What does this repo signal mean?

DigitalOcean (GradientAI) published digitalocean/webhook-sdk-javascript (TypeScript). This repository signal exposes tooling, eval, infrastructure, or model-adjacent work before it may appear in a launch post. High-signal details: repo digitalocean/webhook-sdk-javascript · language TypeScript. onlylabs links this event to 1 captured evidence page and 6 related repo signals.

DigitalOcean (GradientAI) Repo: digitalocean/webhook-sdk-javascript

Captured source

source ↗

GitHub/github.com/digitalocean/webhook-sdk-javascript

digitalocean/webhook-sdk-javascript repository metadata

Source ↗

published Feb 25, 2023seen 5dcaptured 13hhttp 200method plain

digitalocean/webhook-sdk-javascript

Language: TypeScript

License: Apache-2.0

Stars: 4

Forks: 0

Open issues: 3

Created: 2023-02-25T16:52:30Z

Pushed: 2024-01-11T13:46:23Z

Default branch: main

Fork: no

Archived: no

README:

@digitalocean/webhook-sdk

Getting Started

Install the package:

npm install @digitalocean/webhook-sdk

yarn add @digitalocean/webhook-sdk

Verifying a payload signature

Use Signature.parse and signature.verify to verify an incoming webhook payload request.

Important: Make sure to pass the body of the request to signature.verify raw without formatting it to avoid slight mismatches and thus failures to verify the signature. By default, your HTTP server might parse the incoming JSON and provide an object in the body. The example below uses express.raw specifically to prevent that.

const { Signature, HTTPHeaderSignature } = require('@digitalocean/webhook-sdk')
const express = require('express');
const { createServer } = require('http');

const app = express();
const server = createServer(app);

const SECRET = process.env.SIGNATURE_SECRET

app.post('/webhook', express.raw({ type: 'application/json' }), async (req, res) => {
try {
const signatureHeader = req.headers[HTTPHeaderSignature];
const signature = Signature.parse(signatureHeader);
signature.verify(req.body, SECRET);
res.status(200).send('verified');
} catch (error) {
return res.status(401).send(`failed to verify: ${error.message}`)
}
});

server.listen(8080, function () {
console.log('Listening on http://0.0.0.0:8080');
});

Signing a payload using a secret

Use Signature.createSignature to sign a payload.

app.post('/sign', express.raw({ type: 'application/json' }), (req, res) => {
try {
const signature = Signature.createSignature({
payload: req.body,
secrets: [SECRET],
timestamp: Date.now()
})
return res.status(200).send(signature.toString())
} catch (error) {
return res.status(500).send(`failed to sign payload: ${error.message}`, )
}
})

Signature and Request Format

Header: do-signature

Format: t={ts},v1={sig}

ts: The current unix timestamp at the time the request is made. This may change across retries.

v1: Indicates the signature scheme version. Currently, only v1 is available.

Examples:

one secret
t=1492774577,v1=5257a869e7ecee108d8bd
two secrets
t=1492774577,v1=5257a869e7ecee108d8bd,v1=cee108d8bd5257a869e7e
one secret, two scheme versions
t=1492774577,v2=1fe71593b0c,v1=5257a869e7ecee108d8bd
two secrets, two scheme versions
t=1492774577,v2=1fe71593b0c,v2=3190e6d8151ac120,v1=5257a869e7ecee108d8bd,v1=cee108d8bd5257a869e7e

License

This package is licensed under the [Apache License 2.0](LICENSE).