README
verify-github-webhook-secret
Verifies the secret that is sent in GitHub Webhooks. The secret
will be used as the key to generate the HMAC hex digest value in the X-Hub-Signature
header.
Installation 🏗
$ npm install --save verify-github-webhook-secret
or if you use Yarn 🐈
$ yarn add verify-github-webhook-secret
Usage 🔨
The exported function needs a http.IncomingMessage and your personal secret
string. It returns a Promise that fulfills with a boolean if the received secret is valid or not.
You can use it for example with micro as follows:
import micro from 'micro';
import { verifySecret } from 'verify-github-webhook-secret';
const server = micro(async (req) => {
const valid = await verifySecret(req, 'my-secret');
return valid ? 'Allowed' : 'Not allowed';
});
Another way to call the function is directly with the HTTP body and the x-hub-signature
HTTP header. This is useful in an scenario where you don't have an IncomingMessage
like in some serverless environments.
import { verifySecret } from 'verify-github-webhook-secret';
async function myFunc() {
const valid = await verifySecret(
'{"foo":"bar"}',
'my-secret',
'sha1=30a233839fe2ddd9233c49fd593e8f1aec68f553',
);
return valid ? 'Allowed' : 'Not allowed';
}