feat: only accept string payloads for webhooks.sign() (#794)

wolfy1339 · web-flow · commit 855cefa1d544 · 2023-01-10T12:54:04.000-05:00
* feat: only accept string payloads for `webhooks.sign()`

BREAKING CHANGE: Only accept string payloads for `webhooks.verify()`
diff --git a/README.md b/README.md
@@ -162,7 +162,7 @@ webhooks.sign(eventPayload);
           eventPayload
         </code>
         <em>
-          (Object)
+          (String)
         </em>
       </td>
       <td>
diff --git a/src/index.ts b/src/index.ts
@@ -1,7 +1,6 @@
 import { createLogger } from "./createLogger";
 import { createEventHandler } from "./event-handler/index";
-import { sign } from "./sign";
-import { verify } from "@octokit/webhooks-methods";
+import { sign, verify } from "@octokit/webhooks-methods";
 import { verifyAndReceive } from "./verify-and-receive";
 import {
   EmitterWebhookEvent,
@@ -20,7 +19,7 @@ export { emitterEventNames } from "./generated/webhook-names";
 
 // U holds the return value of `transform` function in Options
 class Webhooks<TTransformed = unknown> {
-  public sign: (payload: string | object) => Promise<string>;
+  public sign: (payload: string) => Promise<string>;
   public verify: (eventPayload: string, signature: string) => Promise<boolean>;
   public on: <E extends EmitterWebhookEventName>(
     event: E | E[],
diff --git a/src/sign.ts b/src/sign.ts
diff --git a/src/to-normalized-json-string.ts b/src/to-normalized-json-string.ts
diff --git a/test/integration/webhooks.test.ts b/test/integration/webhooks.test.ts
@@ -3,7 +3,6 @@ import { readFileSync } from "fs";
 import { sign } from "@octokit/webhooks-methods";
 
 import { Webhooks } from "../../src";
-import { toNormalizedJsonString } from "../../src/to-normalized-json-string";
 
 const pushEventPayloadString = readFileSync(
   "test/fixtures/push-payload.json",
@@ -18,31 +17,13 @@ describe("Webhooks", () => {
     );
   });
 
-  test("webhooks.sign(payload) with object payload", async () => {
-    const secret = "mysecret";
-    const webhooks = new Webhooks({ secret });
-
-    await webhooks.sign(JSON.parse(pushEventPayloadString));
-  });
-
   test("webhooks.sign(payload) with string payload", async () => {
     const secret = "mysecret";
     const webhooks = new Webhooks({ secret });
 
     await webhooks.sign(pushEventPayloadString);
   });
 
-  test("webhooks.verify(payload, signature) with string payload containing special characters", async () => {
-    const secret = "mysecret";
-    const webhooks = new Webhooks({ secret });
-
-    const payload = toNormalizedJsonString({
-      foo: "Foo\n\u001b[34mbar: ♥♥♥♥♥♥♥♥\nthis-is-lost\u001b[0m\u001b[2K",
-    });
-
-    await webhooks.verify(payload, await sign(secret, payload));
-  });
-
   test("webhooks.verify(payload, signature) with string payload", async () => {
     const secret = "mysecret";
     const webhooks = new Webhooks({ secret });
diff --git a/test/typescript-validate.ts b/test/typescript-validate.ts
@@ -82,7 +82,7 @@ export default async function () {
 
   webhooks.onAny(async ({ id, name, payload }) => {
     console.log(name, "event received", id);
-    const sig = await webhooks.sign(payload);
+    const sig = await webhooks.sign(JSON.stringify(payload));
     webhooks.verify(JSON.stringify(payload), sig);
   });
 
