updated to check against 'Signature-256' request header (fixes #47)

Author: tejashah88

.github/workflows/main.yml

@@ -21,14 +21,22 @@ jobs:
     # The type of runner that the job will run on
     runs-on: ubuntu-latest
 
+    # Specify which node versions should this module be tested against
+    strategy:
+      matrix:
+        node-version: [ 12, 14, 16, 18, 20 ]
+
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
 
       # Runs a single command using the runners shell
       - name: setup
-        run: npm install
+        run: npm ci
 
       # Runs a single command using the runners shell
       - name: tests

.gitignore

@@ -2,6 +2,13 @@
 logs
 *.log
 npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
 
 # Runtime data
 pids
@@ -14,29 +21,48 @@ lib-cov
 
 # Coverage directory used by tools like istanbul
 coverage
+*.lcov
 
 # nyc test coverage
 .nyc_output
 
-# Grunt intermediate storage (http://gruntjs.com/creating-plugins#storing-task-files)
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
 .grunt
 
+# Bower dependency directory (https://bower.io/)
+bower_components
+
 # node-waf configuration
 .lock-wscript
 
-# Compiled binary addons (http://nodejs.org/api/addons.html)
+# Compiled binary addons (https://nodejs.org/api/addons.html)
 build/Release
 
 # Dependency directories
-node_modules
-jspm_packages
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
 
 # Optional npm cache directory
 .npm
 
 # Optional eslint cache
 .eslintcache
 
+# Optional stylelint cache
+.stylelintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
 # Optional REPL history
 .node_repl_history
 
@@ -46,3 +72,62 @@ jspm_packages
 # Yarn Integrity file
 .yarn-integrity
 
+# dotenv environment variable files
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and not Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+.temp
+.cache
+
+# Docusaurus cache and generated files
+.docusaurus
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*
+
+# node-TAP generated files
+.tap

CHANGELOG.md

@@ -1,3 +1,7 @@
+## 3.0.0
+* BREAKING: Updated to check against SHA-256 signature of request body (#47)
+
+
 ## 2.0.3
 * Remediates CVE-2021-3765
 

README.md

@@ -1,15 +1,13 @@
 # alexa-verifier-middleware
 
-[![NPM](https://nodei.co/npm/alexa-verifier-middleware.png)](https://www.npmjs.com/package/alexa-verifier-middleware/)
-
 ![NPM Version](https://img.shields.io/npm/v/alexa-verifier-middleware.svg)
 
-![example workflow](https://github.com/alexa-js/alexa-verifier-middleware/actions/workflows/main.yml/badge.svg)
+![Github CI status](https://github.com/alexa-js/alexa-verifier-middleware/actions/workflows/main.yml/badge.svg)
 
 An [express](https://www.npmjs.com/package/express) middleware that verifies HTTP requests sent to an Alexa skill are sent from Amazon.
 
 
-Version 2.x is now a pure es module, and requires node 12.17 or higher. If you want to run this via an older version of node, use 
+Version 3.x is now a pure ES module, and requires node 12.17 or higher. If you want to run this via an older version of node, use
 [[email protected]](https://www.npmjs.com/package/alexa-verifier-middleware/v/1.0.3) 
 
 

index.js

@@ -19,6 +19,7 @@ export default function alexaVerifierMiddleware (req, res, next) {
   // other body parser middlewares
   req._body = true
   req.rawBody = ''
+
   req.on('data', function (data) {
     return req.rawBody += data
   })
@@ -33,8 +34,8 @@ export default function alexaVerifierMiddleware (req, res, next) {
       req.body = { }
     }
 
-    certUrl = req.headers.signaturecertchainurl
-    signature = req.headers.signature
+    certUrl = req.headers['signaturecertchainurl']
+    signature = req.headers['signature-256']
 
     verifier(certUrl, signature, req.rawBody, function (er) {
       if (er)