feat: use verifyWithFallback to support secret rotation

src/index.ts

@@ -54,10 +54,12 @@ class Webhooks<TTransformed = unknown> {
 
     const state: State & {
       secret: string;
+      additionalSecrets?: undefined | string[];
       eventHandler: EventHandler<TTransformed>;
     } = {
       eventHandler: createEventHandler(options),
       secret: options.secret,
+      additionalSecrets: options.additionalSecrets,
       hooks: {},
       log: createLogger(options.log),
     };

src/types.ts

@@ -38,6 +38,7 @@ interface BaseWebhookEvent<TName extends WebhookEventName> {
 
 export interface Options<TTransformed = unknown> {
   secret?: string;
+  additionalSecrets?: undefined | string[];
   transform?: TransformMethod<TTransformed>;
   log?: Partial<Logger>;
 }

src/verify-and-receive.ts

@@ -1,4 +1,4 @@
-import { verify } from "@octokit/webhooks-methods";
+import { verifyWithFallback } from "@octokit/webhooks-methods";
 
 import type {
   EmitterWebhookEvent,
@@ -13,10 +13,11 @@ export async function verifyAndReceive(
   event: EmitterWebhookEventWithStringPayloadAndSignature,
 ): Promise<void> {
   // verify will validate that the secret is not undefined
-  const matchesSignature = await verify(
+  const matchesSignature = await verifyWithFallback(
     state.secret,
     event.payload,
     event.signature,
+    state.additionalSecrets,
   ).catch(() => false);
 
   if (!matchesSignature) {

test/integration/node-middleware.test.ts

@@ -639,6 +639,47 @@ describe("createNodeMiddleware(webhooks)", () => {
 
     server.close();
   });
+
+  test("Additional secrets", async () => {
+    const signatureSha256AdditionalSecret = await sign(
+      "additionalSecret2",
+      pushEventPayload,
+    );
+
+    expect.assertions(3);
+
+    const webhooks = new Webhooks({
+      secret: "mySecret",
+      additionalSecrets: ["additionalSecret1", "additionalSecret2"],
+    });
+
+    webhooks.on("push", (event) => {
+      expect(event.id).toBe("123e4567-e89b-12d3-a456-426655440000");
+    });
+
+    const server = createServer(createNodeMiddleware(webhooks)).listen();
+
+    const { port } = server.address() as AddressInfo;
+
+    const response = await fetch(
+      `http://localhost:${port}/api/github/webhooks`,
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-GitHub-Delivery": "123e4567-e89b-12d3-a456-426655440000",
+          "X-GitHub-Event": "push",
+          "X-Hub-Signature-256": signatureSha256AdditionalSecret,
+        },
+        body: pushEventPayload,
+      },
+    );
+
+    expect(response.status).toEqual(200);
+    await expect(response.text()).resolves.toBe("ok\n");
+
+    server.close();
+  });
 });
 
 test("request.body is already an Object and has request.rawBody as Buffer (e.g. GCF)", async () => {