
export declare function verifyWithFallback(secret: string, payload: string, signature: string, additionalSecrets: undefined | string[]): Promise<any>;

2

dist-types/node/sign.d.ts

@@ -1,2 +0,2 @@

import { SignOptions } from "../types";
import { type SignOptions } from "../types";
export declare function sign(options: SignOptions | string, payload: string): Promise<string>;

@@ -3,0 +3,0 @@ export declare namespace sign {

2

dist-types/version.d.ts

@@ -1,1 +0,1 @@

export declare const VERSION = "3.0.2";
export declare const VERSION = "3.0.3";

2

dist-types/web.d.ts

@@ -1,3 +0,3 @@

import { SignOptions } from "./types";
import { type SignOptions } from "./types";
export declare function sign(options: SignOptions | string, payload: string): Promise<string>;
export declare function verify(secret: string, eventPayload: string, signature: string): Promise<boolean>;

124

dist-web/index.js

@@ -1,68 +0,86 @@

var Algorithm;
(function (Algorithm) {
Algorithm["SHA1"] = "sha1";
Algorithm["SHA256"] = "sha256";
})(Algorithm || (Algorithm = {}));
// pkg/dist-src/types.js
var Algorithm = /* @__PURE__ */ ((Algorithm2) => {
Algorithm2["SHA1"] = "sha1";
Algorithm2["SHA256"] = "sha256";
return Algorithm2;
})(Algorithm || {});
const getAlgorithm = (signature) => {
return signature.startsWith("sha256=") ? "sha256" : "sha1";
// pkg/dist-src/utils.js
var getAlgorithm = (signature) => {
return signature.startsWith("sha256=") ? "sha256" : "sha1";
};
const enc = new TextEncoder();
// pkg/dist-src/web.js
var enc = new TextEncoder();
function hexToUInt8Array(string) {
// convert string to pairs of 2 characters
const pairs = string.match(/[\dA-F]{2}/gi);
// convert the octets to integers
const integers = pairs.map(function (s) {
return parseInt(s, 16);
});
return new Uint8Array(integers);
const pairs = string.match(/[\dA-F]{2}/gi);
const integers = pairs.map(function(s) {
return parseInt(s, 16);
});
return new Uint8Array(integers);
}
function UInt8ArrayToHex(signature) {
return Array.prototype.map
.call(new Uint8Array(signature), (x) => x.toString(16).padStart(2, "0"))
.join("");
return Array.prototype.map.call(new Uint8Array(signature), (x) => x.toString(16).padStart(2, "0")).join("");
}
function getHMACHashName(algorithm) {
return {
[Algorithm.SHA1]: "SHA-1",
[Algorithm.SHA256]: "SHA-256",
}[algorithm];
return {
[Algorithm.SHA1]: "SHA-1",
[Algorithm.SHA256]: "SHA-256"
}[algorithm];
}
async function importKey(secret, algorithm) {
// ref: https://developer.mozilla.org/en-US/docs/Web/API/HmacImportParams
return crypto.subtle.importKey("raw", // raw format of the key - should be Uint8Array
enc.encode(secret), {
// algorithm details
name: "HMAC",
hash: { name: getHMACHashName(algorithm) },
}, false, // export = false
["sign", "verify"] // what this key can do
);
return crypto.subtle.importKey(
"raw",
// raw format of the key - should be Uint8Array
enc.encode(secret),
{
// algorithm details
name: "HMAC",
hash: { name: getHMACHashName(algorithm) }
},
false,
// export = false
["sign", "verify"]
// what this key can do
);
}
async function sign(options, payload) {
const { secret, algorithm } = typeof options === "object"
? {
secret: options.secret,
algorithm: options.algorithm || Algorithm.SHA256,
}
: { secret: options, algorithm: Algorithm.SHA256 };
if (!secret || !payload) {
throw new TypeError("[@octokit/webhooks-methods] secret & payload required for sign()");
}
if (!Object.values(Algorithm).includes(algorithm)) {
throw new TypeError(`[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`);
}
const signature = await crypto.subtle.sign("HMAC", await importKey(secret, algorithm), enc.encode(payload));
return `${algorithm}=${UInt8ArrayToHex(signature)}`;
const { secret, algorithm } = typeof options === "object" ? {
secret: options.secret,
algorithm: options.algorithm || Algorithm.SHA256
} : { secret: options, algorithm: Algorithm.SHA256 };
if (!secret || !payload) {
throw new TypeError(
"[@octokit/webhooks-methods] secret & payload required for sign()"
);
}
if (!Object.values(Algorithm).includes(algorithm)) {
throw new TypeError(
`[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`
);
}
const signature = await crypto.subtle.sign(
"HMAC",
await importKey(secret, algorithm),
enc.encode(payload)
);
return `${algorithm}=${UInt8ArrayToHex(signature)}`;
}
async function verify(secret, eventPayload, signature) {
if (!secret || !eventPayload || !signature) {
throw new TypeError("[@octokit/webhooks-methods] secret, eventPayload & signature required");
}
const algorithm = getAlgorithm(signature);
return await crypto.subtle.verify("HMAC", await importKey(secret, algorithm), hexToUInt8Array(signature.replace(`${algorithm}=`, "")), enc.encode(eventPayload));
if (!secret || !eventPayload || !signature) {
throw new TypeError(
"[@octokit/webhooks-methods] secret, eventPayload & signature required"
);
}
const algorithm = getAlgorithm(signature);
return await crypto.subtle.verify(
"HMAC",
await importKey(secret, algorithm),
hexToUInt8Array(signature.replace(`${algorithm}=`, "")),
enc.encode(eventPayload)
);
}
export { sign, verify };
//# sourceMappingURL=index.js.map
export {
sign,
verify
};

59

package.json
{
"name": "@octokit/webhooks-methods",
"publishConfig": {
"access": "public"
},
"version": "3.0.3",
"description": "Methods to handle GitHub Webhook requests",
"version": "3.0.2",
"license": "MIT",
"files": [
"dist-*/",
"bin/"
],
"pika": true,
"sideEffects": false,
"repository": "github:octokit/webhooks-methods.js",
"keywords": [

@@ -18,31 +15,45 @@ "github",

],
"repository": "github:octokit/webhooks-methods.js",
"dependencies": {},
"peerDependencies": {},
"author": "Gregor Martynus (https://dev.to/gr2m)",
"license": "MIT",
"devDependencies": {
"@gr2m/pika-plugin-build-web": "^0.6.0-issue-84.2",
"@octokit/tsconfig": "^1.0.2",
"@pika/pack": "^0.5.0",
"@pika/plugin-build-node": "^0.9.2",
"@pika/plugin-ts-standard-pkg": "^0.9.2",
"@types/jest": "^29.0.0",
"@types/node": "^18.0.0",
"esbuild": "^0.17.19",
"glob": "^10.2.6",
"jest": "^29.0.0",
"prettier": "2.8.2",
"puppeteer": "^19.0.0",
"semantic-release": "^20.0.0",
"prettier": "2.8.8",
"puppeteer": "^20.0.0",
"semantic-release": "^21.0.0",
"semantic-release-plugin-update-version-in-files": "^1.1.0",
"ts-jest": "^29.0.0",
"typescript": "^4.2.4"
"typescript": "^5.0.0"
},
"jest": {
"preset": "ts-jest",
"coverageThreshold": {
"global": {
"statements": 100,
"branches": 100,
"functions": 100,
"lines": 100
}
},
"testPathIgnorePatterns": [
"<rootDir>/node_modules/",
"<rootDir>/test/deno/"
]
},
"engines": {
"node": ">= 14"
},
"publishConfig": {
"access": "public"
},
"source": "dist-src/index.js",
"files": [
"dist-*/**"
],
"main": "dist-node/index.js",
"browser": "dist-web/index.js",
"types": "dist-types/index.d.ts",
"main": "dist-node/index.js",
"module": "dist-web/index.js"
"module": "dist-src/index.js",
"sideEffects": false
}

83

README.md

@@ -17,2 +17,3 @@ # webhooks-methods.js

- [`verify()`](#verify)
- [`verifyWithFallback()`](#verifyWithFallback)
- [Contributing](#contributing)

@@ -44,2 +45,3 @@ - [License](#license)

verify,
verifyWithFallback,
} from "https://cdn.skypack.dev/@octokit/webhooks-methods";

@@ -59,3 +61,7 @@ </script>

```js
const { sign, verify } = require("@octokit/webhooks-methods");
const {
sign,
verify,
verifyWithFallback,
} = require("@octokit/webhooks-methods");
```

@@ -76,2 +82,5 @@

// resolves with true or false
await verifyWithFallback("mysecret", eventPayloadString, "sha256=486d27...", ["oldsecret", ...]);
// resolves with true or false
```

@@ -191,2 +200,74 @@

### `verifyWithFallback()`
```js
await verifyWithFallback(
secret,
eventPayloadString,
signature,
additionalSecrets
);
```
<table width="100%">
<tr>
<td>
<code>
secret
</code>
<em>(String)</em>
</td>
<td>
<strong>Required.</strong>
Secret as configured in GitHub Settings.
</td>
</tr>
<tr>
<td>
<code>
eventPayloadString
</code>
<em>
(String)
</em>
</td>
<td>
<strong>Required.</strong>
Webhook request payload as received from GitHub.<br>
<br>
If you have only access to an already parsed object, stringify it with <code>JSON.stringify(payload)</code>
</td>
</tr>
<tr>
<td>
<code>
signature
</code>
<em>
(String)
</em>
</td>
<td>
<strong>Required.</strong>
Signature string as calculated by <code><a href="../sign">sign()</a></code>.
</td>
</tr>
<tr>
<td>
<code>
additionalSecrets
</code>
<em>
(Array of String)
</em>
</td>
<td>
If given, each additional secret will be tried in turn.
</td>
</tr>
</table>
This is a thin wrapper around [`verify()`](#verify) that is intended to ease callers' support for key rotation.
Resolves with `true` or `false`. Throws error if a required argument is missing.
## Contributing

@@ -193,0 +274,0 @@ 

dist-node/index.js.map

Sorry, the diff of this file is not supported yet

dist-web/index.js.map

Sorry, the diff of this file is not supported yet