fix: compute webhook signature with and without escaping the body (box/box-codegen#737) (#627)

Co-authored-by: box-sdk-build <[email protected]>

Author: box-sdk-build

.codegen.json

@@ -1 +1 @@
-{ "engineHash": "c17f683", "specHash": "630fc85", "version": "1.15.1" }
+{ "engineHash": "3d59200", "specHash": "630fc85", "version": "1.15.1" }

package-lock.json

@@ -267,10 +267,12 @@ export function createAgent(options?: AgentOptions, proxyConfig?: any): Agent {
  * @private
  */
 export function jsonStringifyWithEscapedUnicode(body: string) {
-  return body.replace(
-    /[\u007f-\uffff]/g,
-    (char) => `\\u${`0000${char.charCodeAt(0).toString(16)}`.slice(-4)}`,
-  );
+  return body
+    .replace(
+      /[\u007f-\uffff]/g,
+      (char) => `\\u${`0000${char.charCodeAt(0).toString(16)}`.slice(-4)}`,
+    )
+    .replace(/(?<!\\)\//g, '\\/');
 }
 
 /**
@@ -289,11 +291,9 @@ export async function computeWebhookSignature(
     [key: string]: string;
   },
   signatureKey: string,
+  escapeBody: boolean = false,
 ): Promise<string | null> {
-  const escapedBody = jsonStringifyWithEscapedUnicode(body).replace(
-    /(?<!\\)\//g,
-    '\\/',
-  );
+  const escapedBody = escapeBody ? jsonStringifyWithEscapedUnicode(body) : body;
   if (headers['box-signature-version'] !== '1') {
     return null;
   }

src/internal/utilsBrowser.ts

@@ -215,17 +215,19 @@ export function createAgent(options?: AgentOptions, proxyConfig?: any): Agent {
 }
 
 /**
- * Stringify JSON with escaped multibyte Unicode characters to ensure computed signatures match PHP's default behavior
+ * Stringify JSON with escaped multibyte Unicode characters and slashes to ensure computed signatures match PHP's default behavior
  *
  * @param {Object} body - The parsed JSON object
  * @returns {string} - Stringified JSON with escaped multibyte Unicode characters
  * @private
  */
 export function jsonStringifyWithEscapedUnicode(body: string) {
-  return body.replace(
-    /[\u007f-\uffff]/g,
-    (char) => `\\u${`0000${char.charCodeAt(0).toString(16)}`.slice(-4)}`,
-  );
+  return body
+    .replace(
+      /[\u007f-\uffff]/g,
+      (char) => `\\u${`0000${char.charCodeAt(0).toString(16)}`.slice(-4)}`,
+    )
+    .replace(/(?<!\\)\//g, '\\/');
 }
 
 /**
@@ -235,6 +237,7 @@ export function jsonStringifyWithEscapedUnicode(body: string) {
  * @param {string} body - The request body of the webhook message
  * @param {Object} headers - The request headers of the webhook message
  * @param {string} signatureKey - The signature to verify the message with
+ * @param {string} escapeBody - Indicates if payload should be escaped or left as is
  * @returns {?string} - The message signature (or null, if it can't be computed)
  * @private
  */
@@ -244,11 +247,9 @@ export async function computeWebhookSignature(
     [key: string]: string;
   },
   signatureKey: string,
+  escapeBody: boolean = false,
 ): Promise<string | null> {
-  const escapedBody = jsonStringifyWithEscapedUnicode(body).replace(
-    /(?<!\\)\//g,
-    '\\/',
-  );
+  const escapedBody = escapeBody ? jsonStringifyWithEscapedUnicode(body) : body;
   if (headers['box-signature-version'] !== '1') {
     return null;
   }

src/internal/utilsNode.ts

@@ -680,14 +680,28 @@ export class WebhooksManager {
     }
     if (
       primaryKey &&
-      (await computeWebhookSignature(body, headers, primaryKey)) ==
+      (await computeWebhookSignature(body, headers, primaryKey, false)) ==
         headers['box-signature-primary']
     ) {
       return true;
     }
+    if (
+      primaryKey &&
+      (await computeWebhookSignature(body, headers, primaryKey, true)) ==
+        headers['box-signature-primary']
+    ) {
+      return true;
+    }
+    if (
+      secondaryKey &&
+      (await computeWebhookSignature(body, headers, secondaryKey, false)) ==
+        headers['box-signature-secondary']
+    ) {
+      return true;
+    }
     if (
       secondaryKey &&
-      (await computeWebhookSignature(body, headers, secondaryKey)) ==
+      (await computeWebhookSignature(body, headers, secondaryKey, true)) ==
         headers['box-signature-secondary']
     ) {
       return true;

src/managers/webhooks.generated.ts

@@ -196,11 +196,13 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
         body,
         { ...headers, ...{ ['box-delivery-timestamp']: currentDatetime } },
         primaryKey,
+        true,
       ),
       ['box-signature-secondary']: await computeWebhookSignature(
         body,
         { ...headers, ...{ ['box-delivery-timestamp']: currentDatetime } },
         secondaryKey,
+        true,
       ),
     },
   };
@@ -217,6 +219,7 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
           ...{ ['box-delivery-timestamp']: currentDatetime },
         },
         primaryKey,
+        true,
       ),
       ['box-signature-secondary']: await computeWebhookSignature(
         bodyWithJapanese,
@@ -225,6 +228,7 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
           ...{ ['box-delivery-timestamp']: currentDatetime },
         },
         secondaryKey,
+        true,
       ),
     },
   };
@@ -238,11 +242,13 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
         body,
         { ...headers, ...{ ['box-delivery-timestamp']: futureDatetime } },
         primaryKey,
+        true,
       ),
       ['box-signature-secondary']: await computeWebhookSignature(
         body,
         { ...headers, ...{ ['box-delivery-timestamp']: futureDatetime } },
         secondaryKey,
+        true,
       ),
     },
   };
@@ -256,11 +262,13 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
         body,
         { ...headers, ...{ ['box-delivery-timestamp']: pastDatetime } },
         primaryKey,
+        true,
       ),
       ['box-signature-secondary']: await computeWebhookSignature(
         body,
         { ...headers, ...{ ['box-delivery-timestamp']: pastDatetime } },
         secondaryKey,
+        true,
       ),
     },
   };
@@ -272,23 +280,23 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
   } = { ...headers, ...{ ['box-signature-algorithm']: 'HmacSHA1' } };
   if (
     !(
-      (await computeWebhookSignature(body, headers, primaryKey)) ==
+      (await computeWebhookSignature(body, headers, primaryKey, true)) ==
       headers['box-signature-primary']
     )
   ) {
     throw new Error('Assertion failed');
   }
   if (
     !(
-      (await computeWebhookSignature(body, headers, secondaryKey)) ==
+      (await computeWebhookSignature(body, headers, secondaryKey, true)) ==
       headers['box-signature-secondary']
     )
   ) {
     throw new Error('Assertion failed');
   }
   if (
     !!(
-      (await computeWebhookSignature(body, headers, incorrectKey)) ==
+      (await computeWebhookSignature(body, headers, incorrectKey, true)) ==
       headers['box-signature-primary']
     )
   ) {
@@ -300,6 +308,7 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
         bodyWithJapanese,
         headersWithJapanese,
         primaryKey,
+        true,
       )) == headersWithJapanese['box-signature-primary']
     )
   ) {
@@ -311,6 +320,7 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
         bodyWithEmoji,
         headersWithEmoji,
         primaryKey,
+        true,
       )) == headersWithEmoji['box-signature-primary']
     )
   ) {
@@ -322,6 +332,7 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
         bodyWithCarriageReturn,
         headersWithCarriageReturn,
         primaryKey,
+        true,
       )) == headersWithCarriageReturn['box-signature-primary']
     )
   ) {
@@ -333,6 +344,7 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
         bodyWithForwardSlash,
         headersWithForwardSlash,
         primaryKey,
+        true,
       )) == headersWithForwardSlash['box-signature-primary']
     )
   ) {
@@ -344,6 +356,7 @@ test('testWebhookValidation', async function testWebhookValidation(): Promise<an
         bodyWithBackSlash,
         headersWithBackSlash,
         primaryKey,
+        true,
       )) == headersWithBackSlash['box-signature-primary']
     )
   ) {