Why does my Github secret fail (change on each event)?
I am trying to validate a Github webhook secret, but every time I trigger an event in Github, the value of req.headers['x-hub-signature'] changes, which doesn't make sense.
NodeJs: sha1=b57ad18e45f71ac069d15618f6ca547ed75bb2e9
Github: sha1=0b6ff08d557b240dbadedb2a0c1054ce69f2d93e <----
NodeJs: sha1=b57ad18e45f71ac069d15618f6ca547ed75bb2e9
Github: sha1=15e3d5edae00951abb180e9eaea9a6278d8f8d0b <----
Notice that the secret from Github is different every time!
I have found others who validate the secret, but I can't see how their code is different from mine.
- https://humanwhocodes.com/snippets/2020/08/validate-github-webhook-signature-nodejs/
- https://gist.github.com/kiewic/a419b8e47b3baf9a301dee598d6ade87
- HMAC Signature doesn't match x-hub-signature from github
- https://gist.github.com/stigok/57d075c1cf2a609cb758898c0b202428
Question
Can anyone figure out why I get a different secret from Github on each event? Or am I doing something wrong?

const express = require("express");
const bodyParser = require("body-parser");
const crypto = require('crypto');
const secret = "x";
const app = express();
const PORT = 8080;
app.use(bodyParser.json());
app.post("/", (req, res) => {
    let sig = "sha1=" + crypto.createHmac('sha1', secret).digest('hex');
    console.log('NodeJs: ' + sig);
    console.log('Github: ' + req.headers['x-hub-signature']);
    res.status(200).end();
});
app.listen(PORT, () => console.log(`Github webhook listening on port ${PORT}`));

req.headers['x-hub-signature'] is not a hash of the secret, but req.body signed with the secret. That is why it is different on each event.
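
const express = require("express");
const bodyParser = require("body-parser");
const crypto = require('crypto');
const secret = "x";
const app = express();
const PORT = 8080;
// Keep the raw request bytes: the signature covers the payload exactly as sent,
// and JSON.stringify(req.body) is not guaranteed to reproduce those bytes.
app.use(bodyParser.json({
    verify: (req, res, buf) => { req.rawBody = buf; }
}));
function isSigOk(request, secret) {
    // calculate the signature over the raw body
    const expectedSignature = "sha1=" +
        crypto.createHmac("sha1", secret)
            .update(request.rawBody || "")
            .digest("hex");
    // compare the signature against the one in the request, in constant time
    const signature = request.headers["x-hub-signature"] || "";
    const received = Buffer.from(signature);
    const expected = Buffer.from(expectedSignature);
    // timingSafeEqual throws on unequal lengths, so check the length first
    if (received.length !== expected.length ||
        !crypto.timingSafeEqual(received, expected)) {
        throw new Error("Invalid signature.");
    }
}
app.post("/", (req, res) => {
    // will throw an error if not ok
    isSigOk(req, secret);
    // Do stuff here
    res.status(200).end();
});
app.listen(PORT, () => console.log(`Github webhook listening on port ${PORT}`));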
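
The following is an added example, not code from the question or the answer. It checks the signature over the raw request bytes with a constant-time comparison, and shows that an HMAC computed without update() is the same for every event while a re-serialized body can stop matching. The function names and the sample payloads are constructed for illustration.

```javascript
const crypto = require("crypto");

// Header value a sender would attach for this exact byte sequence.
function sign(rawBody, secret) {
  return "sha1=" + crypto.createHmac("sha1", secret).update(rawBody).digest("hex");
}

// rawBody must be the bytes as received (Buffer or string), not an object
// that was parsed and then serialized again.
function verifySignature(rawBody, header, secret) {
  if (typeof header !== "string") return false; // header missing
  const expected = Buffer.from(sign(rawBody, secret));
  const received = Buffer.from(header);
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received);
}

// Constructed sample deliveries (not real GitHub payloads).
const secret = "x";
const compact = Buffer.from('{"action":"opened","number":1}');
const spaced = Buffer.from('{ "action": "opened", "number": 1.0 }');

function demo() {
  const results = {};
  for (const [name, raw] of Object.entries({ compact, spaced })) {
    const header = sign(raw, secret); // what the sender attaches
    const reserialized = JSON.stringify(JSON.parse(raw.toString("utf8")));
    results[name] = {
      rawOk: verifySignature(raw, header, secret),
      reserializedOk: verifySignature(reserialized, header, secret),
    };
  }
  // A modified body must fail against the original delivery's header.
  results.tampered = verifySignature(
    Buffer.from('{"action":"closed","number":1}'), sign(compact, secret), secret);
  results.missingHeader = verifySignature(compact, undefined, secret);
  // Without update() the HMAC covers zero bytes, so it never changes per event.
  const noUpdate = "sha1=" + crypto.createHmac("sha1", secret).digest("hex");
  results.noUpdateIsEmptyBody = noUpdate === sign("", secret);
  return results;
}

console.log(demo());
```

The spaced payload verifies from its raw bytes but not after JSON.parse and JSON.stringify, because re-serialization changes the bytes the signature was computed over.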