npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

github-webhook-validator

v0.2.0

Published

Express middleware validator for GitHub webhooks

Downloads

5

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

aidanfeldmanaidanfeldmanmblandmbland

Keywords

GitHubwebhookExpress

Readme

github-webhook-validator

This library provides an Express middleware validator for GitHub webhooks that have a secret key defined.

It was primarily developed for the pages-server. It enables authentication across multiple webhooks handled by the same server.

Installation

To make this library part of your project:

$ npm install github-webhook-validator --save

Note that Node.js version 4.8.5 or higher is required; check your installed version with node -v.

Usage

During the initialization phase of your application:

var express = require('express');
var bodyParser = require('body-parser');
var webhookValidator = require('github-webhook-validator');

module.exports.launchServer = function(config) {
  // loadKeyDictionary returns a Promise that creates an object comprised of
  // `label: key` mappings.
  return webhookValidator.loadKeyDictionary(
    config.secretKeyFile, config.builders)
    .then(function(keyDictionary) { return doLaunch(config, keyDictionary); })
    .catch(function(err) { console.error('Failed to start server:', err); });
}

function doLaunch(config, keyDictionary) {
  // Once the keyDictionary is loaded, create a middlewareValidator that can
  // be passed to Express middleware body parsers.
  var middlewareOptions = {
    verify: webhookValidator.middlewareValidator(keyDictionary)
  };
  var server = express();
  server.use(bodyParser.json(middlewareOptions));

  // Continue server initialization...
}

API

loadKeyDictionary([defaultKeyFile[, builderConfigs[, parseKeyLabelFromConfig]]])

Returns a Promise that will, upon success, resolve to an object comprised of label: key mappings for use by the middleware validator.

  • defaultKeyFile: path to the file containing the secret key used to validate all payloads by default
  • builderConfigs: array of objects pertaining to individual branches or other entities managed by the webhook server
    • Each may contain an optional secretKeyFile member, which will be used in place of the top-level defaultKeyFile for that builder.
  • parseKeyLabelFromConfig: maps each element of builderConfigs to a label for the element's secretKeyFile contents
    • The default parser returns the value of the element's branch member, as the original use case supports differentiating webhooks by branch.

It is possible for defaultKeyFile to be undefined, while individual builderConfigs have their own secretKeyFile definitions.

If no arguments are defined, the Promise will resolve to an empty object, effectively disabling validation, except that any incoming webhooks with the X-Hub-Signature HTTP header defined will fail validation. The solution would be to add the secret key to the server, or to remove it from the webhook definition.

middlewareValidator(keyDictionary[, parseKeyLabelFromBody])

Returns a function corresponding to the verify function interface passed as an option to Express body-parser middleware. The returned function will abort the request with an error message if validation fails, prior to parsing taking place.

  • keyDictionary: the result from loadKeyDictionary()
  • parseKeyLabelFromBody: maps the raw contents of the request body to a label for one of the keys within keyDictionary
    • The default parser parses the name of the branch from the ref field, if present.

Raises:

  • ValidationError: if validation fails for any reason; this object contains:
    • keyLabel: the value returned from parseKeyLabelFromBody
    • webhookId: the value of the X-GitHub-Delivery HTTP header
    • ip: the IP address of the request source

If the parser returns null or undefined, or if the value does not match a member of keyDictionary, the value of the defaultKeyFile from loadKeyDictionary() will be used as the secret key, if it exists. If it does not exist, any incoming requests with the X-Hub-Signature HTTP header will fail validation. The fix would be to add a default key, to add a branch-specific key, or to remove the secret key from the webhook definition.

Open Source License

This software is made available as Open Source software under the ISC License. For the text of the license, see the LICENSE file.