fix: change typing of verifyWebhook and patch security issue (#1090)
Co-authored-by: Federico Guerinoni <[email protected]>
pzmudzinski and guerinoni authored Mar 31, 2023
1 parent 9d40ba2 commit 716db00
Showing 3 changed files with 43 additions and 5 deletions.
8 changes: 7 additions & 1 deletion src/client.ts
Expand Up @@ -2648,7 +2648,13 @@ export class StreamChat<StreamChatGenerics extends ExtendableGenerics = DefaultG
});
};

verifyWebhook(requestBody: string, xSignature: string) {
/**
* checks signature of a request
* @param {string | Buffer} rawBody
* @param {string} signature from HTTP header
* @returns {boolean}
*/
verifyWebhook(requestBody: string | Buffer, xSignature: string) {
return !!this.secret && CheckSignature(requestBody, this.secret, xSignature);
}

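Review bot: The new JSDoc on `verifyWebhook` documents parameters named `rawBody` and `signature`, but the signature declared on the last added line uses `requestBody` and `xSignature`, so the `@param` tags do not match the code and a doc linter will flag them; the `{string}`/`{boolean}` type brackets are also redundant in TypeScript. I would write `@param requestBody the request body exactly as received (string or Buffer); re-serialising parsed JSON changes the bytes and the HMAC will no longer match` and `@param xSignature value of the signature header sent with the webhook (presumably X-Signature)`. It is also worth stating in the docblock that the method returns `false` rather than throwing when no secret is configured, which is what the `!!this.secret &&` guard does. The enclosing `StreamChat` class starts and ends outside this hunk.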
13 changes: 9 additions & 4 deletions src/signing.ts
Expand Up @@ -74,13 +74,18 @@ export function DevToken(userId: string) {

/**
*
* @param {string} body the signed message
* @param {string | Buffer} body the signed message
* @param {string} secret the shared secret used to generate the signature (Stream API secret)
* @param {string} signature the signature to validate
* @return {boolean}
*/
export function CheckSignature(body: string, secret: string, signature: string) {
const key = Buffer.from(secret, 'ascii');
export function CheckSignature(body: string | Buffer, secret: string, signature: string) {
const key = Buffer.from(secret, 'utf8');
const hash = crypto.createHmac('sha256', key).update(body).digest('hex');
return hash === signature;

try {
return crypto.timingSafeEqual(Buffer.from(hash), Buffer.from(signature));
} catch {
return false;
}
}
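Review bot: The `try`/`catch` around `crypto.timingSafeEqual` relies on the exception Node raises when the two buffers differ in length to reject a malformed signature, but nothing in the hunk says so, and the bare `catch` also hides any unrelated failure, such as a non-string `signature` reaching `Buffer.from`. I would make the length check explicit before the constant-time compare, `if (typeof signature !== 'string' || signature.length !== hash.length) return false;`, and keep the `try` with a comment such as `// timingSafeEqual throws on unequal lengths; kept as a safety net` so the intent survives the next refactor. Note also that the comparison is over the hex strings as UTF-8 bytes, so a signature sent in uppercase hex would be rejected even though it encodes the same digest; if that is intended, say so in the docblock. The `@return {boolean}` tag above would read better as `@returns true only when the HMAC-SHA256 hex digest of body under secret equals signature`.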
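--- a/test/unit/signing.js
+++ b/test/unit/signing.js
@@ -0,0 +1,27 @@
+import { expect } from 'chai';
+import { CheckSignature } from '../../src';
+
+const MOCK_SECRET = 'porewqKAFDSAKZssecretsercretfads';
+const MOCK_TEXT = 'text';
+const MOCK_JSON_BODY = { a: 1 };
+const MOCK_TEXT_SHA256 = 'd0b770e93a56adc3ee9ac5734533cc0acd71eea8e5e8204a28042ca0f60de1f3';
+const MOCK_JSON_SHA256 = 'e527a6ad4993a4c9a30680c8be4b3eda1c36ab104f1f7d39c744bd27016a9624';
+
+describe('Signing', () => {
+describe('CheckSignature', () => {
+it('validates correct text body and signature', () => {
+const rawBody = Buffer.from(MOCK_TEXT);
+expect(CheckSignature(rawBody, MOCK_SECRET, MOCK_TEXT_SHA256)).to.be.true;
+});
+
+it('validates correct json body and signature', () => {
+const rawBody = Buffer.from(JSON.stringify(MOCK_JSON_BODY));
+expect(CheckSignature(rawBody, MOCK_SECRET, MOCK_JSON_SHA256)).to.be.true;
+});
+
+it('refutes incorrect json body', () => {
+const rawBody = Buffer.from(JSON.stringify({ ...MOCK_JSON_BODY, b: 2 }));
+expect(CheckSignature(rawBody, MOCK_SECRET, MOCK_JSON_SHA256)).to.be.false;
+});
+});
+});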
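Review bot: The new tests never exercise the branch the security fix introduced: no case supplies a signature whose length differs from the 64-character hex digest (the path on which `timingSafeEqual` throws and `CheckSignature` is expected to return `false`), and no case passes a plain `string` body even though the commit widens the parameter to `string | Buffer`. A wrong-secret case is also missing, so the suite would still pass if the key-encoding change regressed. I would add the cases below inside the `CheckSignature` describe block, after the existing three.

```javascript
describe('CheckSignature', () => {
  // … unchanged: existing three cases …

  it('accepts a string body as well as a Buffer', () => {
    expect(CheckSignature(MOCK_TEXT, MOCK_SECRET, MOCK_TEXT_SHA256)).to.be.true;
  });

  it('refutes a signature of the wrong length without throwing', () => {
    expect(CheckSignature(Buffer.from(MOCK_TEXT), MOCK_SECRET, MOCK_TEXT_SHA256.slice(0, 16))).to.be.false;
    expect(CheckSignature(Buffer.from(MOCK_TEXT), MOCK_SECRET, '')).to.be.false;
  });

  it('refutes a signature made with a different secret', () => {
    expect(CheckSignature(Buffer.from(MOCK_TEXT), 'other-secret', MOCK_TEXT_SHA256)).to.be.false;
  });
```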
