import { SignatureCheck } from "https://esm.town/v/karfau/SignatureCheck";
import { testRunner } from "https://esm.town/v/karfau/testRunner";
export const test_SignatureCheck = (async () => {
// Assertion helpers, loaded at run time from the Deno standard library.
// NOTE(review): neither URL names a std version, so the module that gets fetched can
// change between runs. Pinning the path (https://deno.land/std@<version>/assert/mod.ts)
// keeps the helpers that decide pass/fail for a signature-verification test reproducible.
const { assert, assertFalse } = await import(
"https://deno.land/std/assert/mod.ts"
);
// Spy helpers; the negative tests below use them to inspect calls to the onInvalid callback.
const { assertSpyCall, assertSpyCalls, spy } = await import(
"https://deno.land/std/testing/mock.ts"
);
// Fail-loud onInvalid callback for the positive tests: if SignatureCheck reports
// any reason at all, the test aborts with that reason in the error message.
const throwOnInvalid = (reason) => {
  const message = "from test_SignatureCheck:" + reason;
  throw new Error(message);
};
// https://docs.github.com/en/webhooks-and-events/webhooks/securing-your-webhooks#test-values
// Test vector taken from the GitHub documentation linked above. These are published
// sample values, not a credential for a real webhook.
const GitHubDocsValues = {
secret: "It's a Secret to Everybody",
payload: "Hello, World!",
// 64 hex digits; the tests pass it to verify() bare, upper-cased and behind a "sha256=" prefix.
signature:
"757107ea0eb2509fc211221cce984b8a37570b6d7586c22c46f4379c8b043e17",
// 40 hex digits behind a "sha1=" prefix; the tests expect verify() to reject this value.
sha1Signature: "sha1=01dc10d0c83e72ed246219cdd91669667fe2ca59",
} as const;
return testRunner(
{ val: ["karfau", "SignatureCheck"] },
async function should_pass_test_values_from_GitHub_docs() {
  // Known-answer check: the documented secret, payload and hex digest must verify together.
  // throwOnInvalid turns any reported reason into a test failure.
  const { verify } = SignatureCheck(throwOnInvalid);
  const { payload, signature, secret: webhookSecret } = GitHubDocsValues;
  const accepted = await verify({ payload, signature }, webhookSecret);
  assert(accepted);
},
async function should_pass_test_values_from_GitHub_docs_with_irrelevant_secrets_in_fallback() {
  // Further arguments after the first secret are extra candidate secrets. A candidate
  // that does not match must not turn a signature that the first secret validates
  // into a rejection.
  const { verify } = SignatureCheck(throwOnInvalid);
  const { payload, signature, secret: webhookSecret } = GitHubDocsValues;
  const unrelatedSecret = "not a secret";
  const accepted = await verify(
    { payload, signature },
    webhookSecret,
    unrelatedSecret,
  );
  assert(accepted);
},
async function should_pass_test_values_from_GitHub_docs_with_correct_secret_in_last_fallback() {
  // Only the last of the four candidates is the documented secret; one of the others
  // is the empty string. The test expects success, apparently without throwOnInvalid
  // surfacing an error for the candidates that do not match.
  // NOTE(review): presumably this is how secret rotation is supported; confirm
  // against SignatureCheck itself.
  const { verify } = SignatureCheck(throwOnInvalid);
  const { payload, signature, secret: webhookSecret } = GitHubDocsValues;
  const signedMessage = { payload, signature };
  const accepted = await verify(
    signedMessage,
    "Not working",
    "",
    "not a secret",
    webhookSecret,
  );
  assert(accepted);
},
async function should_pass_test_values_from_GitHub_docs_uppercase_signature() {
  // The hex digest is expected to verify regardless of letter case.
  const { verify } = SignatureCheck(throwOnInvalid);
  const { payload, signature, secret: webhookSecret } = GitHubDocsValues;
  const upperCased = signature.toUpperCase();
  const accepted = await verify({ payload, signature: upperCased }, webhookSecret);
  assert(accepted);
},
async function should_pass_test_values_from_GitHub_docs_with_correct_sha256_prefix() {
  // "sha256=<hex>" is the form in which GitHub sends the digest in its
  // X-Hub-Signature-256 header, so the header value should be usable as-is.
  const { verify } = SignatureCheck(throwOnInvalid);
  const { payload, signature, secret: webhookSecret } = GitHubDocsValues;
  const headerValue = "sha256=" + signature;
  const accepted = await verify({ payload, signature: headerValue }, webhookSecret);
  assert(accepted);
},
async function should_pass_test_values_from_GitHub_docs_with_ignored_sha_prefix_and_correct_value() {
  // A made-up "sha<digits>=" prefix in front of the correct digest is still expected
  // to verify, so the prefix is not what selects or restricts the algorithm.
  // NOTE(review): a caller that needs to insist on a specific prefix has to check it
  // before calling verify(); confirm this is the intended contract.
  const { verify } = SignatureCheck(throwOnInvalid);
  const { payload, signature, secret: webhookSecret } = GitHubDocsValues;
  const oddlyPrefixed = "sha0123456789=" + signature;
  const accepted = await verify({ payload, signature: oddlyPrefixed }, webhookSecret);
  assert(accepted);
},
async function should_report_invalid_reason_sha1_signature() {
  // The sha1-prefixed value must be rejected. The expected reason shows that it
  // reaches crypto.subtle.verify and fails there, rather than being refused up
  // front because of its prefix.
  const onInvalidSpy = spy(() => {});
  const { verify } = SignatureCheck(onInvalidSpy);
  const { payload, secret: webhookSecret, sha1Signature } = GitHubDocsValues;
  const accepted = await verify({ payload, signature: sha1Signature }, webhookSecret);
  assertFalse(accepted);
  // Exactly one report, carrying the reason string below.
  assertSpyCalls(onInvalidSpy, 1);
  const expectedReason = "[SignatureCheck.verify] crypto.subtle.verify resolved false";
  assertSpyCall(onInvalidSpy, 0, { args: [expectedReason] });
},
async function should_report_invalid_when_passing_no_parameters() {
  // Fail-closed check: calling verify() with nothing must resolve false and
  // report a reason once, not throw and not resolve true.
  const onInvalidSpy = spy(() => {});
  const { verify } = SignatureCheck(onInvalidSpy);
  const accepted = await verify();
  assertFalse(accepted);
  assertSpyCalls(onInvalidSpy, 1);
  const expectedReason = "[SignatureCheck.verify] received at least one falsy argument";
  assertSpyCall(onInvalidSpy, 0, { args: [expectedReason] });
},
async function should_report_invalid_reason_falsy_secret() {
  // Fail-closed check: an empty string as the only secret must be rejected even
  // though payload and digest are the valid documented pair. This is the case a
  // caller hits when the secret comes from configuration that was never set.
  const onInvalidSpy = spy(() => {});
  const { verify } = SignatureCheck(onInvalidSpy);
  const { payload, signature } = GitHubDocsValues;
  const emptySecret = "";
  const accepted = await verify({ payload, signature }, emptySecret);
  assertFalse(accepted);
  assertSpyCalls(onInvalidSpy, 1);
  const expectedReason = "[SignatureCheck.verify] received at least one falsy argument";
  assertSpyCall(onInvalidSpy, 0, { args: [expectedReason] });
},
async function should_report_invalid_reason_falsy_fallback_secrets() {
October 23, 2023