From a338e1303b52ee7652c5bd3f3b16ff5297c11933 Mon Sep 17 00:00:00 2001
From: tim-kos
Date: Mon, 27 Apr 2026 10:11:05 +0200
Subject: [PATCH] Enforce sha384 signatures in SDK
---
 README.md | 1 +
 src/Transloadit.js | 3 ++-
 test/unit/__tests__/test-transloadit-client.js | 10 ++++++++++
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 89833660..a79d0116 100644
--- a/README.md
+++ b/README.md
@@ -386,6 +386,7 @@ Retrieves the billing data for a given `date` string with format `YYYY-MM`. See
 #### calcSignature(params)
 Calculates a signature for the given `params` JSON object. If the `params` object does not include an `authKey` or `expires` keys (and their values) in the `auth` sub-key, then they are set automatically.
+Signatures are generated using `sha384`.
 This function returns an object with the key `signature` (containing the calculated signature string) and a key `params`, which contains the stringified version of the passed `params` object (including the set expires and authKey keys).
diff --git a/src/Transloadit.js b/src/Transloadit.js
index a6ff0e0f..aeb983dd 100644
--- a/src/Transloadit.js
+++ b/src/Transloadit.js
@@ -569,7 +569,8 @@ class TransloaditClient {
 return { signature, params: jsonParams }
 }
- _calcSignature(toSign, algorithm = 'sha384') {
+ _calcSignature(toSign) {
+ const algorithm = 'sha384'
 return `${algorithm}:${crypto
 .createHmac(algorithm, this._authSecret)
 .update(Buffer.from(toSign, 'utf-8'))
diff --git a/test/unit/__tests__/test-transloadit-client.js b/test/unit/__tests__/test-transloadit-client.js
index 1a943d08..8b686bf3 100644
--- a/test/unit/__tests__/test-transloadit-client.js
+++ b/test/unit/__tests__/test-transloadit-client.js
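Review bot: `_calcSignature(toSign)` in src/Transloadit.js now drops its second parameter without any signal, so a caller that still passes an algorithm gets a `sha384:`-prefixed signature back and no error, because JavaScript ignores the surplus argument. Failing towards the stronger hash is the safe direction, but the method should state the contract; a doc comment above it such as `/** HMAC-SHA384 of toSign keyed with the auth secret, prefixed with "sha384:". The algorithm is fixed; extra arguments are ignored. */` would do. Callers outside this hunk are not visible here, so any remaining two-argument calls should be checked before merging. The method body continues past the end of the hunk.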
@@ -272,6 +272,16 @@ describe('Transloadit', () => {
 'sha384:fc75f6a4bbb06340653c0f7efff013e94eb8e402e0e45cf40ad4bc95f45a3ae3263032000727359c595a433364a84f96'
 return expect(client._calcSignature('akjdkadskjads')).toBe(expected)
 })
+
+ it('should always generate sha384 signatures', () => {
+ const client = new Transloadit({ authKey: 'foo_key', authSecret: 'foo_secret' })
+ client._authSecret = '13123123123'
+
+ const expected =
+ 'sha384:8b90663d4b7d14ac7d647c74cb53c529198dee4689d0f8faae44f0df1c2a157acce5cb8c55a375218bc331897cf92e9d'
+
+ expect(client._calcSignature('foo', 'sha1')).toBe(expected)
+ })
 })
 describe('_remoteJson', () => {
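Review bot: The new test `should always generate sha384 signatures` pins the result to a hard-coded digest, which shows only indirectly that the `'sha1'` argument had no effect. The property being enforced is easier to read when asserted directly: `expect(client._calcSignature('foo', 'sha1')).toBe(client._calcSignature('foo'))` together with `expect(client._calcSignature('foo', 'sha1')).toMatch(/^sha384:/)`. The fixed digest can stay as an additional known-answer assertion if one is wanted.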