sa-kws-node-sdk - npm Package Compare versions

Comparing version 1.1.6 to 1.1.7

lib/kwsSdk.js

@@ -331,5 +331,15 @@ 'use strict';
 // validate if the call is coming from KWS API
-KwsSdk.prototype.validWebhookSignature = function(secretKey) {
+KwsSdk.prototype.validWebhookSignature = function(secretKey, url) {
     var self = this;
 
+    function calculateSignature(data) {
+      var dataToSign = JSON.stringify({
+        secretKey: secretKey,
+        url: url,
+        data: data
+      });
+
+      return crypto.createHmac('sha256', secretKey).update(dataToSign).digest('hex');
+    }
+
     return function(req, res, next) {
@@ -348,13 +358,4 @@ var signature = req.headers['x-kwsapi-signature'];
         } else {
-            var signedData = req.originalUrl;
+            var currentSignature = calculateSignature(data);
 
-            for(var key in data) {
-                signedData += key;
-                signedData += data[key];
-            }
-
-            signedData += secretKey;
-
-            var currentSignature = crypto.createHmac('sha1', secretKey).update(signedData).digest('hex').toString('base64');
-
             if (currentSignature !== signature) {
@@ -361,0 +362,0 @@ res.sendStatus(401);

package.json

 {
   "name": "sa-kws-node-sdk",
-  "version": "1.1.6",
+  "version": "1.1.7",
   "description": "KWS Node App SDK",
@@ -5,0 +5,0 @@ "main": "./lib/kwsSdk.js",

test/kwsSdk.js

@@ -36,13 +36,10 @@ /* globals describe, it, beforeEach, afterEach */
 
-    function generateWebhookSignature(originalUrl, data, secretKey) {
-        var signedData = originalUrl;
+    function generateWebhookSignature(secretKey, url, data) {
+        const dataToSign = JSON.stringify({
+          secretKey,
+          url,
+          data,
+        });
 
-        for(var key in data) {
-            signedData += key;
-            signedData += data[key];
-        }
-
-        signedData += secretKey;
-
-        return crypto.createHmac('sha1', secretKey).update(signedData).digest('hex').toString('base64');
+        return crypto.createHmac('sha256', secretKey).update(dataToSign).digest('hex');
     }
@@ -550,3 +547,4 @@
             var secretKey = 'secretTestKey';
-            var middleware = kwsSdk.validWebhookSignature(secretKey);
+            var url = 'https://test.example.com/webhook/endpoint';
+            var middleware = kwsSdk.validWebhookSignature(secretKey, url);
             var next = function(){
@@ -563,3 +561,2 @@ should(true).eql(false);
             var req = {
-                originalUrl: '/webhook/endpoint',
                 body: {
@@ -582,3 +579,3 @@ permissions: {
             //now with a valid signature
-            req.headers['x-kwsapi-signature'] = generateWebhookSignature(req.originalUrl, req.body, secretKey);
+            req.headers['x-kwsapi-signature'] = generateWebhookSignature(secretKey, url, req.body);
             res.sendStatus = function(){
@@ -585,0 +582,0 @@ should(true).eql(false);

No alert changes

Improved metrics

Lines of code

1712

increased by0.06%

Worsened metrics

Total package byte prevSize

66705

decreased by-0.16%

No dependency changes