fix: handles verify error (#917)

handles verify error

Author: nickfloyd

.github/workflows/release.yml

@@ -5,7 +5,7 @@ on:
       - master
       - next
       - beta
-      - "v*.x" # maintenance release branches, e.g. v1.x
+      - "*.x" # maintenance release branches, e.g. 1.x
 jobs:
   release:
     name: release

src/verify-and-receive.ts

@@ -20,7 +20,7 @@ export async function verifyAndReceive(
       ? toNormalizedJsonString(event.payload)
       : event.payload,
     event.signature
-  );
+  ).catch(() => false);
 
   if (!matchesSignature) {
     const error = new Error(

test/integration/node-middleware.test.ts

@@ -500,4 +500,51 @@ describe("createNodeMiddleware(webhooks)", () => {
 
     server.close();
   });
+
+  test("Handles invalid signature", async () => {
+    expect.assertions(3);
+
+    const webhooks = new Webhooks({
+      secret: "mySecret",
+    });
+
+    webhooks.onError((error) => {
+      expect(error.message).toContain(
+        "signature does not match event payload and secret"
+      );
+    });
+
+    const log = {
+      debug: jest.fn(),
+      info: jest.fn(),
+      warn: jest.fn(),
+      error: jest.fn(),
+    };
+    const middleware = createNodeMiddleware(webhooks, { log });
+    const server = createServer(middleware).listen();
+
+    // @ts-expect-error complains about { port } although it's included in returned AddressInfo interface
+    const { port } = server.address();
+
+    const response = await fetch(
+      `http://localhost:${port}/api/github/webhooks`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-GitHub-Delivery": "1",
+          "X-GitHub-Event": "push",
+          "X-Hub-Signature-256": "",
+        },
+        body: pushEventPayload,
+      }
+    );
+
+    expect(response.status).toEqual(400);
+    await expect(response.text()).resolves.toContain(
+      "Error: [@octokit/webhooks] signature does not match event payload and secret"
+    );
+
+    server.close();
+  });
 });