Skip to content

feat: signSync, verifySync#211

Open
Uzlopak wants to merge 5 commits intooctokit:mainfrom
Uzlopak:remove-sha1
Open

feat: signSync, verifySync#211
Uzlopak wants to merge 5 commits intooctokit:mainfrom
Uzlopak:remove-sha1

Conversation

@Uzlopak
Copy link
Contributor

@Uzlopak Uzlopak commented Nov 29, 2023
edited by wolfy1339
Loading

We anyway just check if sha256 is given.
Add the signSync and verifySync methods, as crypto code runs in C++ code of node, which makes it by nature block the event loop of node. By making it sync we reduce the unecessary overhead of creating intermediary Promises, which are thrown away anyway. So we can use that in probot / webhooks.js.

Only when using web crypto async maybe makes sense, because that runs by nature async, but I suspect to be signifcantly slower.

We need to patch then webhooks.js repo to use sync calls.

@semver-minor.

Resolves #ISSUE_NUMBER

Before the change?

After the change?

Pull request checklist

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

@Uzlopak Uzlopak changed the title Remove sha1 Remove sha1, make verify and sign sync Nov 29, 2023
@Uzlopak Uzlopak changed the title Remove sha1, make verify and sign sync Remove sha1, add signSync and verifySync for node Nov 29, 2023
@Uzlopak
Copy link
Contributor Author

Uzlopak commented Nov 29, 2023
edited
Loading

Implemented now in a way, that it does not break.

EDIT:
Scratch that. I removed sha1. LOL

@Uzlopak Uzlopak mentioned this pull request Nov 30, 2023
Closed
4 tasks
@wolfy1339 wolfy1339 requested a review from gr2m November 30, 2023 00:28
@wolfy1339 wolfy1339 added Type: Breaking change Used to note any change that requires a major version bump Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR labels Nov 30, 2023
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 30, 2023
View reviewed changes
test/verify.test.ts
const signatureMatches = await verify("foo", eventPayload, signatureSHA256);
test("verify(secret, eventPayload, signature) returns false for incorrect secret", async () => {
const signatureMatches = await verify("foo", eventPayload, signature);
expect(signatureMatches).toBe(false);

Check failure

Code scanning / CodeQL

Hard-coded credentials

The hard-coded value "foo" is used as [key](1).
gr2m
gr2m reviewed Dec 2, 2023
View reviewed changes
Copy link
Contributor

@gr2m gr2m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is a breaking change as we change the API by removing the algorithm argument. But we can absorb the breaking change in @octokit/webhooks as GitHub no longer supports sha1 in any of its maintained GHES versions.

Can you please update the README?

@Uzlopak
Copy link
Contributor Author

Uzlopak commented Dec 3, 2023

@gr2m
Is the readme now to your liking?

gr2m

This comment was marked as outdated.

Sign in to view

@gr2m gr2m changed the title Remove sha1, add signSync and verifySync for node feat: signSync, verifySync Dec 4, 2023
gr2m
gr2m requested changes Dec 4, 2023
View reviewed changes
Copy link
Contributor

@gr2m gr2m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actually, can you document signSync and verifySync?

I'm not 100% sure if we really need it, I don't like the fact that available methods diverge between the JS runtimes.

Maybe let's leave out the introduction of signSync and verifySync and discuss that in a separate PR?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gr2m gr2m gr2m requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

Type: Breaking change Used to note any change that requires a major version bump Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR

Projects

🧰 Octokit Active
Status: 🏗 In progress

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Uzlopak @gr2m @wolfy1339