feat(webhookValidator): Add wh signature validator

Add webhook signature checker

Author: pcholuj

package.json

@@ -25,7 +25,7 @@
     "test": "npm run lint && jest",
     "test:watch": "npm t -- --watch",
     "test:codecov": "npx codecov",
-    "docs": "trash build/docs && typedoc src && opn build/docs/index.html",
+    "docs": "trash build/docs && typedoc src",
     "docs:publish": "npm run docs && gh-pages -d build/docs",
     "release": "standard-version",
     "prepare": "npm run build",

src/index.ts

@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-import { SecurityOptions, getSecurity } from './lib/api/security';
+import { SecurityOptions, getSecurity, validateWebhookSignature, WebhookValidatePayload } from './lib/api/security';
 import { Client, ClientOptions } from './lib/client';
 import { TransformSchema } from './schema/transforms.schema';
 
@@ -42,4 +42,6 @@ export {
   TransformSchema,
   SecurityOptions,
   getSecurity,
+  validateWebhookSignature,
+  WebhookValidatePayload
 };

src/lib/api/security.spec.browser.ts

@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-import { getSecurity } from './security';
+import { getSecurity, validateWebhookSignature } from './security';
 import * as utils from './../utils';
 
 describe('api/security', () => {
@@ -35,4 +35,19 @@ describe('api/security', () => {
       expect(() => getSecurity(policy, appSecret)).toThrowError('getSecurity is only supported in nodejs');
     });
   });
+
+  describe('validateWebhookSignature', () => {
+    it('should throw not supported error', () => {
+      const testRawData = '{"id": 6844, "action": "fp.upload", "timestamp": 1559199901, "text": {"url": "http://cdn.filestackapi.dev/xK88QArxRiyVvFzo4p33", "client": "Computer", "data": {"filename": "01 (1).png", "type": "image/png", "size": 881855}}}';
+
+      const correctSignature = {
+        signature: '14495b54b246e1352bb69cd91c5c1bfe2221f2d0330414b3df8f5fb2903db730',
+        timestamp: '1559199901',
+      };
+
+      const secret = 'Y5cWb1rdRDSTSqEjF5pv';
+
+      expect(() => validateWebhookSignature(secret, testRawData, correctSignature)).toThrowError('validateWebhookSignature is only supported in nodejs');
+    });
+  });
 });

src/lib/api/security.spec.node.ts

@@ -15,7 +15,7 @@
  * limitations under the License.
  */
 
-import { getSecurity } from './security';
+import { getSecurity, validateWebhookSignature } from './security';
 
 describe('api:security', () => {
   describe('getSecurity', () => {
@@ -28,7 +28,8 @@ describe('api:security', () => {
       const appSecret = 'testAppSecret';
       const result = getSecurity(policy, appSecret);
       const expected = {
-        policy: 'eyJleHBpcnkiOjE1MjM1OTU2MDAsImNhbGwiOlsicGljayIsInJlYWQiLCJzdGF0Iiwid3JpdGUiLCJ3cml0ZVVybCIsInN0b3JlIiwiY29udmVydCIsInJlbW92ZSIsImV4aWYiLCJydW5Xb3JrZmxvdyJdLCJoYW5kbGUiOiJURVNUX0hBTkRMRSJ9',
+        policy:
+          'eyJleHBpcnkiOjE1MjM1OTU2MDAsImNhbGwiOlsicGljayIsInJlYWQiLCJzdGF0Iiwid3JpdGUiLCJ3cml0ZVVybCIsInN0b3JlIiwiY29udmVydCIsInJlbW92ZSIsImV4aWYiLCJydW5Xb3JrZmxvdyJdLCJoYW5kbGUiOiJURVNUX0hBTkRMRSJ9',
         signature: '7df0536104cdcc16370ad6494cdbda30c9773a62eec6e5153fa539544db6206e',
       };
       expect(result).toEqual(expected);
@@ -45,4 +46,19 @@ describe('api:security', () => {
       expect(() => getSecurity(policy, appSecret)).toThrowError('Invalid security params');
     });
   });
+
+  describe('validateWebhookSignature', () => {
+    it('should pass validation on proper signature', () => {
+      const testRawData = '{"id": 6844, "action": "fp.upload", "timestamp": 1559199901, "text": {"url": "http://cdn.filestackapi.dev/xK88QArxRiyVvFzo4p33", "client": "Computer", "data": {"filename": "01 (1).png", "type": "image/png", "size": 881855}}}';
+
+      const correctSignature = {
+        signature: '14495b54b246e1352bb69cd91c5c1bfe2221f2d0330414b3df8f5fb2903db730',
+        timestamp: '1559199901',
+      };
+
+      const secret = 'Y5cWb1rdRDSTSqEjF5pv';
+
+      expect(validateWebhookSignature(secret, testRawData, correctSignature)).toBeTruthy();
+    });
+  });
 });

src/lib/api/security.ts

@@ -68,3 +68,28 @@ export const getSecurity = (policyOptions: SecurityOptions, appSecret: string):
 
   return { policy, signature };
 };
+
+export interface WebhookValidatePayload {
+  timestamp: string;
+  signature: string;
+}
+
+/**
+ * Check webhook signature
+ *
+ * @param secret - app secred
+ * @param rawBody - unchanged raw webhook body
+ * @param toCompare - data from wh response headers
+ */
+export const validateWebhookSignature = (secret: string, rawBody: string, toCompare: WebhookValidatePayload) => {
+  if (!isNode()) {
+    throw new Error('validateWebhookSignature is only supported in nodejs');
+  }
+
+  const hash = requireNode('crypto')
+                .createHmac('sha256', secret)
+                .update(`${toCompare.timestamp}.${rawBody}`)
+                .digest('hex');
+
+  return hash === toCompare.signature;
+};

src/schema/picker.schema.ts

@@ -140,7 +140,6 @@ export const PickerParamsSchema = {
         {
           type: 'integer',
           minimum: 1,
-          maximum: 1000000,
         },
       ],
     },
@@ -152,7 +151,6 @@ export const PickerParamsSchema = {
         {
           type: 'integer',
           minimum: 1,
-          maximum: 1000000,
         },
       ],
     },
@@ -164,7 +162,6 @@ export const PickerParamsSchema = {
         {
           type: 'integer',
           minimum: 1,
-          maximum: 1000000,
         },
       ],
     },