feat: always assume sha256, remove SignOptions

BREAKING CHANGE: The `verify()` and `sign()` methods no longer accept an options object

Author: wolfy1339

src/node/sign.ts

@@ -1,24 +1,7 @@
 import { createHmac } from "node:crypto";
-import { Algorithm, type SignOptions } from "../types.js";
 import { VERSION } from "../version.js";
 
-export async function sign(secret: string, payload: string): Promise<string>;
-export async function sign(
-  options: SignOptions,
-  payload: string,
-): Promise<string>;
-export async function sign(
-  options: SignOptions | string,
-  payload: string,
-): Promise<string> {
-  const { secret, algorithm } =
-    typeof options === "object"
-      ? {
-          secret: options.secret,
-          algorithm: options.algorithm || Algorithm.SHA256,
-        }
-      : { secret: options, algorithm: Algorithm.SHA256 };
-
+export async function sign(secret: string, payload: string): Promise<string> {
   if (!secret || !payload) {
     throw new TypeError(
       "[@octokit/webhooks-methods] secret & payload required for sign()",
@@ -29,11 +12,7 @@ export async function sign(
     throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
   }
 
-  if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
-    throw new TypeError(
-      `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha256'`,
-    );
-  }
+  const algorithm = "sha256";
 
   return `${algorithm}=${createHmac(algorithm, secret)
     .update(payload)

src/node/verify.ts

@@ -22,11 +22,8 @@ export async function verify(
   }
 
   const signatureBuffer = Buffer.from(signature);
-  const algorithm = "sha256";
 
-  const verificationBuffer = Buffer.from(
-    await sign({ secret, algorithm }, eventPayload),
-  );
+  const verificationBuffer = Buffer.from(await sign(secret, eventPayload));
 
   if (signatureBuffer.length !== verificationBuffer.length) {
     return false;

src/types.ts

@@ -1,5 +1,3 @@
-import { Algorithm, type AlgorithmLike, type SignOptions } from "./types.js";
-
 const enc = new TextEncoder();
 
 function hexToUInt8Array(string: string) {
@@ -20,43 +18,22 @@ function UInt8ArrayToHex(signature: ArrayBuffer) {
     .join("");
 }
 
-function getHMACHashName(algorithm: AlgorithmLike) {
-  return (
-    {
-      [Algorithm.SHA256]: "SHA-256",
-    } as { [key in Algorithm]: string }
-  )[algorithm];
-}
-
-async function importKey(secret: string, algorithm: AlgorithmLike) {
+async function importKey(secret: string) {
   // ref: https://developer.mozilla.org/en-US/docs/Web/API/HmacImportParams
   return crypto.subtle.importKey(
     "raw", // raw format of the key - should be Uint8Array
     enc.encode(secret),
     {
       // algorithm details
       name: "HMAC",
-      hash: { name: getHMACHashName(algorithm) },
+      hash: { name: "sha256" },
     },
     false, // export = false
     ["sign", "verify"], // what this key can do
   );
 }
 
-export async function sign(secret: string, payload: string): Promise<string>;
-export async function sign(
-  options: SignOptions,
-  payload: string,
-): Promise<string>;
-export async function sign(options: SignOptions | string, payload: string) {
-  const { secret, algorithm } =
-    typeof options === "object"
-      ? {
-          secret: options.secret,
-          algorithm: options.algorithm || Algorithm.SHA256,
-        }
-      : { secret: options, algorithm: Algorithm.SHA256 };
-
+export async function sign(secret: string, payload: string): Promise<string> {
   if (!secret || !payload) {
     throw new TypeError(
       "[@octokit/webhooks-methods] secret & payload required for sign()",
@@ -67,15 +44,10 @@ export async function sign(options: SignOptions | string, payload: string) {
     throw new TypeError("[@octokit/webhooks-methods] payload must be a string");
   }
 
-  if (!Object.values(Algorithm).includes(algorithm as Algorithm)) {
-    throw new TypeError(
-      `[@octokit/webhooks] Algorithm ${algorithm} is not supported. Must be 'sha256'`,
-    );
-  }
-
+  const algorithm = "sha256";
   const signature = await crypto.subtle.sign(
     "HMAC",
-    await importKey(secret, algorithm),
+    await importKey(secret),
     enc.encode(payload),
   );
 
@@ -102,7 +74,7 @@ export async function verify(
   const algorithm = "sha256";
   return await crypto.subtle.verify(
     "HMAC",
-    await importKey(secret, algorithm),
+    await importKey(secret),
     hexToUInt8Array(signature.replace(`${algorithm}=`, "")),
     enc.encode(eventPayload),
   );

src/web.ts

@@ -45,32 +45,13 @@ describe("sign", () => {
   });
 
   describe("with eventPayload as string", () => {
-    describe("returns expected sha1 signature", () => {
+    describe("returns expected sha256 signature", () => {
       test("sign(secret, eventPayload)", async () => {
         const signature = await sign(secret, JSON.stringify(eventPayload));
         expect(signature).toBe(
           "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
         );
       });
-
-      test("sign({secret}, eventPayload)", async () => {
-        const signature = await sign({ secret }, JSON.stringify(eventPayload));
-        expect(signature).toBe(
-          "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
-        );
-      });
-    });
-
-    describe("returns expected sha256 signature", () => {
-      test("sign({secret, algorithm: 'sha256'}, eventPayload)", async () => {
-        const signature = await sign(
-          { secret, algorithm: "sha256" },
-          JSON.stringify(eventPayload),
-        );
-        expect(signature).toBe(
-          "sha256=4864d2759938a15468b5df9ade20bf161da9b4f737ea61794142f3484236bda3",
-        );
-      });
     });
   });