fix: bump @octokit/webhooks-methods to ^2.0.0 (#587)

* build(lint): do not prettify JSON event payload fixtures
* test: format push payload the way GitHub would send it
* fix(package): bump `@octokit/webhooks-methods` to `^2.0.0`
* build(package): lock file
* refactor: adapt for `@octokit/webhooks-methods` v2

Author: gr2m

package-lock.json

@@ -10,16 +10,16 @@
     "build": "pika build",
     "coverage": "jest --coverage && open coverage/lcov-report/index.html",
     "generate-types": "ts-node --transpile-only scripts/generate-types.ts",
-    "lint": "prettier --check 'src/**/*.{ts,json}' 'scripts/**/*' 'test/**/*' README.md package.json",
-    "lint:fix": "prettier --write 'src/**/*.{ts,json}' 'scripts/**/*' 'test/**/*' README.md package.json",
+    "lint": "prettier --check 'src/**/*.{ts,json}' 'scripts/**/*' 'test/**/*.ts' README.md package.json",
+    "lint:fix": "prettier --write 'src/**/*.{ts,json}' 'scripts/**/*' 'test/**/*.ts' README.md package.json",
     "pretest": "npm run -s lint",
     "test": "jest --coverage",
     "validate:ts": "tsc --noEmit --noImplicitAny --target es2020 --esModuleInterop --moduleResolution node test/typescript-validate.ts"
   },
   "prettier": {},
   "dependencies": {
     "@octokit/request-error": "^2.0.2",
-    "@octokit/webhooks-methods": "^1.0.0",
+    "@octokit/webhooks-methods": "^2.0.0",
     "@octokit/webhooks-types": "4.0.0",
     "aggregate-error": "^3.1.0"
   },

package.json

@@ -1,7 +1,7 @@
-import { sign, verify } from "@octokit/webhooks-methods";
-
 import { createLogger } from "./createLogger";
 import { createEventHandler } from "./event-handler/index";
+import { sign } from "./sign";
+import { verify } from "./verify";
 import { verifyAndReceive } from "./verify-and-receive";
 import {
   EmitterWebhookEvent,

src/index.ts

@@ -0,0 +1,13 @@
+import { sign as signMethod } from "@octokit/webhooks-methods";
+
+import { toNormalizedJsonString } from "./to-normalized-json-string";
+
+export async function sign(
+  secret: string,
+  payload: string | object
+): Promise<any> {
+  return signMethod(
+    secret,
+    typeof payload === "string" ? payload : toNormalizedJsonString(payload)
+  );
+}

src/sign.ts

@@ -0,0 +1,9 @@
+/**
+ * GitHub sends its JSON with an indentation of 2 spaces and a line break at the end
+ */
+export function toNormalizedJsonString(payload: object) {
+  const payloadString = JSON.stringify(payload, null, 2) + "\n";
+  return payloadString.replace(/[^\\]\\u[\da-f]{4}/g, (s) => {
+    return s.substr(0, 3) + s.substr(3).toUpperCase();
+  });
+}

src/to-normalized-json-string.ts

@@ -1,5 +1,6 @@
 import { verify } from "@octokit/webhooks-methods";
 
+import { toNormalizedJsonString } from "./to-normalized-json-string";
 import {
   EmitterWebhookEventWithStringPayloadAndSignature,
   EmitterWebhookEventWithSignature,
@@ -15,7 +16,9 @@ export async function verifyAndReceive(
   // verify will validate that the secret is not undefined
   const matchesSignature = await verify(
     state.secret,
-    event.payload,
+    typeof event.payload === "object"
+      ? toNormalizedJsonString(event.payload)
+      : event.payload,
     event.signature
   );
 

src/verify-and-receive.ts

@@ -0,0 +1,15 @@
+import { verify as verifyMethod } from "@octokit/webhooks-methods";
+
+import { toNormalizedJsonString } from "./to-normalized-json-string";
+
+export async function verify(
+  secret: string,
+  payload: string | object,
+  signature: string
+): Promise<any> {
+  return verifyMethod(
+    secret,
+    typeof payload === "string" ? payload : toNormalizedJsonString(payload),
+    signature
+  );
+}

src/verify.ts

@@ -27,7 +27,9 @@
       },
       "added": [],
       "removed": [],
-      "modified": ["README.md"]
+      "modified": [
+        "README.md"
+      ]
     }
   ],
   "head_commit": {
@@ -49,7 +51,9 @@
     },
     "added": [],
     "removed": [],
-    "modified": ["README.md"]
+    "modified": [
+      "README.md"
+    ]
   },
   "repository": {
     "id": 35129377,

test/fixtures/push-payload.json

@@ -1,4 +1,5 @@
 import { createServer } from "http";
+import { readFileSync } from "fs";
 
 import fetch from "node-fetch";
 import { sign } from "@octokit/webhooks-methods";
@@ -7,15 +8,18 @@ import { sign } from "@octokit/webhooks-methods";
 const express = require("express");
 
 import { Webhooks, createNodeMiddleware } from "../../src";
-import { pushEventPayload } from "../fixtures";
 
+const pushEventPayload = readFileSync(
+  "test/fixtures/push-payload.json",
+  "utf-8"
+);
 let signatureSha256: string;
 
 describe("createNodeMiddleware(webhooks)", () => {
   beforeAll(async () => {
     signatureSha256 = await sign(
       { secret: "mySecret", algorithm: "sha256" },
-      JSON.stringify(pushEventPayload)
+      pushEventPayload
     );
   });
 
@@ -48,7 +52,7 @@ describe("createNodeMiddleware(webhooks)", () => {
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
         },
-        body: JSON.stringify(pushEventPayload),
+        body: pushEventPayload,
       }
     );
 
@@ -92,7 +96,7 @@ describe("createNodeMiddleware(webhooks)", () => {
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
         },
-        body: JSON.stringify(pushEventPayload),
+        body: pushEventPayload,
       }
     );
 
@@ -256,7 +260,7 @@ describe("createNodeMiddleware(webhooks)", () => {
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
         },
-        body: JSON.stringify(pushEventPayload),
+        body: pushEventPayload,
       }
     );
 
@@ -292,7 +296,7 @@ describe("createNodeMiddleware(webhooks)", () => {
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
         },
-        body: JSON.stringify(pushEventPayload),
+        body: pushEventPayload,
       }
     );
 
@@ -327,7 +331,7 @@ describe("createNodeMiddleware(webhooks)", () => {
           "X-GitHub-Event": "push",
           "X-Hub-Signature-256": signatureSha256,
         },
-        body: JSON.stringify(pushEventPayload),
+        body: pushEventPayload,
       }
     );
 
@@ -352,7 +356,7 @@ describe("createNodeMiddleware(webhooks)", () => {
 
     const response = await fetch(`http://localhost:${port}/test`, {
       method: "POST",
-      body: JSON.stringify(pushEventPayload),
+      body: pushEventPayload,
     });
 
     await expect(response.text()).resolves.toBe("Dafuq");
@@ -376,15 +380,15 @@ describe("createNodeMiddleware(webhooks)", () => {
 
     const response = await fetch(`http://localhost:${port}/test`, {
       method: "POST",
-      body: JSON.stringify(pushEventPayload),
+      body: pushEventPayload,
     });
 
     await expect(response.text()).resolves.toContain("Cannot POST /test");
     expect(response.status).toEqual(404);
 
     const responseForFoo = await fetch(`http://localhost:${port}/foo`, {
       method: "POST",
-      body: JSON.stringify(pushEventPayload),
+      body: pushEventPayload,
     });
 
     await expect(responseForFoo.text()).resolves.toContain("ok\n");
@@ -415,7 +419,7 @@ describe("createNodeMiddleware(webhooks)", () => {
         "X-GitHub-Event": "push",
         "X-Hub-Signature-256": signatureSha256,
       },
-      body: JSON.stringify(pushEventPayload),
+      body: pushEventPayload,
     });
 
     await expect(response.text()).resolves.toBe("ok\n");
@@ -446,7 +450,7 @@ describe("createNodeMiddleware(webhooks)", () => {
         "X-GitHub-Event": "push",
         "X-Hub-Signature-256": signatureSha256,
       },
-      body: JSON.stringify(pushEventPayload),
+      body: pushEventPayload,
     });
 
     await expect(response.text()).resolves.toBe("ok\n");