feat: remove SHA1 support

BREAKING CHANGE: remove SHA1 support

Author: wolfy1339

src/node/sign.ts

@@ -31,7 +31,7 @@ export async function sign(
 
   if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
     throw new TypeError(
-      `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be  'sha1' or 'sha256'`,
+      `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha256'`,
     );
   }
 

src/node/verify.ts

@@ -3,7 +3,6 @@ import { Buffer } from "node:buffer";
 
 import { sign } from "./sign.js";
 import { VERSION } from "../version.js";
-import { getAlgorithm } from "../utils.js";
 
 export async function verify(
   secret: string,
@@ -23,7 +22,7 @@ export async function verify(
   }
 
   const signatureBuffer = Buffer.from(signature);
-  const algorithm = getAlgorithm(signature);
+  const algorithm = "sha256";
 
   const verificationBuffer = Buffer.from(
     await sign({ secret, algorithm }, eventPayload),

src/types.ts

@@ -1,9 +1,8 @@
 export enum Algorithm {
-  SHA1 = "sha1",
   SHA256 = "sha256",
 }
 
-export type AlgorithmLike = Algorithm | "sha1" | "sha256";
+export type AlgorithmLike = Algorithm | "sha256";
 
 export type SignOptions = {
   secret: string;

src/utils.ts

@@ -1,5 +1,4 @@
 import { Algorithm, type AlgorithmLike, type SignOptions } from "./types.js";
-import { getAlgorithm } from "./utils.js";
 
 const enc = new TextEncoder();
 
@@ -24,7 +23,6 @@ function UInt8ArrayToHex(signature: ArrayBuffer) {
 function getHMACHashName(algorithm: AlgorithmLike) {
   return (
     {
-      [Algorithm.SHA1]: "SHA-1",
       [Algorithm.SHA256]: "SHA-256",
     } as { [key in Algorithm]: string }
   )[algorithm];
@@ -71,7 +69,7 @@ export async function sign(options: SignOptions | string, payload: string) {
 
   if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
     throw new TypeError(
-      `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be  'sha1' or 'sha256'`,
+      `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha256'`,
     );
   }
 
@@ -101,7 +99,7 @@ export async function verify(
     );
   }
 
-  const algorithm = getAlgorithm(signature);
+  const algorithm = "sha256";
   return await crypto.subtle.verify(
     "HMAC",
     await importKey(secret, algorithm),

src/web.ts

@@ -40,7 +40,7 @@ describe("sign", () => {
       // @ts-expect-error
       sign({ secret, algorithm: "sha2" }, JSON.stringify(eventPayload)),
     ).rejects.toThrow(
-      "[@octokit/webhooks] Algorithm sha2 is not supported. Must be  'sha1' or 'sha256'",
+      "[@octokit/webhooks] Algorithm sha2 is not supported. Must be 'sha256'",
     );
   });
 
@@ -59,14 +59,6 @@ describe("sign", () => {
           "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
         );
       });
-
-      test("sign({secret, algorithm: 'sha1'}, eventPayload)", async () => {
-        const signature = await sign(
-          { secret, algorithm: "sha1" },
-          JSON.stringify(eventPayload),
-        );
-        expect(signature).toBe("sha1=d03207e4b030cf234e3447bac4d93add4c6643d8");
-      });
     });
 
     describe("returns expected sha256 signature", () => {

test/sign.test.ts

@@ -11,7 +11,6 @@ function toNormalizedJsonString(payload: object) {
 const JSONeventPayload = { foo: "bar" };
 const eventPayload = toNormalizedJsonString(JSONeventPayload);
 const secret = "mysecret";
-const signatureSHA1 = "sha1=640c0ea7402a3f74e1767338fa2dba243b1f2d9c";
 const signatureSHA256 =
   "sha256=e3eccac34c43c7dc1cbb905488b1b81347fcc700a7b025697a9d07862256023f";
 
@@ -52,49 +51,6 @@ describe("verify", () => {
     );
   });
 
-  test("verify(secret, eventPayload, signatureSHA1) returns true for correct signature", async () => {
-    const signatureMatches = await verify(secret, eventPayload, signatureSHA1);
-    expect(signatureMatches).toBe(true);
-  });
-
-  test("verify(secret, eventPayload, signatureSHA1) returns false for incorrect signature", async () => {
-    const signatureMatches = await verify(secret, eventPayload, "foo");
-    expect(signatureMatches).toBe(false);
-  });
-
-  test("verify(secret, eventPayload, signatureSHA1) returns false for correct secret", async () => {
-    const signatureMatches = await verify("foo", eventPayload, signatureSHA1);
-    expect(signatureMatches).toBe(false);
-  });
-
-  test("verify(secret, eventPayload, signatureSHA1) returns true if eventPayload contains special characters (#71)", async () => {
-    // https://github.com/octokit/webhooks.js/issues/71
-    const signatureMatchesLowerCaseSequence = await verify(
-      "development",
-      toNormalizedJsonString({
-        foo: "Foo\n\u001b[34mbar: ♥♥♥♥♥♥♥♥\nthis-is-lost\u001b[0m\u001b[2K",
-      }),
-      "sha1=82a91c5aacc9cdc2eea893bc828bd03d218df79c",
-    );
-    expect(signatureMatchesLowerCaseSequence).toBe(true);
-    const signatureMatchesUpperCaseSequence = await verify(
-      "development",
-      toNormalizedJsonString({
-        foo: "Foo\n\u001B[34mbar: ♥♥♥♥♥♥♥♥\nthis-is-lost\u001B[0m\u001B[2K",
-      }),
-      "sha1=82a91c5aacc9cdc2eea893bc828bd03d218df79c",
-    );
-    expect(signatureMatchesUpperCaseSequence).toBe(true);
-    const signatureMatchesEscapedSequence = await verify(
-      "development",
-      toNormalizedJsonString({
-        foo: "\\u001b",
-      }),
-      "sha1=bdae4705bdd827d026bb227817ca025b5b3a6756",
-    );
-    expect(signatureMatchesEscapedSequence).toBe(true);
-  });
-
   test("verify(secret, eventPayload, signatureSHA256) returns true for correct signature", async () => {
     const signatureMatches = await verify(
       secret,