Remove dependency on node:crypto for verifying webhooks

aron · aron · commit 6b4c91c64be1 · 2024-03-07T11:21:31.000Z
diff --git a/lib/util.js b/lib/util.js
@@ -1,4 +1,4 @@
-const crypto = require("node:crypto");
+const base64 = require("@hexagon/base64");
 
 const ApiError = require("./error");
 
@@ -72,12 +72,10 @@ async function validateWebhook(requestData, secret) {
 
   const signedContent = `${id}.${timestamp}.${body}`;
 
-  const secretBytes = Buffer.from(signingSecret.split("_")[1], "base64");
-
-  const computedSignature = crypto
-    .createHmac("sha256", secretBytes)
-    .update(signedContent)
-    .digest("base64");
+  const computedSignature = await createHMACSHA256(
+    signingSecret.split("_").pop(),
+    signedContent
+  );
 
   const expectedSignatures = signature
     .split(" ")
@@ -88,6 +86,24 @@ async function validateWebhook(requestData, secret) {
   );
 }
 
+/**
+ * @param {string} secret - base64 encoded string
+ * @param {string} data - text body of request
+ */
+async function createHMACSHA256(secret, data) {
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    "raw",
+    base64.toArrayBuffer(secret),
+    { name: "HMAC", hash: "SHA-256" },
+    false,
+    ["sign"]
+  );
+
+  const signature = await crypto.subtle.sign("HMAC", key, encoder.encode(data));
+  return base64.fromArrayBuffer(signature);
+}
+
 /**
  * Automatically retry a request if it fails with an appropriate status code.
  *
