verify-github-webhook-secret

Verifies the secret that is sent in GitHub Webhooks

Usage (no npm install needed!)

<script type="module">
  import verifyGithubWebhookSecret from 'https://cdn.skypack.dev/verify-github-webhook-secret';
</script>

README

Verifies the secret that is sent in GitHub Webhooks. GitHub uses the secret as the key to generate an HMAC hex digest of the request body and sends that digest in the X-Hub-Signature header.

Installation 🏗

$ npm install --save verify-github-webhook-secret

or if you use Yarn 🐈

$ yarn add verify-github-webhook-secret

Usage 🔨

The exported function needs an http.IncomingMessage and your personal secret string. It returns a Promise that fulfills with a boolean indicating whether the received secret is valid.

You can use it for example with micro as follows:

import micro from 'micro';
import { verifySecret } from 'verify-github-webhook-secret';

const server = micro(async (req) => {
  const valid = await verifySecret(req, 'my-secret');
  return valid ? 'Allowed' : 'Not allowed';
});

Another way to call the function is directly with the HTTP body and the x-hub-signature HTTP header. This is useful in a scenario where you don't have an IncomingMessage, as in some serverless environments.

import { verifySecret } from 'verify-github-webhook-secret';

async function myFunc() {
  const valid = await verifySecret(
    '{"foo":"bar"}',
    'my-secret',
    'sha1=30a233839fe2ddd9233c49fd593e8f1aec68f553',
  );
  return valid ? 'Allowed' : 'Not allowed';
}
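
What a check of this kind does underneath, as an added example that is not the package's own code: it recomputes the HMAC-SHA1 of the raw body with the shared secret and compares it to the x-hub-signature header in constant time. The helper name `verifySignature`, the `demo` function and the sample values are assumptions constructed for illustration.

```javascript
// Added illustration, not the package's source: checking X-Hub-Signature by hand.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Hypothetical helper. rawBody must be the exact bytes GitHub sent:
// re-serialising parsed JSON can change the bytes and so the digest.
function verifySignature(rawBody, secret, signatureHeader) {
  if (typeof signatureHeader !== 'string') return false; // header missing

  // Expected shape: "sha1=" followed by 40 hex characters (a 20-byte digest).
  const match = /^sha1=([0-9a-f]{40})$/i.exec(signatureHeader);
  if (!match) return false; // malformed value or unexpected algorithm prefix

  const received = Buffer.from(match[1], 'hex');
  const expected = createHmac('sha1', secret).update(rawBody).digest();

  // Constant-time comparison, so response timing does not reveal how many
  // leading bytes of a guessed signature were correct. timingSafeEqual throws
  // on unequal lengths; the regex above guarantees both sides are 20 bytes.
  return timingSafeEqual(received, expected);
}

// Constructed sample values; the header is computed here, not captured traffic.
const SAMPLE_SECRET = 'my-secret';
const SAMPLE_BODY = '{"foo":"bar"}';
const SAMPLE_HEADER =
  'sha1=' + createHmac('sha1', SAMPLE_SECRET).update(SAMPLE_BODY).digest('hex');

function demo() {
  return {
    valid: verifySignature(SAMPLE_BODY, SAMPLE_SECRET, SAMPLE_HEADER),
    // Same JSON value, different bytes: the signature no longer matches.
    reserialised: verifySignature('{ "foo": "bar" }', SAMPLE_SECRET, SAMPLE_HEADER),
    wrongSecret: verifySignature(SAMPLE_BODY, 'other-secret', SAMPLE_HEADER),
    missingHeader: verifySignature(SAMPLE_BODY, SAMPLE_SECRET, undefined),
    truncated: verifySignature(SAMPLE_BODY, SAMPLE_SECRET, SAMPLE_HEADER.slice(0, 20)),
  };
}

console.log(demo());
```

The `reserialised` case is the one that most often bites in practice: frameworks that parse the JSON body before your handler runs leave you without the original bytes to verify.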