fix(webhooks): use @noble/hashes instead of crypto for signing

Finch-API · Nov 20, 2024 · e6575de · e6575de
1 parent 2f1568c
commit e6575de
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 9 deletions.
diff --git a/package.json b/package.json
@@ -24,6 +24,7 @@
     "fix": "./scripts/format"
   },
   "dependencies": {
+    "@noble/hashes": "^1.5.0",
     "@types/node": "^18.11.18",
     "@types/node-fetch": "^2.6.4",
     "abort-controller": "^3.0.0",

diff --git a/src/core.ts b/src/core.ts
@@ -1178,14 +1178,14 @@ export const getHeader = (headers: HeadersLike | Headers, header: string): strin
 /**
  * Encodes a string to Base64 format.
  */
-export const toBase64 = (str: string | null | undefined): string => {
+export const toBase64 = (str: string | Uint8Array | null | undefined): string => {
   if (!str) return '';
   if (typeof Buffer !== 'undefined') {
     return Buffer.from(str).toString('base64');
   }
 
   if (typeof btoa !== 'undefined') {
-    return btoa(str);
+    return btoa(typeof str === 'string' ? str : String(str));
   }
 
   throw new FinchError('Cannot generate b64 string; Expected `Buffer` or `btoa` to be defined');

diff --git a/src/resources/webhooks.ts b/src/resources/webhooks.ts
@@ -3,8 +3,9 @@
 import { APIResource } from '../resource';
 import * as Shared from './shared';
 import * as BenefitsAPI from './hris/benefits/benefits';
-import { createHmac } from 'crypto';
-import { getRequiredHeader, HeadersLike } from '../core';
+import { getRequiredHeader, HeadersLike, toBase64 } from '../core';
+import { hmac } from '@noble/hashes/hmac';
+import { sha256 } from '@noble/hashes/sha2';
 
 export class Webhooks extends APIResource {
   /**
@@ -40,11 +41,8 @@ export class Webhooks extends APIResource {
   ) {
     const encoder = new TextEncoder();
     const toSign = encoder.encode(`${eventId}.${timestamp.getTime() / 1000}.${payload}`);
-
-    const hmac = createHmac('sha256', secret);
-    hmac.update(toSign);
-
-    return `v1,${hmac.digest('base64')}`;
+    const signed = toBase64(hmac(sha256, secret, toSign));
+    return `v1,${signed}`;
   }
 
   /** Make an assertion, if not `true`, then throw. */

diff --git a/yarn.lock b/yarn.lock
@@ -617,6 +617,11 @@
     "@jridgewell/resolve-uri" "^3.1.0"
     "@jridgewell/sourcemap-codec" "^1.4.14"
 
+"@noble/hashes@^1.5.0":
+  version "1.5.0"
+  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.5.0.tgz#abadc5ca20332db2b1b2aa3e496e9af1213570b0"
+  integrity sha512-1j6kQFb7QRru7eKN3ZDvRcP13rugwdxZqCjbiAVZfIJwgj2A65UmT4TgARXGlXgnRkORLTDTrO19ZErt7+QXgA==
+
 "@nodelib/[email protected]":
   version "2.1.5"
   resolved "https://registry.yarnpkg.com/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz#7619c2eb21b25483f6d167548b4cfd5a7488c3d5"