Fix validateWebhook interfaces and update tests

Author: aron

index.d.ts

@@ -340,16 +340,20 @@ declare module "replicate" {
   }
 
   export function validateWebhook(
-    requestData:
-      | Request
-      | {
-          id?: string;
-          timestamp?: string;
-          body: string;
-          secret?: string;
-          signature?: string;
-        },
-    secret: string
+    request: Request,
+    secret: string,
+    crypto?: Crypto
+  ): Promise<boolean>;
+
+  export function validateWebhook(
+    requestData: {
+      id: string;
+      timestamp: string;
+      signature: string;
+      body: string;
+      secret: string;
+    },
+    crypto?: Crypto
   ): Promise<boolean>;
 
   export function parseProgressFromLogs(logs: Prediction | string): {

index.test.ts

@@ -9,6 +9,7 @@ import Replicate, {
 } from "replicate";
 import nock from "nock";
 import { createReadableStream } from "./lib/stream";
+import { webcrypto } from "node:crypto";
 
 let client: Replicate;
 const BASE_URL = "https://api.replicate.com/v1";
@@ -1779,9 +1780,40 @@ describe("Replicate client", () => {
 
       // This is a test secret and should not be used in production
       const secret = "whsec_MfKQ9r8GKYqrTwjUPD8ILPZIo2LaLaSw";
+      if (globalThis.crypto) {
+        const isValid = await validateWebhook(request, secret);
+        expect(isValid).toBe(true);
+      } else {
+        const isValid = await validateWebhook(
+          request,
+          secret,
+          webcrypto as Crypto // Node 18 requires this to be passed manually
+        );
+        expect(isValid).toBe(true);
+      }
+    });
 
-      const isValid = await validateWebhook(request, secret);
-      expect(isValid).toBe(true);
+    test("Can be used to validate webhook", async () => {
+      // Test case from https://github.com/svix/svix-webhooks/blob/b41728cd98a7e7004a6407a623f43977b82fcba4/javascript/src/webhook.test.ts#L190-L200
+      const requestData = {
+        id: "msg_p5jXN8AQM9LWM0D4loKWxJek",
+        timestamp: "1614265330",
+        signature: "v1,g0hM9SsE+OTPJTGt/tmIKtSyZlE3uFJELVlNIOLJ1OE=",
+        body: `{"test": 2432232314}`,
+        secret: "whsec_MfKQ9r8GKYqrTwjUPD8ILPZIo2LaLaSw",
+      };
+
+      // This is a test secret and should not be used in production
+      if (globalThis.crypto) {
+        const isValid = await validateWebhook(requestData);
+        expect(isValid).toBe(true);
+      } else {
+        const isValid = await validateWebhook(
+          requestData,
+          webcrypto as Crypto // Node 18 requires this to be passed manually
+        );
+        expect(isValid).toBe(true);
+      }
     });
 
     // Add more tests for error handling, edge cases, etc.

lib/util.js

@@ -10,6 +10,7 @@ const { create: createFile } = require("./files");
  * @param {string} requestData.body - The raw body of the incoming webhook request.
  * @param {string} requestData.secret - The webhook secret, obtained from `replicate.webhooks.defaul.secret` method.
  * @param {string} requestData.signature - The webhook signature header from the incoming request, comprising one or more space-delimited signatures.
+ * @param {Crypto} [crypto] - An optional `Crypto` implementation that conforms to the [browser Crypto interface](https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto)
  */
 
 /**
@@ -22,6 +23,7 @@ const { create: createFile } = require("./files");
  * @param {string} requestData.headers["webhook-signature"] - The webhook signature header from the incoming request, comprising one or more space-delimited signatures
  * @param {string} requestData.body - The raw body of the incoming webhook request
  * @param {string} secret - The webhook secret, obtained from `replicate.webhooks.defaul.secret` method
+ * @param {Crypto} [crypto] - An optional `Crypto` implementation that conforms to the [browser Crypto interface](https://developer.mozilla.org/en-US/docs/Web/API/Window/crypto)
  */
 
 /**
@@ -30,9 +32,13 @@ const { create: createFile } = require("./files");
  * @returns {Promise<boolean>} - True if the signature is valid
  * @throws {Error} - If the request is missing required headers, body, or secret
  */
-async function validateWebhook(requestData, secret) {
-  let { id, timestamp, body, signature } = requestData;
-  const signingSecret = secret || requestData.secret;
+async function validateWebhook(requestData, secretOrCrypto, customCrypto) {
+  let id;
+  let body;
+  let timestamp;
+  let signature;
+  let secret;
+  let crypto = globalThis.crypto;
 
   if (requestData && requestData.headers && requestData.body) {
     if (typeof requestData.headers.get === "function") {
@@ -47,6 +53,19 @@ async function validateWebhook(requestData, secret) {
       signature = requestData.headers["webhook-signature"];
     }
     body = requestData.body;
+    secret = secretOrCrypto;
+    if (customCrypto) {
+      crypto = customCrypto;
+    }
+  } else {
+    id = requestData.id;
+    body = requestData.body;
+    timestamp = requestData.timestamp;
+    signature = requestData.signature;
+    secret = requestData.secret;
+    if (secretOrCrypto) {
+      crypto = secretOrCrypto;
+    }
   }
 
   if (body instanceof ReadableStream || body.readable) {
@@ -71,15 +90,22 @@ async function validateWebhook(requestData, secret) {
     throw new Error("Missing required body");
   }
 
-  if (!signingSecret) {
+  if (!secret) {
     throw new Error("Missing required secret");
   }
 
+  if (!crypto) {
+    throw new Error(
+      'Missing `crypto` implementation. If using Node 18 pass in require("node:crypto").webcrypto'
+    );
+  }
+
   const signedContent = `${id}.${timestamp}.${body}`;
 
   const computedSignature = await createHMACSHA256(
-    signingSecret.split("_").pop(),
-    signedContent
+    secret.split("_").pop(),
+    signedContent,
+    crypto
   );
 
   const expectedSignatures = signature
@@ -94,8 +120,9 @@ async function validateWebhook(requestData, secret) {
 /**
  * @param {string} secret - base64 encoded string
  * @param {string} data - text body of request
+ * @param {Crypto} crypto - an implementation of the web Crypto api
  */
-async function createHMACSHA256(secret, data) {
+async function createHMACSHA256(secret, data, crypto) {
   const encoder = new TextEncoder();
   const key = await crypto.subtle.importKey(
     "raw",