deed

    1.0.1 • Public • Published

    deed - verify x-hub-signature

    deed verifies X-Hub-Signature headers, which are a simple way to verify HTTP POST requests. For example, this can be used to authorize requests to callback URLs, say, from GitHub webhooks or the Facebook API.

    Build Status

    Example

    var deed = require('deed')
    var http = require('http')
     
    http.createServer(function (req, res) {
      deed('secret', req, function (er, req) {
        res.end(er ? 'sorry' : 'ok')
      })
    }).listen(1337)

    Types

    cb(er, req)

    The callback receives an error, if the verification failed, otherwise null and the authorized request are passed.

    • er The error if an error occured or verification failed.
    • req The verified request.

    Exports

    deed(secret, req, cb)

    The sole function exported by the deed module checks if the request body, hashed with the secret, matches the X-Hub-Signature header.

    • secret String() The key to hash the payload with.
    • req http.IncomingMessage() The request to verify.
    • cb cb()

    The client must generate an HMAC signature of the payload and include that signature in the request headers. The X-Hub-Signature header's value must be sha1=signature, where signature is a hexadecimal representation of a SHA1 signature. The signature must be computed using the HMAC algorithm with the request body as the data and the secret as the key.

    deed recomputes the SHA1 signature with the shared secret using the same method as the client. If the signature does not match, the request cannot be verified and should probably be dropped.

    Originally this technique has been decribed in the PubSubHubbub spec.

    Installation

    With npm do:

    npm install deed
    

    License

    MIT

    Install

    npm i deed

    DownloadsWeekly Downloads

    0

    Version

    1.0.1

    License

    MIT

    Last publish

    Collaborators

    • avatar