feat: add webhook verify utility function to node (#457)

mjcuva · domharrington · web-flow · commit 3cefdb9daf20 · 2022-07-19T11:40:26.000+01:00
* feat: add webhook verify utility function to node

* fix: try to fix regex warning

* fix: remove crypto package

This is in core and doesnt need to come from npm

* fix(webhooks): expired signature test

This test was throwing an error, but not the Expired Signature error
that we were expecting. It was throwing because we were passing in
`new Date()` into the test instead of `Date.now()`.

I've fixed all of the tests here, and ensured that we're casting to int
when constructing the new Date() in verify()

* fix(webhook): switch to using esm syntax for imports

* feat(webhooks): add integration test for node/express

* feat(webhooks): add integration testing layer like the regular one

* chore(webhooks): lint

* chore(webhooks): lint

* refactor(webhooks): replace regex with a string.split solution

Inspired by stripe-node

* refactor(webhooks): rename `verify()` to `verifyWebhook()'

* fix(webhooks): add code to account for missing/empty signature

* chore: lint

Co-authored-by: Dom Harrington &lt;domharrington@protonmail.com&gt;
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -39,6 +39,7 @@ jobs:
 
     - run: docker-compose run integration_node_express
     - run: docker-compose run integration_node_hapi
+    - run: docker-compose run integration_webhooks_node_express
 
     - name: Cleanup
       if: always()
diff --git a/__tests__/integration-webhooks.test.js b/__tests__/integration-webhooks.test.js
@@ -0,0 +1,123 @@
+import http from 'http';
+import crypto from 'crypto';
+import { cwd } from 'process';
+import { spawn } from 'child_process';
+
+import getPort from 'get-port';
+
+if (!process.env.EXAMPLE_SERVER) {
+  // eslint-disable-next-line no-console
+  console.error('Missing `EXAMPLE_SERVER` environment variable');
+  process.exit(1);
+}
+
+function post(url, body, options) {
+  return new Promise((resolve, reject) => {
+    const request = http
+      .request(url, { method: 'post', ...options }, response => {
+        response.end = new Promise(res => {
+          response.on('end', res);
+        });
+        resolve(response);
+      })
+      .on('error', reject);
+
+    request.write(body);
+    request.end();
+  });
+}
+
+const randomApiKey = 'rdme_abcdefghijklmnopqrstuvwxyz';
+
+describe('Metrics SDK Webhook Integration Tests', () => {
+  let httpServer;
+  let PORT;
+
+  beforeAll(async () => {
+    const [command, ...args] = process.env.EXAMPLE_SERVER.split(' ');
+    PORT = await getPort();
+
+    httpServer = spawn(command, args, {
+      cwd: cwd(),
+      env: {
+        README_API_KEY: randomApiKey,
+        PORT,
+        ...process.env,
+      },
+    });
+    return new Promise((resolve, reject) => {
+      httpServer.stderr.on('data', data => {
+        // For some reason Flask prints on stderr 🤷‍♂️
+        if (data.toString().match(/Running on/)) return resolve();
+        // eslint-disable-next-line no-console
+        console.error(`stderr: ${data}`);
+        return reject(data.toString());
+      });
+      httpServer.on('error', err => {
+        // eslint-disable-next-line no-console
+        console.error('error', err);
+        return reject(err.toString());
+      });
+      // eslint-disable-next-line consistent-return
+      httpServer.stdout.on('data', data => {
+        if (data.toString().match(/listening/)) return resolve();
+        // eslint-disable-next-line no-console
+        console.log(`stdout: ${data}`);
+      });
+    });
+  });
+
+  afterAll(() => {
+    return httpServer.kill();
+  });
+
+  it('should return with a user object if the signature is correct', async () => {
+    const time = Date.now();
+    const body = {
+      email: 'dom@readme.io',
+    };
+    const unsigned = `${time}.${JSON.stringify(body)}`;
+    const hmac = crypto.createHmac('sha256', randomApiKey);
+    const output = `t=${time},v0=${hmac.update(unsigned).digest('hex')}`;
+
+    const response = await post(`http://localhost:${PORT}/webhook`, JSON.stringify(body), {
+      headers: {
+        'readme-signature': output,
+        'content-type': 'application/json',
+      },
+    });
+    let responseBody = '';
+    // eslint-disable-next-line no-restricted-syntax
+    for await (const chunk of response) {
+      responseBody += chunk;
+    }
+    responseBody = JSON.parse(responseBody);
+
+    expect(response.statusCode).toBe(200);
+    expect(responseBody).toMatchObject({
+      petstore_auth: 'default-key',
+      basic_auth: { user: 'user', pass: 'pass' },
+    });
+  });
+
+  it('should return with a 401 if the signature is not correct', async () => {
+    const response = await post(`http://localhost:${PORT}/webhook`, JSON.stringify({ email: 'dom@readme.io' }), {
+      headers: {
+        'readme-signature': 'adsdsdas',
+        'content-type': 'application/json',
+      },
+    });
+
+    expect(response.statusCode).toBe(401);
+  });
+
+  it('should return with a 401 if the signature is empty/missing', async () => {
+    const response = await post(`http://localhost:${PORT}/webhook`, JSON.stringify({ email: 'dom@readme.io' }), {
+      headers: {
+        'content-type': 'application/json',
+      },
+    });
+
+    expect(response.statusCode).toBe(401);
+  });
+});
diff --git a/__tests__/integrations/node.Dockerfile b/__tests__/integrations/node.Dockerfile
@@ -18,6 +18,6 @@ RUN npm ci
 
 # Install top level dependencies
 WORKDIR /src
-ADD __tests__ ./
+ADD __tests__ ./__tests__
 ADD package*.json ./
 RUN npm ci
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -4,30 +4,38 @@ services:
     build:
       context: .
       dockerfile: ./__tests__/integrations/node.Dockerfile
-    command: npm run test:integration
+    command: npm run test:integration-metrics
     environment:
       - EXAMPLE_SERVER=node ./packages/node/examples/express/index.js
 
+  integration_webhooks_node_express:
+    build:
+      context: .
+      dockerfile: ./__tests__/integrations/node.Dockerfile
+    command: npm run test:integration-webhooks
+    environment:
+      - EXAMPLE_SERVER=node ./packages/node/examples/express/webhook.js
+
   integration_node_hapi:
     build:
       context: .
       dockerfile: ./__tests__/integrations/node.Dockerfile
-    command: npm run test:integration
+    command: npm run test:integration-metrics
     environment:
       - EXAMPLE_SERVER=node ./packages/node/examples/hapi/index.js
 
   integration_dotnet_v6.0:
     build:
       context: .
       dockerfile: ./__tests__/integrations/dotnet.Dockerfile
-    command: npm run test:integration
+    command: npm run test:integration-metrics
     environment:
       - EXAMPLE_SERVER=dotnet examples/net6.0/out/net6.0.dll
 
   integration_python_flask:
     build:
       context: .
       dockerfile: ./__tests__/integrations/python.Dockerfile
-    command: npm run test:integration
+    command: npm run test:integration-metrics
     environment:
       - EXAMPLE_SERVER=python examples/flask/app.py
diff --git a/package.json b/package.json
@@ -7,7 +7,8 @@
     "prepare": "husky install",
     "publish": "npx lerna publish",
     "test": "npm test --workspaces",
-    "test:integration": "NODE_OPTIONS=--experimental-vm-modules npx jest",
+    "test:integration-metrics": "NODE_OPTIONS=--experimental-vm-modules npx jest __tests__/integration.test.js",
+    "test:integration-webhooks": "NODE_OPTIONS=--experimental-vm-modules npx jest __tests__/integration-webhooks.test.js",
     "version": "npx conventional-changelog-cli --pkg lerna.json -i CHANGELOG.md -s && git add CHANGELOG.md"
   },
   "repository": {
diff --git a/packages/node/__tests__/lib/verify-webhook.test.ts b/packages/node/__tests__/lib/verify-webhook.test.ts
@@ -0,0 +1,54 @@
+import crypto from 'crypto';
+
+import verifyWebhook from '../../src/lib/verify-webhook';
+
+describe('verifyWebhook()', () => {
+  it('should return the body if the signature is valid', () => {
+    const body = { email: 'marc@readme.io' };
+    const secret = 'docs4dayz';
+    const time = Date.now();
+    const unsigned = `${time}.${JSON.stringify(body)}`;
+    const hmac = crypto.createHmac('sha256', secret);
+    const signature = `t=${time},v0=${hmac.update(unsigned).digest('hex')}`;
+
+    const verifiedBody = verifyWebhook(body, signature, secret);
+    expect(verifiedBody).toStrictEqual(body);
+  });
+
+  it('should throw an error if signature is invalid', () => {
+    const body = { email: 'marc@readme.io' };
+    const secret = 'docs4dayz';
+    const time = Date.now();
+    const unsigned = `${time}.${JSON.stringify(body)}`;
+    const hmac = crypto.createHmac('sha256', 'invalidsecret');
+    const signature = `t=${time},v0=${hmac.update(unsigned).digest('hex')}`;
+
+    expect(() => {
+      verifyWebhook(body, signature, secret);
+    }).toThrow(/Invalid Signature/);
+  });
+
+  it('should throw an error if timestamp is too old', () => {
+    const body = { email: 'marc@readme.io' };
+    const secret = 'docs4dayz';
+    const time = new Date();
+    time.setHours(time.getHours() - 1);
+    const unsigned = `${time.getTime()}.${JSON.stringify(body)}`;
+    const hmac = crypto.createHmac('sha256', secret);
+    const signature = `t=${time.getTime()},v0=${hmac.update(unsigned).digest('hex')}`;
+
+    expect(() => {
+      verifyWebhook(body, signature, secret);
+    }).toThrow(/Expired Signature/);
+  });
+
+  it('should throw an error if signature is missing', () => {
+    const body = { email: 'marc@readme.io' };
+    const secret = 'docs4dayz';
+    const signature = undefined;
+
+    expect(() => {
+      verifyWebhook(body, signature, secret);
+    }).toThrow(/Missing Signature/);
+  });
+});
diff --git a/packages/node/examples/express/package-lock.json b/packages/node/examples/express/package-lock.json
diff --git a/packages/node/examples/express/webhook.js b/packages/node/examples/express/webhook.js
@@ -0,0 +1,46 @@
+#!/usr/bin/env node
+
+import express from 'express';
+import readme from 'readmeio';
+
+if (!process.env.README_API_KEY) {
+  // eslint-disable-next-line no-console
+  console.error('Missing `README_API_KEY` environment variable');
+  process.exit(1);
+}
+
+const app = express();
+const port = process.env.PORT || 4000;
+
+app.post('/webhook', express.json({ type: 'application/json' }), (req, res) => {
+  // Verify the request is legitimate and came from ReadMe
+  const signature = req.headers['readme-signature'];
+  // Your ReadMe secret
+  const secret = process.env.README_API_KEY;
+  try {
+    readme.verifyWebhook(req.body, signature, secret);
+  } catch (e) {
+    // Handle invalid requests
+    return res.sendStatus(401);
+  }
+  // Fetch the user from the db
+  // eslint-disable-next-line @typescript-eslint/no-use-before-define, @typescript-eslint/no-unused-vars
+  return db.find({ email: req.body.email }).then(user => {
+    return res.json({
+      // OAS Security variables
+      petstore_auth: 'default-key',
+      basic_auth: { user: 'user', pass: 'pass' },
+    });
+  });
+});
+
+const server = app.listen(port, 'localhost', function () {
+  // eslint-disable-next-line no-console
+  console.log('Example app listening at http://%s:%s', server.address().address, port);
+});
+
+class db {
+  static find() {
+    return Promise.resolve({});
+  }
+}
diff --git a/packages/node/package-lock.json b/packages/node/package-lock.json
diff --git a/packages/node/src/index.ts b/packages/node/src/index.ts
@@ -1,6 +1,9 @@
 /**
  * @deprecated use expressMiddleware instead
  */
+import verifyWebhook from './lib/verify-webhook';
+
 export { expressMiddleware as metrics } from './lib/express-middleware';
 export { expressMiddleware } from './lib/express-middleware';
 export { log } from './lib/metrics-log';
+export { verifyWebhook };
diff --git a/packages/node/src/lib/verify-webhook.ts b/packages/node/src/lib/verify-webhook.ts
