Drop dependency + use built-in base64url (#1156)

* Drop dependency + use built-in `base64url` [`create-hmac`](https://github.com/browserify/createHmac) is meant for compat between node and browser compat and was last updated in 2018. Computing the HMAC signature on the client (browser) does not make any sense in 99% of the use-cases, as the secrets would be needed on the client side. This means that we can drop browser support and just use the native node module, which is also exported by the `create-hmac` when running on node. `Buffer.toString()` also accepts "base64url" as an encoding, so we can drop the `urlSafeBase64` in favor of that. * Use encoder from hmac instance
imgproxy · May 24, 2023 · 524434b · 524434b
1 parent 5a7b606
commit 524434b
Showing 1 changed file with 3 additions and 6 deletions.
diff --git a/examples/signature.js b/examples/signature.js
@@ -1,19 +1,16 @@
-const createHmac = require('create-hmac')
+import { createHmac } from 'node:crypto';
 
 const KEY = '943b421c9eb07c830af81030552c86009268de4e532ba2ee2eab8247c6da0881'
 const SALT = '520f986b998545b4785e0defbc4f3c1203f22de2374a3d53cb7a7fe9fea309c5'
 
-const urlSafeBase64 = (string) => {
-  return Buffer.from(string).toString('base64').replace(/=/g, '').replace(/\+/g, '-').replace(/\//g, '_')
-}
-
 const hexDecode = (hex) => Buffer.from(hex, 'hex')
 
 const sign = (salt, target, secret) => {
   const hmac = createHmac('sha256', hexDecode(secret))
   hmac.update(hexDecode(salt))
   hmac.update(target)
-  return urlSafeBase64(hmac.digest())
+
+  return hmac.digest('base64url')
 }
 
 const path = "/rs:fit:300:300/plain/http://img.example.com/pretty/image.jpg"