@octokit/webhooks
Comparing version 1.0.0 to 2.0.0
module.exports = createEventHandler | ||
const on = require('./on') | ||
const receive = require('./receive') | ||
const removeListener = require('./remove-listener') | ||
const receive = require('./receive') | ||
const sign = require('../sign') | ||
const verify = require('../verify') | ||
@@ -18,2 +20,4 @@ function createEventHandler (options) { | ||
return { | ||
sign: sign.bind(null, state.secret), | ||
verify: verify.bind(null, state.secret), | ||
on: on.bind(null, state), | ||
@@ -20,0 +24,0 @@ removeListener: removeListener.bind(null, state), |
@@ -5,2 +5,4 @@ # event-handler | ||
🚨 Make sure to _always_ verify that the event request is coming from GitHub itself using the `eventHandler.verify(data, signature)` method. | ||
## Example | ||
@@ -14,6 +16,9 @@ | ||
// put this inside your webhooks route handler | ||
if (!eventHandler.verify(options.data, request.headers['x-github-signature'])) { | ||
throw new Error('Signature does not match event payload & secret') | ||
} | ||
eventHandler.reiceive({ | ||
name: request.headers['X-GitHub-Event'], | ||
data: request.body, | ||
signature: request.headers['X-Hub-Signature'] | ||
name: request.headers['x-github-event'], | ||
data: request.body | ||
}).catch(handleErrorsFromHooks) | ||
@@ -24,4 +29,4 @@ ``` | ||
The `event-handler` API implements [`.reiceive()`](../#webhooksreceive), [`.on()`](../#webhookson) and [`.removeListener()`](../#webhooksremovelistener). | ||
The `event-handler` API implements [`.sign()`](../#webhookssign), [`.verify()`](../#webhooksverify), [`.reiceive()`](../#webhooksreceive), [`.on()`](../#webhookson) and [`.removeListener()`](../#webhooksremovelistener). | ||
Back to [@octokit/webhooks README](..). |
@@ -5,3 +5,2 @@ 'use strict' | ||
const verify = require('../verify') | ||
const wrapErrorHandler = require('./wrap-error-handler') | ||
@@ -27,19 +26,2 @@ | ||
if (!options.signature) { | ||
throw new Error('Event signature not passed') | ||
} | ||
const matchesSignature = verify( | ||
state.secret, | ||
options.data, | ||
options.signature | ||
) | ||
if (!matchesSignature) { | ||
const error = new Error('Signature does not match') | ||
error.status = 400 | ||
return Promise.reject(error) | ||
} | ||
let hooks = [].concat( | ||
@@ -46,0 +28,0 @@ state.hooks[`${options.name}.${options.data.action}`], |
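Review bot: With the signature check removed here, `receive()` now forwards whatever it is handed straight to the registered hooks without confirming the payload came from GitHub, so any caller that invokes it directly (the README path rather than the middleware) has to run `verify()` first, and nothing in the function says so any more. A header comment above the function would make that contract explicit: `// receive() does NOT check X-Hub-Signature; callers must pass the payload through eventHandler.verify(data, signature) first (the middleware does this).` The enclosing function starts above this hunk, so the comment belongs above its signature outside the visible lines. Separately, the README example updated in the same commit appears to read `request.headers['x-github-signature']` while the middleware and the README table use `X-Hub-Signature`; if that is not a rendering artefact, the documented example would never find the header, so it is worth checking against the header name the middleware reads.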
@@ -6,5 +6,2 @@ module.exports = createWebhooksApi | ||
const sign = require('./sign') | ||
const verify = require('./verify') | ||
function createWebhooksApi (options) { | ||
@@ -23,4 +20,4 @@ if (!options) { | ||
return { | ||
sign: sign.bind(null, options.secret), | ||
verify: verify.bind(null, options.secret), | ||
sign: state.eventHandler.sign, | ||
verify: state.eventHandler.verify, | ||
on: state.eventHandler.on, | ||
@@ -27,0 +24,0 @@ removeListener: state.eventHandler.removeListener, |
@@ -52,2 +52,13 @@ module.exports = middleware | ||
const matchesSignature = state.eventHandler.verify( | ||
payload, | ||
signature | ||
) | ||
if (!matchesSignature) { | ||
response.statusCode = 400 | ||
response.end('x-hub-signature does not match event payload and secret') | ||
return | ||
} | ||
state.eventHandler.receive({ | ||
@@ -54,0 +65,0 @@ id: id, |
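Review bot: `state.eventHandler.verify(payload, signature)` is called without first checking that the `X-Hub-Signature` header was present, so the 400 for a missing header depends on `verify()` treating `undefined` as a mismatch rather than throwing inside the request handler; the no-signature test added in this commit would surface a throw, but the intent is clearer with an explicit guard before the call, `if (!signature) { response.statusCode = 400; response.end('x-hub-signature header is missing'); return }`. Whether `verify()` compares the digests in constant time (for example via `crypto.timingSafeEqual`) is not visible in this hunk and is worth confirming, since this comparison now runs on every inbound request. A short comment above the call noting that `payload` must be the raw request body as received, not a re-serialised object, would also help future readers, assuming that is how `payload` is populated earlier in `middleware`, whose start and end are outside this hunk.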
@@ -1,1 +0,1 @@ | ||
{"name":"@octokit/webhooks","version":"1.0.0","publishConfig":{"access":"public"},"description":"GitHub webhook events toolset for Node.js","main":"index.js","directories":{"lib":"lib","test":"test"},"dependencies":{},"devDependencies":{"axios":"^0.17.1","coveralls":"^3.0.0","debug":"^3.1.0","get-port":"^3.2.0","pify":"^3.0.0","semantic-release":"^9.1.1","simple-mock":"^0.8.0","standard":"^10.0.3","tap":"^10.7.3"},"scripts":{"coverage":"tap --coverage-report=html && open coverage/lcov-report/index.html","coverage:upload":"tap --coverage-report=text-lcov | coveralls","pretest":"standard","test":"tap --100 --coverage 'test/**/*-test.js'","semantic-release":"semantic-release"},"repository":{"type":"git","url":"https://github.com/octokit/webhooks.js.git"},"keywords":[],"author":"Gregor Martynus (https://twitter.com/gr2m)","license":"MIT"} | ||
{"name":"@octokit/webhooks","version":"2.0.0","publishConfig":{"access":"public"},"description":"GitHub webhook events toolset for Node.js","main":"index.js","directories":{"lib":"lib","test":"test"},"dependencies":{},"devDependencies":{"axios":"^0.17.1","coveralls":"^3.0.0","debug":"^3.1.0","get-port":"^3.2.0","pify":"^3.0.0","semantic-release":"^9.1.1","simple-mock":"^0.8.0","standard":"^10.0.3","tap":"^10.7.3"},"scripts":{"coverage":"tap --coverage-report=html && open coverage/lcov-report/index.html","coverage:upload":"tap --coverage-report=text-lcov | coveralls","pretest":"standard","test":"tap --100 --coverage 'test/**/*-test.js'","semantic-release":"semantic-release"},"repository":{"type":"git","url":"https://github.com/octokit/webhooks.js.git"},"keywords":[],"author":"Gregor Martynus (https://twitter.com/gr2m)","license":"MIT"} |
@@ -156,3 +156,3 @@ # @octokit/webhooks | ||
```js | ||
webhooks.receive({name, data, signature}) | ||
webhooks.receive({name, data}) | ||
``` | ||
@@ -190,17 +190,2 @@ | ||
</tr> | ||
<tr> | ||
<td> | ||
<code> | ||
signature | ||
</code> | ||
<em> | ||
String | ||
</em> | ||
</td> | ||
<td> | ||
<strong>Required</strong>. | ||
Passed as <a href="https://developer.github.com/webhooks/#delivery-headers"><code>X-Hub-Signature</code> header</a> | ||
in the webhook request. | ||
</td> | ||
</tr> | ||
</table> | ||
@@ -207,0 +192,0 @@ |
@@ -116,2 +116,32 @@ const http = require('http') | ||
test('POST / with push event payload (no signature)', (t) => { | ||
const api = new Webhooks({secret: 'mysecret'}) | ||
const server = http.createServer(api.middleware) | ||
promisify(server.listen.bind(server))(this.port) | ||
.then(() => { | ||
return axios.post(`http://localhost:${this.port}`, pushEventPayload, { | ||
headers: { | ||
'X-GitHub-Delivery': '123e4567-e89b-12d3-a456-426655440000', | ||
'X-GitHub-Event': 'push' | ||
} | ||
}) | ||
}) | ||
.then(() => { | ||
t.fail('should return a 400') | ||
}) | ||
.catch(error => { | ||
t.is(error.response.status, 400) | ||
}) | ||
.then(() => { | ||
server.close(t.end) | ||
}) | ||
.catch(t.error) | ||
}) | ||
test('POST / with push event payload (invalid signature)', (t) => { | ||
@@ -118,0 +148,0 @@ const api = new Webhooks({secret: 'mysecret'}) |
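Review bot: The `.catch(error => { t.is(error.response.status, 400) })` branch assumes every rejection carries an HTTP response; if the request fails without one (connection refused, or the middleware throwing instead of answering), `error.response` is undefined, the assertion itself throws, and the following `.then` that calls `server.close(t.end)` is skipped, so the server stays open and the run can hang instead of failing cleanly. Guarding the access, `t.is(error.response && error.response.status, 400)`, keeps the failure visible and lets the cleanup run. The test also never asserts that no hook was invoked for the unsigned request, which is the property the 400 is meant to protect; registering `api.on('push', () => t.fail('hook must not run for an unsigned event'))` before the request would cover it. `this.port` inside the arrow callback appears to resolve to the module-level `this`; if the neighbouring tests set it the same way this is fine, otherwise it is undefined here.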
@@ -30,8 +30,1 @@ const test = require('tap').test | ||
}) | ||
test('options: id, name, data', t => { | ||
t.throws(() => { | ||
receive(state, {id: '123', name: 'foo', data: {}}) | ||
}) | ||
t.end() | ||
}) |