-
Notifications
You must be signed in to change notification settings - Fork 18
/
Copy pathwebhook-event-verifier.ts
42 lines (33 loc) · 1.27 KB
/
webhook-event-verifier.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
// Require crypto instead of importing, because Node can be built without crypto support.
let crypto: typeof import("crypto") | undefined;
try {
// tslint:disable-next-line: no-var-requires
crypto = require("crypto");
} catch {
// We throw an error when verifying webhooks instead.
}
import { WebhookEvent } from "./api";
export class OnfidoInvalidSignatureError extends Error {}
export class WebhookEventVerifier {
private readonly webhookToken: string;
constructor(webhookToken: string) {
this.webhookToken = webhookToken;
}
public readPayload(rawEventBody: string | Buffer, hexSignature: string) {
if (!crypto) {
throw new Error("Verifying webhook events requires crypto support");
}
const givenSignature = Buffer.from(hexSignature, "hex");
// Compute the the actual HMAC signature from the raw request body.
const hmac = crypto.createHmac("sha256", this.webhookToken);
hmac.update(rawEventBody);
const eventSignature = hmac.digest();
// Use timingSafeEqual to prevent against timing attacks.
if (!crypto.timingSafeEqual(givenSignature, eventSignature)) {
throw new OnfidoInvalidSignatureError(
"Invalid signature for webhook event",
);
}
return JSON.parse(rawEventBody.toString()) as WebhookEvent;
}
}