X-Hub-Signature is a compact way to validate real-time updates, such as webhooks from Facebook and GitHub.
Requires Node.js 16+
To install:
npm install x-hub-signature-middleware --save
To validate incoming webhooks signed with X-Hub-Signature
, use the bundled Express middleware.
const { xHubSignatureMiddleware } = require('x-hub-signature');
app.use(xHubSignatureMiddleware({
algorithm: 'sha1',
secret: 'secret',
require: true,
getRawBody: req => req.rawBody
}));
Options:
algorithm
(required) -sha1
or other desired signing algorithmsecret
(required) - signing secret that the webhook was signed withrequire
(optional) - boolean, whether to require the presence of theX-Hub-Signature
header. If true, throws an HTTP 400 error if the header is not present. If false, the middleware will pass the request on if the header is not present, and validate the header only if it is present. (default:true
)getRawBody
(optional) - function that acceptsreq
as the first argument and returns the raw body. If you use the bundled body-parser verifier (see below), you don't need to set this option.header
(optional) - the default header isX-Hub-Signature
. Forsha256
, the header needs to beX-Hub-Signature-256
.
A very common case is to have body-parser middleware globally defined. This produces complications for the x-hub-signature middleware, since it needs a copy of the raw unparsed body, and body-parser
by default does not save this on the request.
In this case, you can use the bundled extractRawBody
verifier function with body-parser. This will set a reference to the buffered raw (unparsed) body to req.rawBody
:
const bodyParser = require('body-parser');
const {xHubSignatureMiddleware, extractRawBody} = require('x-hub-signature-middleware');
app.use(bodyParser.json({
verify: extractRawBody
}))
app.use(xHubSignatureMiddleware({
algorithm: 'sha1',
secret: 'secret',
require: true
}));
MIT License
This project was based on express-x-hub by Alex Curtis.