From d4dbd7093bdc502ce2f92920e9bc470f8bd723b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=A1=D0=BA=D0=BE=D0=B2=D0=BE=D1=80=D0=BE=D0=B4=D0=B0=20?=
 =?UTF-8?q?=D0=9D=D0=B8=D0=BA=D0=B8=D1=82=D0=B0=20=D0=90=D0=BD=D0=B4=D1=80?=
 =?UTF-8?q?=D0=B5=D0=B5=D0=B2=D0=B8=D1=87?= <chalkerx@gmail.com>
Date: Fri, 2 Mar 2018 22:35:24 +0300
Subject: [PATCH] Avoid using deprecated Buffer API on newer Node.js

This avoids using Buffer constructor API on newer Node.js versions.

To achieve that, Buffer.from presence is checked, with validation that it's
not the same method as Uint8Array.from.

Also an additional type-guard is added in the fallback code path to ensure
that typed numbers are never accidently fed into `new Buffer` input.

Refs:
https://nodejs.org/api/deprecations.html#deprecations_dep0005_buffer_constructor
---
 lib/verify.js | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/lib/verify.js b/lib/verify.js
index b053fd6..3923868 100644
--- a/lib/verify.js
+++ b/lib/verify.js
@@ -73,7 +73,22 @@ module.exports = {
     h1.update(hmac.digest());
     h1 = h1.digest();
     var h2 = crypto.createHmac(hashAlg, secret);
-    h2.update(new Buffer(parsedSignature.params.signature, 'base64'));
+
+    var signatureBase64 = parsedSignature.params.signature;
+    var signatureBuffer;
+    if (Buffer.from && Buffer.from !== Uint8Array.from) {
+      // Node.js 4.5.0 and newer
+      signatureBuffer = Buffer.from(signatureBase64, 'base64');
+    } else {
+      // Node.js <4.5.0 || >=5.0.0 <5.10.0
+      if (typeof signatureBase64 === 'number') {
+        // type-guard against uninitentional uninitialized Buffer allocation
+        throw new Error('Unexpected .signature type: number, string expected');
+      }
+      signatureBuffer = new Buffer(signatureBase64, 'base64');
+    }
+    h2.update(signatureBuffer);
+
     h2 = h2.digest();
 
     /* Node 0.8 returns strings from .digest(). */