Skip to content


Browse files Browse the repository at this point in the history
Drop dependency + use built-in base64url (#1156)
* Drop dependency + use built-in `base64url`

[`create-hmac`]( is meant for compat between node and browser compat and was last updated in 2018.

Computing the HMAC signature on the client (browser) does not make any sense in 99% of the use-cases, as the secrets would be needed on the client side.
This means that we can drop browser support and just use the native node module, which is also exported by the `create-hmac` when running on node.

`Buffer.toString()` also accepts "base64url" as an encoding, so we can drop the `urlSafeBase64` in favor of that.

* Use encoder from hmac instance
  • Loading branch information
nikeee committed May 24, 2023
1 parent 5a7b606 commit 524434b
Showing 1 changed file with 3 additions and 6 deletions.
9 changes: 3 additions & 6 deletions examples/signature.js
@@ -1,19 +1,16 @@
const createHmac = require('create-hmac')
import { createHmac } from 'node:crypto';

const KEY = '943b421c9eb07c830af81030552c86009268de4e532ba2ee2eab8247c6da0881'
const SALT = '520f986b998545b4785e0defbc4f3c1203f22de2374a3d53cb7a7fe9fea309c5'

const urlSafeBase64 = (string) => {
return Buffer.from(string).toString('base64').replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_')

const hexDecode = (hex) => Buffer.from(hex, 'hex')

const sign = (salt, target, secret) => {
const hmac = createHmac('sha256', hexDecode(secret))
return urlSafeBase64(hmac.digest())

return hmac.digest('base64url')

const path = "/rs:fit:300:300/plain/"
Expand Down

0 comments on commit 524434b

Please sign in to comment.