Mercurial > prosody-modules
comparison mod_pubsub_github/mod_pubsub_github.lua @ 3520:37e89a76c7d7
mod_pubsub_github: Lift signature validation from mod_pubsub_post
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Sun, 31 Mar 2019 18:21:22 +0200 |
| parents | ac623080324a |
| children | a200fbce0ecb |
comparison
equal
deleted
inserted
replaced
| 3519:ac623080324a | 3520:37e89a76c7d7 |
|---|---|
| 1 module:depends("http"); | 1 module:depends("http"); |
| 2 | 2 |
| 3 local st = require "util.stanza"; | 3 local st = require "util.stanza"; |
| 4 local json = require "util.json"; | 4 local json = require "util.json"; |
| 5 local hmac_sha1 = require "util.hashes".hmac_sha1; | 5 local hashes = require "util.hashes"; |
| 6 local from_hex = require "util.hex".from; | |
| 7 local hmacs = { | |
| 8 sha1 = hashes.hmac_sha1; | |
| 9 sha256 = hashes.hmac_sha256; | |
| 10 sha384 = hashes.hmac_sha384; | |
| 11 sha512 = hashes.hmac_sha512; | |
| 12 }; | |
| 6 | 13 |
| 7 local pubsub_service = module:depends("pubsub").service; | 14 local pubsub_service = module:depends("pubsub").service; |
| 8 local default_node = module:get_option("github_node", "github"); | 15 local default_node = module:get_option("github_node", "github"); |
| 9 local node_prefix = module:get_option_string("github_node_prefix", "github/"); | 16 local node_prefix = module:get_option_string("github_node_prefix", "github/"); |
| 10 local node_mapping = module:get_option_string("github_node_mapping"); | 17 local node_mapping = module:get_option_string("github_node_mapping"); |
| 18 ["item-not-found"] = 404; | 25 ["item-not-found"] = 404; |
| 19 ["internal-server-error"] = 500; | 26 ["internal-server-error"] = 500; |
| 20 ["conflict"] = 409; | 27 ["conflict"] = 409; |
| 21 }; | 28 }; |
| 22 | 29 |
| 30 local function verify_signature(secret, body, signature) | |
| 31 if not signature then return false; end | |
| 32 local algo, digest = signature:match("^([^=]+)=(%x+)"); | |
| 33 if not algo then return false; end | |
| 34 local hmac = hmacs[algo]; | |
| 35 if not algo then return false; end | |
| 36 return hmac(secret, body) == from_hex(digest); | |
| 37 end | |
| 38 | |
| 23 function handle_POST(event) | 39 function handle_POST(event) |
| 24 local request, response = event.request, event.response; | 40 local request, response = event.request, event.response; |
| 25 if ("sha1=" .. hmac_sha1(secret, request.body, true)) ~= request.headers.x_hub_signature then | 41 |
| 42 if not verify_signature(secret, request.body, request.headers.x_hub_signature) then | |
| 43 module:log("debug", "Signature validation failed"); | |
| 26 return 401; | 44 return 401; |
| 27 end | 45 end |
| 28 local data = json.decode(request.body); | 46 local data = json.decode(request.body); |
| 29 if not data then | 47 if not data then |
| 30 response.status_code = 400; | 48 response.status_code = 400; |