Accept array of secrets, not just one #777
Conversation
We don't really have to do anything special here for constant-timedness. Since each comparison is constant time, the only timing differential is between all checks (completely) failing and some check (completely) succeeding, and so the only thing learned is whether a guess was completely right or wrong.
And plumb through the option of taking an array of secrets
Add typechecking and integration tests Mention this ability in the README FIXES #770
nwf-msr
force-pushed
the
202212-770-secrets
branch
from
b6e31fe to
2dc6152
Compare
|
can you look into the failing tests? Please don't force-push changes, we don't mind a messy commit history in pull requests, we squash & merge them in the end anyway |
There's doubtless a better way to do this, but Promise.any doesn't seem to be available.
|
What'd I do to make CodeQL unhappy? :( |
|
It's not you, it's CodeQL being uncooperative. Just ignore it |
There was a problem hiding this comment.
I think the pull request looks good as is.
Good point about the .sign() method. Given that the first secret in a given array of secrets has special meaning, I wonder if it would make more sense to keep the secret as is, but add an additional option such as alternativeSecrets or maybe some other name that better conveys that these secrets are used for incoming request verification only?
My understanding is that in your case, there will always only be one other secret. Do you see a use case where more than two secrets would be needed to be provided?
| then update your Webhook receiver to accept only the new secret. Signatures will | ||
| always be made with the first secret. |
There was a problem hiding this comment.
| then update your Webhook receiver to accept only the new secret. Signatures will | |
| always be made with the first secret. | |
| then update your Webhook receiver to accept only the new secret. New signatures will | |
| be calculated using the first secret. |
| @@ -111,11 +123,14 @@ new Webhooks({ secret /*, transform */ }); | |||
| <code> | |||
| secret | |||
| </code> | |||
| <em>(String)</em> | |||
| <em>(String or String Array)</em> | |||
There was a problem hiding this comment.
| <em>(String or String Array)</em> | |
| <em>(String or Array of Strings)</em> |
| Secret as configured in GitHub Settings. If an array of strings, an | ||
| incoming webhook event will be accepted if its signature verifies | ||
| with any of the secrets given and signatures will always be generated | ||
| with the first secret. |
There was a problem hiding this comment.
| Secret as configured in GitHub Settings. If an array of strings, an | |
| incoming webhook event will be accepted if its signature verifies | |
| with any of the secrets given and signatures will always be generated | |
| with the first secret. | |
| Secret as configured in GitHub Settings. If set to an array of strings, a | |
| webhook request will be accepted if its signature verifies | |
| with any of the given secrets. New signatures will always be | |
| calculated using the first secret. |
That makes sense. I'll take a stab at that approach.
That's true and no, I don't see reason to need more than one active and one retiring secret, at least, at the moment. I'm tempted to leave |
|
maybe call them |
|
Belatedly, I've raised #811 . |
|
Instead of opening a separate PR, you could have simply reused this one. Closing in favour of #811 |
|
I didn't reuse this one because I was advised not to force-push changes and enough time had elapsed that doing the work on a new checkout seemed wise. |
|
When you need to update using a rebase, a force-push can be warranted. |
Resolves #770.
Behavior
Before the change?
After the change?
Additional info
Pull request checklist
Does this introduce a breaking change?
Pull request type
I do not seem to be able to add labels, but please add
Type: Featurefor me?