karfau / SignatureCheck (Script, 49 likes)
This val was created to avoid certain shortcomings of @vtdocs.verifyGithubWebhookSignature.

It is a mix/evolution of two sources:
- the GitHub docs about securing webhooks
- some code from the @octokit/webhooks-methods package

This code is covered by tests which you can copy to run them, see @karfau.test_SignatureCheck.

This val does not contain any val.town specific code (@-imports, console.email, ...), so it should be possible to run it in Deno as is, and potentially even in modern browsers (those that support crypto.subtle, TextEncoder and modern ES syntax).

Usage

```ts
const myGithubWebhook = async (req: Request) => {
  const { verify } = @karfau.SignatureCheck(); // you have to call it to get the verify function!
  const body = await req.text();
  const signature = req.headers.get("X-Hub-Signature-256");
  const verified = await verify(
    { payload: body, signature },
    @me.secrets.myGithubWebhookSecret,
    // optionally provide fallback secrets (as many as needed)
    // @me.secrets.myGithubWebhookSecretFallback
  );
  if (!verified) {
    // Response's second argument is an init object, not a bare status number
    return new Response("Not verified", { status: 401 });
  }
  const payload = JSON.parse(body);
  // actually do things in your webhook
};
```

By default the reason for failing verification is logged to console.error, but you can pass it a different handler:

```ts
const { verify } = @karfau.SignatureCheck((reason) => {
  throw new Error(reason);
});
```

Be aware that if the handler throws and you don't try/catch it in an endpoint, the request fails with a 502 instead of the deliberate 401 shown above.

Why

@vtdocs.verifyGithubWebhookSignature has the following issues:
- It relies on the verify method of the outdated @octokit/webhooks-methods@3.0.2, which has (at least) two bugs that make a difference when used in a webhook:
  - it can throw errors instead of just returning false, which can be triggered by sending an invalid signature;
  - it can be lured into checking a SHA-1 signature if the signature header starts with sha1=.
- You need to pass the secret and payload as arguments to the val, which makes them appear in the evaluation logs you produce (they are only visible to the author of the val if you run them as an API, but it still feels odd to see the secret in the evaluation logs).
- The parameters are all of type string, and their order can be confused.
- You can not use fallback secrets for rotating.
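The val's own source is not on this page. What follows is an added example, written for this page and not karfau's code, of a verifier with the properties the README asks for: every failure path returns false and reports a reason rather than throwing, only a header of the exact form sha256=<64 hex chars> is accepted (so a sha1= header is rejected before any crypto runs), the comparison goes through crypto.subtle.verify, which is constant-time, and any number of fallback secrets can be passed for rotation. It assumes a runtime that exposes WebCrypto globally (Deno, browsers, Node 19 and later), with a node:crypto fallback for older Node; the secrets and payloads in the comments are constructed for illustration.

```javascript
// Added example of a GitHub webhook signature check (not the val's own code).
// Properties: never throws, sha256= only, constant-time compare via subtle.verify,
// first matching secret wins so a fallback secret allows rotation.
const encoder = new TextEncoder();

async function getSubtle() {
  // Deno, browsers and Node >= 19 expose WebCrypto globally; older Node needs node:crypto.
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  const { webcrypto } = await import("node:crypto");
  return webcrypto.subtle;
}

async function importHmacKey(secret, usages) {
  const subtle = await getSubtle();
  return subtle.importKey("raw", encoder.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, usages);
}

function hexToBytes(hex) {
  const bytes = new Uint8Array(hex.length / 2);
  for (let i = 0; i < bytes.length; i++) bytes[i] = parseInt(hex.slice(2 * i, 2 * i + 2), 16);
  return bytes;
}

// Produces the header value GitHub would send for this secret and payload
// (useful for local tooling and for tests; a real webhook never calls this).
async function sign(secret, payload) {
  const subtle = await getSubtle();
  const key = await importHmacKey(secret, ["sign"]);
  const mac = new Uint8Array(await subtle.sign("HMAC", key, encoder.encode(payload)));
  return "sha256=" + Array.from(mac, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Same calling convention as the README: call it to obtain verify, optionally with a failure handler.
function SignatureCheck(onFailure = (reason) => console.error(reason)) {
  async function verify(input, ...secrets) {
    const { payload, signature } = input || {};
    const fail = (reason) => { onFailure(reason); return false; };
    if (typeof payload !== "string") return fail("payload must be the raw request body as a string");
    if (typeof signature !== "string") return fail("missing X-Hub-Signature-256 header");
    // Strict format check: anything but sha256= followed by 32 hex bytes is rejected up front,
    // so a sha1= header can never reach the HMAC step.
    const match = /^sha256=([0-9a-f]{64})$/i.exec(signature);
    if (!match) return fail("signature is not of the form sha256=<64 hex chars>");
    if (secrets.length === 0) return fail("no webhook secret configured");
    try {
      const subtle = await getSubtle();
      const data = encoder.encode(payload);
      const mac = hexToBytes(match[1]);
      for (const secret of secrets) {
        const key = await importHmacKey(secret, ["verify"]);
        // subtle.verify recomputes the MAC and compares in constant time
        if (await subtle.verify("HMAC", key, mac, data)) return true;
      }
      return fail("signature does not match any configured secret");
    } catch (e) {
      // e.g. an empty secret string makes importKey throw; report it, never propagate
      return fail("verification error: " + (e && e.message ? e.message : String(e)));
    }
  }
  return { verify };
}
```

Pass the raw request body text, not a re-serialized JSON object, since GitHub signs the exact bytes it sent; during rotation, list the new secret first and the old one as the fallback, then drop the old one once deliveries with the new secret are observed.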
zackoverflow / pollRssAndEmail (Script, 2 likes)
Subscribe to RSS feeds with e-mail notifications

This lets you subscribe to RSS feeds. It checks periodically for new posts from any of your RSS feed subscriptions, and then sends you an e-mail with links to any new posts.

Getting started

1. Generate auth keys
Follow this to get your auth keys, and export your public keys. This will be used to e-mail yourself, since @std.email is preferred over console.email.

2. Create a @me.rssEmail val
You can do that by clicking this link and hitting 'Run', or you can copy-paste this code into a new val:

```js
const rssEmail = "you@youremail.com";
```

3. Fork this val
Hit 'Fork' on this val and run it. Then you can schedule the val to run every hour, or whatever interval you'd like.

4. Add RSS feeds to @me.rssFeeds
If you look at your vals, you should find a new one called rssFeeds. It should look similar to this:

```js
let rssFeeds = [
  "https://cprimozic.net/rss.xml",
  "https://matklad.github.io/feed.xml",
  "https://journal.stuffwithstuff.com/rss.xml",
  "https://lexi-lambda.github.io/feeds/all.rss.xml",
];
```

This is an array containing the link of each RSS feed you'd like to subscribe to (as JS strings). To add a feed, update this val by adding a new string containing the feed's URL.

Resetting the cache

If for any reason you would like to reset the cache, you can clear the keys of rssCache or use this convenience function to do so:

```js
@zackoverflow.rssResetCache(@me.rssCache)
```
andreterron / actuallyItsXBot (Script, 2 likes)
Actually, It's X

An annoying bot that corrects people about the new name of the app previously known as Twitter. Follow it on X!

The Twitter → X transition is pretty painful, and this bot is here to make things even worse! Want to create your own bot? Check out https://www.val.town/v/andreterron.twitter
tmcw / reasonPhrase (Script, 4 likes)
The story behind HTTP 200 "OK"

What's in an HTTP response? I've been writing software for the web since the early 2000s and have incrementally learned things about HTTP. There are status codes, like "200" and "404". There are headers, for Content-Type and headers to control cache settings. There are different versions of HTTP itself, like 1.1, 2, and 3. HTTP requests and responses can contain data, in the message body.

But there's one thing I didn't notice until yesterday. A quirk that was included in the HTTP 1.1 specification with an author's note that it's mostly there for historical reasons: the reason-phrase.

None of this information is useful. The reason-phrase is barely supported on the web and was always an oddity, but keep reading if you like oddities!

If you're used to JavaScript's fetch() method to make HTTP requests, you've seen the reason-phrase under a different name: statusText:

```js
(await fetch("https://example.com/")).statusText
```

What is statusText? I had assumed that it was something that JavaScript itself provides, by looking up the status code 200 and matching it with the text "OK". I was wrong! When I look at a raw HTTP response, I see the first few lines are like this:

```
HTTP/1.1 200 OK
Date: Thu, 17 Aug 2023 15:16:42 GMT
Content-Type: text/plain;charset=UTF-8
```

The reason phrase

So what is that text? I dug around in the HTTP 1.0 specification and found the section Status Code and Reason Phrase:

The Status-Code element is a 3-digit integer result code of the attempt to understand and satisfy the request. The Reason-Phrase is intended to give a short textual description of the Status-Code. The Status-Code is intended for use by automata and the Reason-Phrase is intended for the human user. The client is not required to examine or display the Reason-Phrase.

That section also lists recommended reason phrases, like OK for 200 and Not Found for 404, and notes that you can choose different phrases without affecting the protocol. The HTTP 1.1 specification adds a little color about the reason-phrase.

So, with an HTTP server, you can customize your reason phrase! Here's an example with a val on Val Town:

```js
let customReason = (req) =>
  new Response("", {
    statusText: "Hello world!",
  });
```

Unfortunately, this doesn't work! The response that Val Town produces is reorganized and optimized by Cloudflare, which upgrades requests and responses from HTTP 1.1 to HTTP 2. And sadly, HTTP 2 dropped support for the custom reason-phrase.

RIP the reason-phrase. It was present even in a 1992 draft of the HTTP specification, and was a weird and under-appreciated way to smuggle extra information into a response. Now, thanks to HTTP/2 and the commonplace use of proxies and CDNs like Cloudflare, it's no longer usable. It was fun while it lasted.
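To make the status-line concrete, here is an added example (written for this page, not code from the post) that parses the head of a raw HTTP/1.1 response the way the specification's grammar describes it, status-line = HTTP-version SP status-code SP reason-phrase CRLF, and pulls the reason-phrase out as the free text it is. The security-relevant point is the one the HTTP 1.0 text makes: the reason-phrase is for humans and can say anything the server likes, so a client must base every decision on the 3-digit code and treat the phrase as untrusted display text. The sample response head is the one from the post; customReasonResponse assumes a runtime with the Fetch API's Response global (Node 18 and later, Deno, browsers). Function names are this example's own.

```javascript
// Added example (not from the original post): parse a raw HTTP/1.1 response head.
// status-line = HTTP-version SP status-code SP reason-phrase CRLF (RFC 7230).
// The reason-phrase may be empty and may carry any printable text (HTAB / SP / VCHAR / obs-text);
// CR and LF are never allowed inside it, which is what keeps it from injecting a header line.
const STATUS_LINE = /^HTTP\/(\d)\.(\d) (\d{3}) ([\t \x21-\x7e\x80-\xff]*)$/;

// Returns { version, status, reason } or null when the line is not a valid status-line.
// Decisions belong on `status`; `reason` is untrusted text meant only for display.
function parseStatusLine(line) {
  const m = STATUS_LINE.exec(line);
  if (!m) return null;
  return { version: `${m[1]}.${m[2]}`, status: Number(m[3]), reason: m[4] };
}

// Splits everything up to the blank line into the status-line fields plus a lower-cased
// header map. Returns null on any malformed line so callers fail closed instead of guessing.
function parseResponseHead(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const [statusLine, ...headerLines] = head.split("\r\n");
  const status = parseStatusLine(statusLine);
  if (!status) return null;
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(":");
    if (idx <= 0) return null;
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { ...status, headers };
}

// The Fetch API lets a server-side handler set a custom phrase locally, exactly as the val
// in the post does; whether it survives to the client depends on the hop being HTTP/1.1.
function customReasonResponse(reason) {
  return new Response("", { status: 200, statusText: reason });
}
```

A proxy that speaks HTTP/2 on either side drops the phrase entirely, so anything a server encodes there is best-effort at most; conversely, a client that pattern-matches on "OK" or "Not Found" instead of the numeric code can be steered by any server that writes a different phrase.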
tmcw / big_story_visualization (Express, deprecated; 1 like)
The Big Story

This val, along with @tmcw.big_story, which requests from the New York Times API, and @tmcw.big_stories_ranks, which contains the data, generates a visualization of top stories on the NYTimes homepage.

This is here just to ask the question: what happens to cover stories over time? Do they slowly drop down the page, or just get replaced by a fully new lede? So far it doesn't have quite enough data to answer that question. But it might also be neat because it'll show which kinds of stories make the front page: is it climate, war, politics, or something else?

The Big Story (visualization)