@backstage/plugin-events-backend-module-github 0.2.14-next.2 → 0.2.14

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # @backstage/plugin-events-backend-module-github
 
+## 0.2.14
+
+### Patch Changes
+
+- 9816f51: Fix the event request validation for incoming requests for GitHub webhook events
+  by using the raw body when verifying the signature.
+- 9816f51: Add raw body information to `RequestDetails`
+  and use the raw body when validating incoming event requests.
+- Updated dependencies
+  - @backstage/config@1.3.0
+  - @backstage/plugin-events-node@0.4.5
+  - @backstage/backend-plugin-api@1.0.2
+
+## 0.2.14-next.3
+
+### Patch Changes
+
+- 9816f51: Fix the event request validation for incoming requests for GitHub webhook events
+  by using the raw body when verifying the signature.
+- 9816f51: Add raw body information to `RequestDetails`
+  and use the raw body when validating incoming event requests.
+- Updated dependencies
+  - @backstage/plugin-events-node@0.4.5-next.3
+  - @backstage/backend-plugin-api@1.0.2-next.2
+  - @backstage/config@1.2.0
+
 ## 0.2.14-next.2
 
 ### Patch Changes

package/dist/http/createGithubSignatureValidator.cjs.js

@@ -6,7 +6,11 @@ function createGithubSignatureValidator(config) {
   const secret = config.getString("events.modules.github.webhookSecret");
   return async (request, context) => {
     const signature = request.headers["x-hub-signature-256"];
-    if (!signature || !await webhooksMethods.verify(secret, JSON.stringify(request.body), signature)) {
+    if (!signature || !await webhooksMethods.verify(
+      secret,
+      request.raw.body.toString(request.raw.encoding),
+      signature
+    )) {
       context.reject({
         status: 403,
         payload: { message: "invalid signature" }

package/dist/http/createGithubSignatureValidator.cjs.js.map

@@ -1 +1 @@
-{"version":3,"file":"createGithubSignatureValidator.cjs.js","sources":["../../src/http/createGithubSignatureValidator.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport {\n  RequestDetails,\n  RequestValidationContext,\n  RequestValidator,\n} from '@backstage/plugin-events-node';\nimport { verify } from '@octokit/webhooks-methods';\n\n/**\n * Validates that the request received is the expected GitHub request\n * using the signature received with the `x-hub-signature-256` header\n * which is based on a secret token configured at GitHub and here.\n *\n * See https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks\n * for more details.\n *\n * @param config - root config\n * @public\n */\nexport function createGithubSignatureValidator(\n  config: Config,\n): RequestValidator {\n  const secret = config.getString('events.modules.github.webhookSecret');\n\n  return async (\n    request: RequestDetails,\n    context: RequestValidationContext,\n  ): Promise<void> => {\n    const signature = request.headers['x-hub-signature-256'] as\n      | string\n      | undefined;\n\n    if (\n      !signature ||\n      !(await verify(secret, JSON.stringify(request.body), signature))\n    ) {\n      context.reject({\n        status: 403,\n        payload: { message: 'invalid signature' },\n      });\n    }\n  };\n}\n"],"names":["verify"],"mappings":";;;;AAmCO,SAAS,+BACd,MACkB,EAAA;AAClB,EAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,qCAAqC,CAAA;AAErE,EAAO,OAAA,OACL,SACA,OACkB,KAAA;AAClB,IAAM,MAAA,SAAA,GAAY,OAAQ,CAAA,OAAA,CAAQ,qBAAqB,CAAA;AAIvD,IAAA,IACE,CAAC,SAAA,IACD,CAAE,MAAMA,sBAAO,CAAA,MAAA,EAAQ,IAAK,CAAA,SAAA,CAAU,OAAQ,CAAA,IAAI,CAAG,EAAA,SAAS,CAC9D,EAAA;AACA,MAAA,OAAA,CAAQ,MAAO,CAAA;AAAA,QACb,MAAQ,EAAA,GAAA;AAAA,QACR,OAAA,EAAS,EAAE,OAAA,EAAS,mBAAoB;AAAA,OACzC,CAAA;AAAA;AACH,GACF;AACF;;;;"}
+{"version":3,"file":"createGithubSignatureValidator.cjs.js","sources":["../../src/http/createGithubSignatureValidator.ts"],"sourcesContent":["/*\n * Copyright 2022 The Backstage Authors\n *\n * Licensed under the Apache License, Version 2.0 (the \"License\");\n * you may not use this file except in compliance with the License.\n * You may obtain a copy of the License at\n *\n *     http://www.apache.org/licenses/LICENSE-2.0\n *\n * Unless required by applicable law or agreed to in writing, software\n * distributed under the License is distributed on an \"AS IS\" BASIS,\n * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n * See the License for the specific language governing permissions and\n * limitations under the License.\n */\n\nimport { Config } from '@backstage/config';\nimport {\n  RequestDetails,\n  RequestValidationContext,\n  RequestValidator,\n} from '@backstage/plugin-events-node';\nimport { verify } from '@octokit/webhooks-methods';\n\n/**\n * Validates that the request received is the expected GitHub request\n * using the signature received with the `x-hub-signature-256` header\n * which is based on a secret token configured at GitHub and here.\n *\n * See https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks\n * for more details.\n *\n * @param config - root config\n * @public\n */\nexport function createGithubSignatureValidator(\n  config: Config,\n): RequestValidator {\n  const secret = config.getString('events.modules.github.webhookSecret');\n\n  return async (\n    request: RequestDetails,\n    context: RequestValidationContext,\n  ): Promise<void> => {\n    const signature = request.headers['x-hub-signature-256'] as\n      | string\n      | undefined;\n\n    if (\n      !signature ||\n      !(await verify(\n        secret,\n        request.raw.body.toString(request.raw.encoding),\n        signature,\n      ))\n    ) {\n      context.reject({\n        status: 403,\n        payload: { message: 'invalid signature' },\n      });\n    }\n  };\n}\n"],"names":["verify"],"mappings":";;;;AAmCO,SAAS,+BACd,MACkB,EAAA;AAClB,EAAM,MAAA,MAAA,GAAS,MAAO,CAAA,SAAA,CAAU,qCAAqC,CAAA;AAErE,EAAO,OAAA,OACL,SACA,OACkB,KAAA;AAClB,IAAM,MAAA,SAAA,GAAY,OAAQ,CAAA,OAAA,CAAQ,qBAAqB,CAAA;AAIvD,IACE,IAAA,CAAC,SACD,IAAA,CAAE,MAAMA,sBAAA;AAAA,MACN,MAAA;AAAA,MACA,QAAQ,GAAI,CAAA,IAAA,CAAK,QAAS,CAAA,OAAA,CAAQ,IAAI,QAAQ,CAAA;AAAA,MAC9C;AAAA,KAEF,EAAA;AACA,MAAA,OAAA,CAAQ,MAAO,CAAA;AAAA,QACb,MAAQ,EAAA,GAAA;AAAA,QACR,OAAA,EAAS,EAAE,OAAA,EAAS,mBAAoB;AAAA,OACzC,CAAA;AAAA;AACH,GACF;AACF;;;;"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@backstage/plugin-events-backend-module-github",
-  "version": "0.2.14-next.2",
+  "version": "0.2.14",
   "backstage": {
     "role": "backend-plugin-module",
     "pluginId": "events",
@@ -31,10 +31,19 @@
   },
   "main": "./dist/index.cjs.js",
   "types": "./dist/index.d.ts",
+  "typesVersions": {
+    "*": {
+      "index": [
+        "dist/index.d.ts"
+      ],
+      "alpha": [
+        "dist/alpha.d.ts"
+      ]
+    }
+  },
   "files": [
     "config.d.ts",
-    "dist",
-    "alpha"
+    "dist"
   ],
   "scripts": {
     "build": "backstage-cli package build",
@@ -46,15 +55,15 @@
     "test": "backstage-cli package test"
   },
   "dependencies": {
-    "@backstage/backend-plugin-api": "1.0.2-next.2",
-    "@backstage/config": "1.2.0",
-    "@backstage/plugin-events-node": "0.4.5-next.2",
+    "@backstage/backend-plugin-api": "^1.0.2",
+    "@backstage/config": "^1.3.0",
+    "@backstage/plugin-events-node": "^0.4.5",
     "@octokit/webhooks-methods": "^3.0.0"
   },
   "devDependencies": {
-    "@backstage/backend-test-utils": "1.1.0-next.2",
-    "@backstage/cli": "0.29.0-next.2",
-    "@backstage/plugin-events-backend-test-utils": "0.1.38-next.2"
+    "@backstage/backend-test-utils": "^1.1.0",
+    "@backstage/cli": "^0.29.0",
+    "@backstage/plugin-events-backend-test-utils": "^0.1.38"
   },
   "configSchema": "config.d.ts"
 }

package/alpha/package.json

@@ -1,6 +0,0 @@
-{
-  "name": "@backstage/plugin-events-backend-module-github__alpha",
-  "version": "0.2.14-next.2",
-  "main": "../dist/alpha.cjs.js",
-  "types": "../dist/alpha.d.ts"
-}