deed
v1.0.1
Published
Verify x-hub-signature
Downloads
5
Maintainers
Readme
deed - verify x-hub-signature
deed verifies X-Hub-Signature
headers, which are a simple way to verify HTTP POST requests. For example, this can be used to authorize requests to callback URLs, say, from GitHub webhooks or the Facebook API.
Example
var deed = require('deed')
var http = require('http')
http.createServer(function (req, res) {
deed('secret', req, function (er, req) {
res.end(er ? 'sorry' : 'ok')
})
}).listen(1337)
Types
cb(er, req)
The callback receives an error, if the verification failed, otherwise null
and the authorized request are passed.
er
The error if an error occured or verification failed.req
The verified request.
Exports
deed(secret, req, cb)
The sole function exported by the deed module checks if the request body, hashed with the secret, matches the X-Hub-Signature
header.
secret
String()
The key to hash the payload with.req
http.IncomingMessage()
The request to verify.cb
cb()
The client must generate an HMAC signature of the payload and include that signature in the request headers. The X-Hub-Signature
header's value must be sha1=signature
, where signature is a hexadecimal representation of a SHA1 signature. The signature must be computed using the HMAC algorithm with the request body as the data and the secret as the key.
deed recomputes the SHA1 signature with the shared secret using the same method as the client. If the signature does not match, the request cannot be verified and should probably be dropped.
Originally this technique has been decribed in the PubSubHubbub spec.
Installation
With npm do:
npm install deed