node-red-contrib-hmac
v0.1.1
Published
Node-RED node to verify HMAC signatures of incoming webhooks (constant-time, sha1/sha256/sha512).
Maintainers
Readme
node-red-contrib-hmac
A Node-RED node that verifies the HMAC signature of incoming webhooks.
Constant-time comparison, sha1 / sha256 / sha512, hex / base64, optional
prefix stripping (e.g. GitHub's sha256=). Zero runtime dependencies.
Install
From the Node-RED palette manager search for node-red-contrib-hmac,
or in your Node-RED userDir:
npm install node-red-contrib-hmacThe hmac verify node
A gate with two outputs:
- valid — the message passes through (
msg.hmacValid === true) - invalid / error — the message is routed here (
msg.hmacValid === false)
Configuration
| Field | Description |
|---|---|
| Algorithm | sha1, sha256 (default), sha512 |
| Secret | the shared secret, stored encrypted as a credential |
| Secret env | (optional) name of an env var to read the secret from if Secret is empty |
| Payload | message property holding the body to sign (default payload) |
| Signature | message property holding the provided signature (default req.headers.x-signature) |
| Encoding | hex (default) or base64 |
| Strip prefix | optional string removed from the signature before compare (e.g. sha256=) |
⚠️ Raw body matters
The HMAC must be computed over the raw request body. If an upstream node already
parsed the JSON, re-serializing msg.payload can yield different bytes and the
signature will not match. Feed the raw body (e.g. msg.req.rawBody).
License
MIT © konceptnet
