How to use Buffer.from() with crypto.timingSafeEqual()?

出于某种原因我得到

TypeError [ERR_INVALID_ARG_TYPE]: The first argument must be of type string or an instance of Buffer, ArrayBuffer, or Array or an Array-like Object. Received undefined

从两个论点到

crypto.timingSafeEqual(a, b)

我也试过了

const a = Buffer.from(signature, 'utf8').toString('base64');
const b = Buffer.from(expectedSignature, 'utf8').toString('base64');

我得到了同样的错误。

问题

谁能弄清楚为什么参数不是缓冲区？

const express = require("express");
const bodyParser = require("body-parser");
const crypto = require('crypto');
const secret = "x";

const app = express();
const PORT = 8080;

app.use(bodyParser.json());

function isSigOk(request, secret) {
    // calculate the signature
    const expectedSignature = "sha256=" +
        crypto.createHmac("sha256", secret)
            .update(JSON.stringify(request.body))
            .digest("hex");

    // compare the signature against the one in the request
    const signature = request.headers["X-Hub-Signature-256"];
    const a = Buffer.from(signature);
    const b = Buffer.from(expectedSignature);
    return crypto.timingSafeEqual(a, b);
};

app.post("/", (req, res) => {
  if (isSigOk(req, secret)) {
    // Do stuff here
  } else {
    console.log('Error: Signatures does not match. Return res.status(401)');
  };
  res.status(200).end();
});

// Start express on the defined port
app.listen(PORT, () => console.log(`Github wekhook listening on port ${PORT}`));

我看到两个问题：

1. 第一个也是主要的是

   isSigOk

   假设will是

   "X-Hub-Signature-256"

   标题的值：

   const signature = request.headers["X-Hub-Signature-256"];
   const a = Buffer.from(signature);
   

   如果

   Buffer.from

   是

   signature

   ，那么

   undefined

   调用将抛出您引用的错误，因为标题不存在。在这种情况下，您可能想返回

   false

   （并且可能通过稍微重新排序来跳过计算预期签名的开销），请参阅

   ***

   评论和相关行：

   function isSigOk(request, secret) {
       // *** get the signature on this message, if any
       const signature = request.headers["X-Hub-Signature-256"];
       if (!signature) {
           // *** none
           return false;
       }
       // calculate the signature
       const expectedSignature = "sha256=" +
           crypto.createHmac("sha256", secret)
               .update(JSON.stringify(request.body))
               .digest("hex");
   
       // compare the signature against the one in the request
       const a = Buffer.from(signature);
       const b = Buffer.from(expectedSignature);
       return crypto.timingSafeEqual(a, b);
   };
   

2. 资本问题。根据Node.js 文档（Express 的

   Request

   对象继承自Node.js 的

   IncomingMessage

   ），

   headers

   的名称是小写的。所以

   request.headers["X-Hub-Signature-256"]

   应该是

   request.headers["x-hub-signature-256"]

   。 （在评论中你说你得到了一个值，但是评论使用了全部小写，而代码使用了混合大小写。）所以：

   function isSigOk(request, secret) {
       // *** get the signature on this message, if any
       const signature = request.headers["x-hub-signature-256"]; // *** Lowercase
       if (!signature) {
           // *** none
           return false;
       }
       // calculate the signature
       const expectedSignature = "sha256=" +
           crypto.createHmac("sha256", secret)
               .update(JSON.stringify(request.body))
               .digest("hex");
   
       // compare the signature against the one in the request
       const a = Buffer.from(signature);
       const b = Buffer.from(expectedSignature);
       return a.length === b.length && crypto.timingSafeEqual(a, b);
   };
   

   注意其中的

   a.length === b.length &&

   部分。如果缓冲区长度不同，

   timingSafeEqual

   将抛出错误，但我们希望在这种情况下返回 false。