From 449b15967762bc18f722e649102ffc91e26f364e Mon Sep 17 00:00:00 2001
From: Gregor Martynus <39992+gr2m@users.noreply.github.com>
Date: Tue, 14 Nov 2023 13:21:13 -0800
Subject: [PATCH] fix: handle error thrown by `verify` method (#914)

* test: handle error thrown by `verify` method
* fix: handle error thrown by `verify` method
* test: remove `.only`
---
 src/verify-and-receive.ts | 2 +-
 test/integration/node-middleware.test.ts | 47 ++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/src/verify-and-receive.ts b/src/verify-and-receive.ts
index 022b30b3..2165ab2b 100644
--- a/src/verify-and-receive.ts
+++ b/src/verify-and-receive.ts
@@ -14,7 +14,7 @@ export async function verifyAndReceive(
 state.secret,
 event.payload,
 event.signature,
- );
+ ).catch(() => false);
 if (!matchesSignature) {
 const error = new Error(
diff --git a/test/integration/node-middleware.test.ts b/test/integration/node-middleware.test.ts
index 121807ab..51d7eb13 100644
--- a/test/integration/node-middleware.test.ts
+++ b/test/integration/node-middleware.test.ts
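Review bot: The `.catch(() => false)` added to the `verify(...)` call in `src/verify-and-receive.ts` discards every rejection, so a fault on the receiving side (presumably something like an unset secret) is reported to the sender exactly like a forged or empty signature and leaves nothing for the operator to diagnose. Treating any verification error as a failed check is the right fail-closed behaviour, but the original error should survive: capture it with `.catch((error) => { verifyError = error; return false; })` and pass it on, for example as `{ cause: verifyError }` on the mismatch error built just below, if the build target supports error causes. A one-line comment such as `// verify() may reject on missing or malformed input; any rejection counts as a failed signature check` would also record why the catch is there. `verifyAndReceive` starts above and continues below this hunk, so how the mismatch error is constructed and reported is not visible here.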
@@ -604,4 +604,51 @@ describe("createNodeMiddleware(webhooks)", () => {
 server.close();
 });
+
+ test("Handles invalid signature", async () => {
+ expect.assertions(3);
+
+ const webhooks = new Webhooks({
+ secret: "mySecret",
+ });
+
+ webhooks.onError((error) => {
+ expect(error.message).toContain(
+ "signature does not match event payload and secret",
+ );
+ });
+
+ const log = {
+ debug: jest.fn(),
+ info: jest.fn(),
+ warn: jest.fn(),
+ error: jest.fn(),
+ };
+ const middleware = createNodeMiddleware(webhooks, { log });
+ const server = createServer(middleware).listen();
+
+ // @ts-expect-error complains about { port } although it's included in returned AddressInfo interface
+ const { port } = server.address();
+
+ const response = await fetch(
+ `http://localhost:${port}/api/github/webhooks`,
+ {
+ method: "POST",
+ headers: {
+ "Content-Type": "application/json",
+ "X-GitHub-Delivery": "1",
+ "X-GitHub-Event": "push",
+ "X-Hub-Signature-256": "",
+ },
+ body: pushEventPayload,
+ },
+ );
+
+ expect(response.status).toEqual(400);
+ await expect(response.text()).resolves.toBe(
+ '{"error":"Error: [@octokit/webhooks] signature does not match event payload and secret"}',
+ );
+
+ server.close();
+ });
 });
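Review bot: The new "Handles invalid signature" test pins the 400 response and the `onError` message, but it never asserts the property that matters for signature checking: that the payload is not delivered to event handlers when verification fails. Registering a spy, `const onPush = jest.fn(); webhooks.on("push", onPush);`, and ending with `expect(onPush).not.toHaveBeenCalled();` (raising the count to `expect.assertions(4)`) would cover that. The `log` mock is passed to `createNodeMiddleware` but none of its functions are asserted on; either check what is logged on a failed verification, or add a short comment if the mock is only there to silence output. Only the empty `X-Hub-Signature-256` case is exercised here; a well-formed but wrong signature may be covered elsewhere in the file, which is outside this hunk.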