feat: v5 (#236)

BREAKING CHANGE: output ESM instead of CommonJS BREAKING CHANGE: remove SHA1 support BREAKING CHANGE: The `verify()` and `sign()` methods no longer accept an options object
octokit · Feb 23, 2024 · fead924 · fead924
1 parent 6b1d989
commit fead924
Show file tree

Hide file tree

Showing 13 changed files with 45 additions and 171 deletions.
diff --git a/README.md b/README.md
@@ -56,11 +56,7 @@ Node
 Install with `npm install @octokit/core @octokit/webhooks-methods`
 
 ```js
-const {
- sign,
- verify,
- verifyWithFallback,
-} = require("@octokit/webhooks-methods");
+import { sign, verify, verifyWithFallback } from "@octokit/webhooks-methods";
 ```
 
 </td></tr>

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -3,6 +3,7 @@
  "publishConfig": {
  "access": "public"
  },
+ "type": "module",
  "version": "0.0.0-development",
  "description": "Methods to handle GitHub Webhook requests",
  "scripts": {
@@ -11,7 +12,7 @@
  "lint:fix": "prettier --write '{src,test,scripts}/**/*' README.md package.json",
  "pretest": "npm run -s lint",
  "test": "npm run -s test:node && npm run -s test:web",
- "test:node": "jest --coverage",
+ "test:node": "NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules\" npx jest --coverage",
  "test:web": "npm run test:deno && npm run test:browser",
  "pretest:web": "npm run -s build",
  "test:deno": "cd test/deno && deno test",
@@ -27,7 +28,7 @@
  "author": "Gregor Martynus (https://dev.to/gr2m)",
  "license": "MIT",
  "devDependencies": {
- "@octokit/tsconfig": "^2.0.0",
+ "@octokit/tsconfig": "^3.0.0",
  "@types/jest": "^29.0.0",
  "@types/node": "^20.0.0",
  "esbuild": "^0.20.0",
@@ -41,11 +42,15 @@
  "typescript": "^5.0.0"
  },
  "jest": {
+ "extensionsToTreatAsEsm": [
+ ".ts"
+ ],
  "transform": {
  "^.+\\.(ts|tsx)$": [
  "ts-jest",
  {
- "tsconfig": "test/tsconfig.test.json"
+ "tsconfig": "test/tsconfig.test.json",
+ "useESM": true
  }
  ]
  },

diff --git a/scripts/build.mjs b/scripts/build.mjs
@@ -32,7 +32,7 @@ async function main() {
  bundle: true,
  platform: "node",
  target: "node18",
- format: "cjs",
+ format: "esm",
  ...sharedOptions,
  }),
  // Build an ESM browser bundle
@@ -56,16 +56,29 @@ async function main() {
  delete pkg.scripts;
  delete pkg.prettier;
  delete pkg.release;
+ delete pkg.jest;
  await writeFile(
  "pkg/package.json",
  JSON.stringify(
  {
  ...pkg,
  files: ["dist-*/**"],
- main: "dist-node/index.js",
- browser: "dist-web/index.js",
- types: "dist-types/index.d.ts",
- module: "dist-src/index.js",
+ exports: {
+ ".": {
+ node: {
+ types: "./dist-types/index.d.ts",
+ import: "./dist-node/index.js",
+ },
+ browser: {
+ types: "./dist-types/web.d.ts",
+ import: "./dist-web/index.js",
+ },
+ default: {
+ types: "./dist-types/index.d.ts",
+ import: "./dist-node/index.js",
+ },
+ },
+ },
  sideEffects: false,
  },
  null,

diff --git a/src/node/sign.ts b/src/node/sign.ts
@@ -1,19 +1,7 @@
 import { createHmac } from "node:crypto";
-import { Algorithm, type SignOptions } from "../types.js";
 import { VERSION } from "../version.js";
 
-export async function sign(
- options: SignOptions | string,
- payload: string,
-): Promise<string> {
- const { secret, algorithm } =
- typeof options === "object"
- ? {
- secret: options.secret,
- algorithm: options.algorithm || Algorithm.SHA256,
- }
- : { secret: options, algorithm: Algorithm.SHA256 };
-
+export async function sign(secret: string, payload: string): Promise<string> {
  if (!secret || !payload) {
  throw new TypeError(
  "[@octokit/webhooks-methods] secret & payload required for sign()",
@@ -24,11 +12,7 @@ export async function sign(
  throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
  }
 
- if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
- throw new TypeError(
- `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`,
- );
- }
+ const algorithm = "sha256";
 
  return `${algorithm}=${createHmac(algorithm, secret)
  .update(payload)

diff --git a/src/node/verify.ts b/src/node/verify.ts
@@ -3,7 +3,6 @@ import { Buffer } from "node:buffer";
 
 import { sign } from "./sign.js";
 import { VERSION } from "../version.js";
-import { getAlgorithm } from "../utils.js";
 
 export async function verify(
  secret: string,
@@ -23,11 +22,8 @@ export async function verify(
  }
 
  const signatureBuffer = Buffer.from(signature);
- const algorithm = getAlgorithm(signature);
 
- const verificationBuffer = Buffer.from(
- await sign({ secret, algorithm }, eventPayload),
- );
+ const verificationBuffer = Buffer.from(await sign(secret, eventPayload));
 
  if (signatureBuffer.length !== verificationBuffer.length) {
  return false;

diff --git a/src/types.ts b/src/types.ts
diff --git a/src/utils.ts b/src/utils.ts
diff --git a/src/web.ts b/src/web.ts
@@ -1,6 +1,3 @@
-import { Algorithm, type AlgorithmLike, type SignOptions } from "./types.js";
-import { getAlgorithm } from "./utils.js";
-
 const enc = new TextEncoder();
 
 function hexToUInt8Array(string: string) {
@@ -21,39 +18,22 @@ function UInt8ArrayToHex(signature: ArrayBuffer) {
  .join("");
 }
 
-function getHMACHashName(algorithm: AlgorithmLike) {
- return (
- {
- [Algorithm.SHA1]: "SHA-1",
- [Algorithm.SHA256]: "SHA-256",
- } as { [key in Algorithm]: string }
- )[algorithm];
-}
-
-async function importKey(secret: string, algorithm: AlgorithmLike) {
+async function importKey(secret: string) {
  // ref: https://developer.mozilla.org/en-US/docs/Web/API/HmacImportParams
  return crypto.subtle.importKey(
  "raw", // raw format of the key - should be Uint8Array
  enc.encode(secret),
  {
  // algorithm details
  name: "HMAC",
- hash: { name: getHMACHashName(algorithm) },
+ hash: { name: "SHA-256" },
  },
  false, // export = false
  ["sign", "verify"], // what this key can do
  );
 }
 
-export async function sign(options: SignOptions | string, payload: string) {
- const { secret, algorithm } =
- typeof options === "object"
- ? {
- secret: options.secret,
- algorithm: options.algorithm || Algorithm.SHA256,
- }
- : { secret: options, algorithm: Algorithm.SHA256 };
-
+export async function sign(secret: string, payload: string): Promise<string> {
  if (!secret || !payload) {
  throw new TypeError(
  "[@octokit/webhooks-methods] secret & payload required for sign()",
@@ -64,15 +44,10 @@ export async function sign(options: SignOptions | string, payload: string) {
  throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
  }
 
- if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
- throw new TypeError(
- `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha1' or 'sha256'`,
- );
- }
-
+ const algorithm = "sha256";
  const signature = await crypto.subtle.sign(
  "HMAC",
- await importKey(secret, algorithm),
+ await importKey(secret),
  enc.encode(payload),
  );
 
@@ -96,10 +71,10 @@ export async function verify(
  );
  }
 
- const algorithm = getAlgorithm(signature);
+ const algorithm = "sha256";
  return await crypto.subtle.verify(
  "HMAC",
- await importKey(secret, algorithm),
+ await importKey(secret),
  hexToUInt8Array(signature.replace(`${algorithm}=`, "")),
  enc.encode(eventPayload),
  );

diff --git a/test/browser-test.js b/test/browser-test.js
@@ -1,7 +1,7 @@
-const { strictEqual } = require("node:assert");
+import { strictEqual } from "node:assert";
 
-const { readFile } = require("node:fs/promises");
-const puppeteer = require("puppeteer");
+import { readFile } from "node:fs/promises";
+import puppeteer from "puppeteer";
 
 runTests();
 

diff --git a/test/sign.test.ts b/test/sign.test.ts
@@ -35,50 +35,14 @@ describe("sign", () => {
  );
  });
 
- test("sign({secret, algorithm}) throws with invalid algorithm", async () => {
- await expect(() =>
- // @ts-expect-error
- sign({ secret, algorithm: "sha2" }, JSON.stringify(eventPayload)),
- ).rejects.toThrow(
- "[@octokit/webhooks] Algorithm sha2 is not supported. Must be 'sha1' or 'sha256'",
- );
- });
-
  describe("with eventPayload as string", () => {
- describe("returns expected sha1 signature", () => {
+ describe("returns expected sha256 signature", () => {
  test("sign(secret, eventPayload)", async () => {
  const signature = await sign(secret, JSON.stringify(eventPayload));
  expect(signature).toBe(
  "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
  );
  });
-
- test("sign({secret}, eventPayload)", async () => {
- const signature = await sign({ secret }, JSON.stringify(eventPayload));
- expect(signature).toBe(
- "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
- );
- });
-
- test("sign({secret, algorithm: 'sha1'}, eventPayload)", async () => {
- const signature = await sign(
- { secret, algorithm: "sha1" },
- JSON.stringify(eventPayload),
- );
- expect(signature).toBe("sha1=d03207e4b030cf234e3447bac4d93add4c6643d8");
- });
- });
-
- describe("returns expected sha256 signature", () => {
- test("sign({secret, algorithm: 'sha256'}, eventPayload)", async () => {
- const signature = await sign(
- { secret, algorithm: "sha256" },
- JSON.stringify(eventPayload),
- );
- expect(signature).toBe(
- "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
- );
- });
  });
  });
 

diff --git a/test/tsconfig.test.json b/test/tsconfig.test.json
@@ -3,7 +3,6 @@
  "compilerOptions": {
  "emitDeclarationOnly": false,
  "noEmit": true,
- "verbatimModuleSyntax": false,
  "allowImportingTsExtensions": true
  },
  "include": ["src/**/*"]