diff --git a/src/node/sign.ts b/src/node/sign.ts
index c04c7b1..b2a606c 100644
--- a/src/node/sign.ts
+++ b/src/node/sign.ts
@@ -1,24 +1,7 @@
 import { createHmac } from "node:crypto";
-import { Algorithm, type SignOptions } from "../types.js";
 import { VERSION } from "../version.js";
-export async function sign(secret: string, payload: string): Promise;
-export async function sign(
- options: SignOptions,
- payload: string,
-): Promise;
-export async function sign(
- options: SignOptions | string,
- payload: string,
-): Promise {
- const { secret, algorithm } =
- typeof options === "object"
- ? {
- secret: options.secret,
- algorithm: options.algorithm || Algorithm.SHA256,
- }
- : { secret: options, algorithm: Algorithm.SHA256 };
-
+export async function sign(secret: string, payload: string): Promise {
 if (!secret || !payload) {
 throw new TypeError(
 "[@octokit/webhooks-methods] secret & payload required for sign()",
@@ -29,11 +12,7 @@ export async function sign(
 throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
 }
- if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
- throw new TypeError(
- `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha256'`,
- );
- }
+ const algorithm = "sha256";
 return `${algorithm}=${createHmac(algorithm, secret)
 .update(payload)
diff --git a/src/node/verify.ts b/src/node/verify.ts
index ef1f106..816867d 100644
--- a/src/node/verify.ts
+++ b/src/node/verify.ts
@@ -22,11 +22,8 @@ export async function verify(
 }
 const signatureBuffer = Buffer.from(signature);
- const algorithm = "sha256";
- const verificationBuffer = Buffer.from(
- await sign({ secret, algorithm }, eventPayload),
- );
+ const verificationBuffer = Buffer.from(await sign(secret, eventPayload));
 if (signatureBuffer.length !== verificationBuffer.length) {
 return false;
diff --git a/src/types.ts b/src/types.ts
deleted file mode 100644
index 01b6f7a..0000000
--- a/src/types.ts
+++ /dev/null
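Review bot: With the `SignOptions` overload removed, `sign()` in src/node/sign.ts still guards the secret only with `!secret`, so an untyped JavaScript caller that keeps passing the old `{ secret }` object gets past the check and the object reaches `createHmac` as the key. A type check next to the existing payload check would reject that with the library's own error, e.g. `if (typeof secret !== "string") throw new TypeError("[@octokit/webhooks-methods] secret must be a string");`. The same gap exists in `sign()` in src/web.ts (the `@@ -36,27 +26,14 @@` hunk), and it matters more there if `importKey` text-encodes the secret (that line is outside the hunks): an object would then be stringified and the payload signed under an unintended key instead of failing. The body of `sign()` continues past this hunk.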
@@ -1,10 +0,0 @@
-export enum Algorithm {
- SHA256 = "sha256",
-}
-
-export type AlgorithmLike = Algorithm | "sha256";
-
-export type SignOptions = {
- secret: string;
- algorithm?: AlgorithmLike;
-};
diff --git a/src/web.ts b/src/web.ts
index 83f1679..dd9d2ac 100644
--- a/src/web.ts
+++ b/src/web.ts
@@ -1,5 +1,3 @@
-import { Algorithm, type AlgorithmLike, type SignOptions } from "./types.js";
-
 const enc = new TextEncoder();
 function hexToUInt8Array(string: string) {
@@ -20,15 +18,7 @@ function UInt8ArrayToHex(signature: ArrayBuffer) {
 .join("");
 }
-function getHMACHashName(algorithm: AlgorithmLike) {
- return (
- {
- [Algorithm.SHA256]: "SHA-256",
- } as { [key in Algorithm]: string }
- )[algorithm];
-}
-
-async function importKey(secret: string, algorithm: AlgorithmLike) {
+async function importKey(secret: string) {
 // ref: https://developer.mozilla.org/en-US/docs/Web/API/HmacImportParams
 return crypto.subtle.importKey(
 "raw", // raw format of the key - should be Uint8Array
@@ -36,27 +26,14 @@ async function importKey(secret: string, algorithm: AlgorithmLike) {
 {
 // algorithm details
 name: "HMAC",
- hash: { name: getHMACHashName(algorithm) },
+ hash: { name: "sha256" },
 },
 false, // export = false
 ["sign", "verify"], // what this key can do
 );
 }
-export async function sign(secret: string, payload: string): Promise;
-export async function sign(
- options: SignOptions,
- payload: string,
-): Promise;
-export async function sign(options: SignOptions | string, payload: string) {
- const { secret, algorithm } =
- typeof options === "object"
- ? {
- secret: options.secret,
- algorithm: options.algorithm || Algorithm.SHA256,
- }
- : { secret: options, algorithm: Algorithm.SHA256 };
-
+export async function sign(secret: string, payload: string): Promise {
 if (!secret || !payload) {
 throw new TypeError(
 "[@octokit/webhooks-methods] secret & payload required for sign()",
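Review bot: In `importKey` (the `@@ -36,27 +26,14 @@` hunk of src/web.ts) the hash is now `{ name: "sha256" }`, whereas the helper this commit removes mapped the algorithm to `"SHA-256"`, which is the name Web Crypto registers for that digest. Web Crypto matches registered names case-insensitively, but "sha256" without the hyphen is not one of them, so a strict runtime may reject the key import with a NotSupportedError and both `sign()` and `verify()` in the web build would fail; some runtimes may accept the alias, so this needs a test on each supported target. Keep the Web Crypto spelling for the key and use the lowercase form only for the signature prefix: `hash: { name: "SHA-256" },`. `importKey` starts before this hunk.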
@@ -67,15 +44,10 @@ export async function sign(options: SignOptions | string, payload: string) {
 throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
 }
- if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
- throw new TypeError(
- `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha256'`,
- );
- }
-
+ const algorithm = "sha256";
 const signature = await crypto.subtle.sign(
 "HMAC",
- await importKey(secret, algorithm),
+ await importKey(secret),
 enc.encode(payload),
 );
@@ -102,7 +74,7 @@ export async function verify(
 const algorithm = "sha256";
 return await crypto.subtle.verify(
 "HMAC",
- await importKey(secret, algorithm),
+ await importKey(secret),
 hexToUInt8Array(signature.replace(`${algorithm}=`, "")),
 enc.encode(eventPayload),
 );
diff --git a/test/sign.test.ts b/test/sign.test.ts
index 6004625..fc73647 100644
--- a/test/sign.test.ts
+++ b/test/sign.test.ts
@@ -45,32 +45,13 @@ describe("sign", () => {
 });
 describe("with eventPayload as string", () => {
- describe("returns expected sha1 signature", () => {
+ describe("returns expected sha256 signature", () => {
 test("sign(secret, eventPayload)", async () => {
 const signature = await sign(secret, JSON.stringify(eventPayload));
 expect(signature).toBe(
 "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
 );
 });
-
- test("sign({secret}, eventPayload)", async () => {
- const signature = await sign({ secret }, JSON.stringify(eventPayload));
- expect(signature).toBe(
- "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
- );
- });
- });
-
- describe("returns expected sha256 signature", () => {
- test("sign({secret, algorithm: 'sha256'}, eventPayload)", async () => {
- const signature = await sign(
- { secret, algorithm: "sha256" },
- JSON.stringify(eventPayload),
- );
- expect(signature).toBe(
- "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
- );
- });
 });
 });
 });