Skip to content

A tiny library to create and verify signature hashes.

License

Notifications You must be signed in to change notification settings

pocketbitcoin/sig-tools

Repository files navigation

Sig tools

A tiny library to create and verify signature hashes.

Very useful to secure webhooks endpoints.

Inspired by GitHub's Webhook implementation, the library lets you:

  • create a hash signature of each request payload (using a HMAC hex digest) to be sent via HTTP header
  • verify the validity of a signature

Install

$ npm install --save @pocketbitcoin/sig-tools

Usage

import { createSignature, isSignatureValid } from '@pocketbitcoin/sig-tools'

const SECRET = 'MY SECRET KEY'

// create signature and send it via http header

const reqPayload = JSON.stringify({
  val: 123,
  val1: 123456
})

const signature = createSignature({
  algorithm: 'sha256',
  secret: SECRET,
  data: reqPayload
})

try {
  await axios.post('http://localhost:5000/my-webhook-endpoint', reqPayload, {
    headers: {
      'x-sig-256': signature,
      'content-type': 'application/json'
    }
  })
} catch (err) {
  console.log(err.response.data)
}

// verify signature (Express example)

const valid = isSignatureValid({
  algorithm: 'sha256',
  secret: SECRET,
  data: req.rawBody,
  signature: req.headers['x-sig-256']
})

Tests

$ npm run test

MIT License

About

A tiny library to create and verify signature hashes.

Resources

License

Stars

Watchers

Forks