fix: remove dependency on tweetnacl

Author: JustinBeckwith

README.md

@@ -21,7 +21,7 @@ Use `verifyKey` to check a request signature:
 ```js
  const signature = req.get('X-Signature-Ed25519');
  const timestamp = req.get('X-Signature-Timestamp');
- const isValidRequest = verifyKey(req.rawBody, signature, timestamp, 'MY_CLIENT_PUBLIC_KEY');
+ const isValidRequest = await verifyKey(req.rawBody, signature, timestamp, 'MY_CLIENT_PUBLIC_KEY');
  if (!isValidRequest) {
    return res.status(401).end('Bad request signature');
  }

package-lock.json

@@ -18,20 +18,19 @@
   "files": [
     "dist/**/*"
   ],
-  "prepare": "npm run build",
   "types": "dist/index.d.ts",
   "keywords": [
     "discord"
   ],
   "scripts": {
+    "prepare": "npm run build",
     "build": "tsc",
     "build:watch": "tsc --watch",
     "fix": "biome check --apply .",
     "lint": "biome check .",
     "test": "jest --verbose"
   },
   "dependencies": {
-    "tweetnacl": "^1.0.3"
   },
   "devDependencies": {
     "@biomejs/biome": "^1.7.3",

package.json

@@ -1,4 +1,4 @@
-import nacl from 'tweetnacl';
+import { arrayBufferToBase64 } from "../../util";
 
 // Example PING request body
 export const pingRequestBody = JSON.stringify({
@@ -51,10 +51,17 @@ export const autocompleteRequestBody = JSON.stringify({
 	},
 });
 
-// Generate a "valid" keypair
-export const validKeyPair = nacl.sign.keyPair();
-// Generate an "invalid" keypair
-export const invalidKeyPair = nacl.sign.keyPair();
+export async function generateKeyPair() {
+	const keyPair = await crypto.subtle.generateKey(
+		{
+			name: 'ed25519',
+			namedCurve: 'ed25519',
+		},
+		true,
+		['sign', 'verify'],
+	);
+	return keyPair;
+}
 
 export type SignedRequest = {
 	body: string;
@@ -66,22 +73,22 @@ export type ExampleRequestResponse = {
 	body: string;
 };
 
-export function signRequestWithKeyPair(
+export async function signRequestWithKeyPair(
 	body: string,
-	privateKey: Uint8Array,
-): SignedRequest {
+	privateKey: CryptoKey,
+) {
+	const encoder = new TextEncoder();
 	const timestamp = String(Math.round(new Date().getTime() / 1000));
-	const signature = Buffer.from(
-		nacl.sign.detached(
-			Uint8Array.from(
-				Buffer.concat([Buffer.from(timestamp), Buffer.from(body)]),
-			),
-			privateKey,
-		),
-	).toString('hex');
+	const signature = await crypto.subtle.sign(
+		{
+			name: 'ed25519',
+		},
+		privateKey,
+		encoder.encode(timestamp + body),
+	);
 	return {
 		body,
-		signature,
+		signature: arrayBufferToBase64(signature),
 		timestamp,
 	};
 }

src/__tests__/utils/SharedTestUtils.ts

@@ -1,137 +1,136 @@
 import { verifyKey } from '../index';
 import {
-	invalidKeyPair,
+	generateKeyPair,
 	pingRequestBody,
 	signRequestWithKeyPair,
-	validKeyPair,
 } from './utils/SharedTestUtils';
 
 describe('verify key method', () => {
-	it('valid ping request', () => {
+	let validKeyPair: CryptoKeyPair;
+	let invalidKeyPair: CryptoKeyPair;
+
+	beforeAll(async () => {
+		validKeyPair = await generateKeyPair();
+		invalidKeyPair = await generateKeyPair();
+	});
+
+	it('valid ping request', async () => {
 		// Sign and verify a valid ping request
-		const signedRequest = signRequestWithKeyPair(
+		const signedRequest = await signRequestWithKeyPair(
 			pingRequestBody,
-			validKeyPair.secretKey,
-		);
-		expect(
-			verifyKey(
-				signedRequest.body,
-				signedRequest.signature,
-				signedRequest.timestamp,
-				validKeyPair.publicKey,
-			),
-		).toBe(true);
+			validKeyPair.privateKey,
+		);
+		const isValid = await verifyKey(
+			signedRequest.body,
+			signedRequest.signature,
+			signedRequest.timestamp,
+			validKeyPair.publicKey,
+		);
+		expect(isValid).toBe(true);
 	});
 
-	it('valid application command', () => {
+	it('valid application command', async () => {
 		// Sign and verify a valid application command request
-		const signedRequest = signRequestWithKeyPair(
+		const signedRequest = await signRequestWithKeyPair(
 			pingRequestBody,
-			validKeyPair.secretKey,
-		);
-		expect(
-			verifyKey(
-				signedRequest.body,
-				signedRequest.signature,
-				signedRequest.timestamp,
-				validKeyPair.publicKey,
-			),
-		).toBe(true);
+			validKeyPair.privateKey,
+		);
+		const isValid = await verifyKey(
+			signedRequest.body,
+			signedRequest.signature,
+			signedRequest.timestamp,
+			validKeyPair.publicKey,
+		);
+		expect(isValid).toBe(true);
 	});
 
-	it('valid message component', () => {
+	it('valid message component', async () => {
 		// Sign and verify a valid message component request
-		const signedRequest = signRequestWithKeyPair(
+		const signedRequest = await signRequestWithKeyPair(
 			pingRequestBody,
-			validKeyPair.secretKey,
-		);
-		expect(
-			verifyKey(
-				signedRequest.body,
-				signedRequest.signature,
-				signedRequest.timestamp,
-				validKeyPair.publicKey,
-			),
-		).toBe(true);
+			validKeyPair.privateKey,
+		);
+		const isValid = await verifyKey(
+			signedRequest.body,
+			signedRequest.signature,
+			signedRequest.timestamp,
+			validKeyPair.publicKey,
+		);
+		expect(isValid).toBe(true);
 	});
 
-	it('valid autocomplete', () => {
+	it('valid autocomplete', async () => {
 		// Sign and verify a valid autocomplete request
-		const signedRequest = signRequestWithKeyPair(
+		const signedRequest = await signRequestWithKeyPair(
 			pingRequestBody,
-			validKeyPair.secretKey,
-		);
-		expect(
-			verifyKey(
-				signedRequest.body,
-				signedRequest.signature,
-				signedRequest.timestamp,
-				validKeyPair.publicKey,
-			),
-		).toBe(true);
+			validKeyPair.privateKey,
+		);
+		const isValid = await verifyKey(
+			signedRequest.body,
+			signedRequest.signature,
+			signedRequest.timestamp,
+			validKeyPair.publicKey,
+		);
+		expect(isValid).toBe(true);
 	});
 
-	it('invalid key', () => {
+	it('invalid key', async () => {
 		// Sign a request with a different private key and verify with the valid public key
-		const signedRequest = signRequestWithKeyPair(
+		const signedRequest = await signRequestWithKeyPair(
 			pingRequestBody,
-			invalidKeyPair.secretKey,
-		);
-		expect(
-			verifyKey(
-				signedRequest.body,
-				signedRequest.signature,
-				signedRequest.timestamp,
-				validKeyPair.publicKey,
-			),
-		).toBe(false);
+			invalidKeyPair.privateKey,
+		);
+		const isValid = await verifyKey(
+			signedRequest.body,
+			signedRequest.signature,
+			signedRequest.timestamp,
+			validKeyPair.publicKey,
+		);
+		expect(isValid).toBe(false);
 	});
 
-	it('invalid body', () => {
+	it('invalid body', async () => {
 		// Sign a valid request and verify with an invalid body
-		const signedRequest = signRequestWithKeyPair(
+		const signedRequest = await signRequestWithKeyPair(
 			pingRequestBody,
-			validKeyPair.secretKey,
-		);
-		expect(
-			verifyKey(
-				'example invalid body',
-				signedRequest.signature,
-				signedRequest.timestamp,
-				validKeyPair.publicKey,
-			),
-		).toBe(false);
+			validKeyPair.privateKey,
+		);
+		const isValid = await verifyKey(
+			'example invalid body',
+			signedRequest.signature,
+			signedRequest.timestamp,
+			validKeyPair.publicKey,
+		);
+		expect(isValid).toBe(false);
 	});
 
-	it('invalid signature', () => {
+	it('invalid signature', async () => {
 		// Sign a valid request and verify with an invalid signature
-		const signedRequest = signRequestWithKeyPair(
+		const signedRequest = await signRequestWithKeyPair(
 			pingRequestBody,
-			validKeyPair.secretKey,
-		);
-		expect(
-			verifyKey(
-				signedRequest.body,
-				'example invalid signature',
-				signedRequest.timestamp,
-				validKeyPair.publicKey,
-			),
-		).toBe(false);
+			validKeyPair.privateKey,
+		);
+		const isValid = await verifyKey(
+			signedRequest.body,
+			'example invalid signature',
+			signedRequest.timestamp,
+			validKeyPair.publicKey,
+		);
+		expect(isValid).toBe(false);
 	});
 
-	it('invalid timestamp', () => {
+	it('invalid timestamp', async () => {
 		// Sign a valid request and verify with an invalid timestamp
-		const signedRequest = signRequestWithKeyPair(
+		const signedRequest = await signRequestWithKeyPair(
 			pingRequestBody,
-			validKeyPair.secretKey,
-		);
-		expect(
-			verifyKey(
-				'example invalid body',
-				signedRequest.signature,
-				String(Math.round(new Date().getTime() / 1000) - 10000),
-				validKeyPair.publicKey,
-			),
-		).toBe(false);
+			validKeyPair.privateKey,
+		);
+		const isValid = await verifyKey(
+			'example invalid body',
+			signedRequest.signature,
+			String(Math.round(new Date().getTime() / 1000) - 10000),
+			validKeyPair.publicKey,
+		);
+		expect(isValid).toBe(false);
 	});
 });