diff mod_pubsub_github/mod_pubsub_github.lua @ 3520:37e89a76c7d7
mod_pubsub_github: Lift signature validation from mod_pubsub_post
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Sun, 31 Mar 2019 18:21:22 +0200 |
parents | ac623080324a |
children | a200fbce0ecb |
--- a/mod_pubsub_github/mod_pubsub_github.lua	Sun Mar 31 18:16:49 2019 +0200
+++ b/mod_pubsub_github/mod_pubsub_github.lua	Sun Mar 31 18:21:22 2019 +0200
@@ -2,7 +2,14 @@
 
 local st = require "util.stanza";
 local json = require "util.json";
-local hmac_sha1 = require "util.hashes".hmac_sha1;
+local hashes = require "util.hashes";
+local from_hex = require "util.hex".from;
+local hmacs = {
+	sha1 = hashes.hmac_sha1;
+	sha256 = hashes.hmac_sha256;
+	sha384 = hashes.hmac_sha384;
+	sha512 = hashes.hmac_sha512;
+};
 
 local pubsub_service = module:depends("pubsub").service;
 local default_node = module:get_option("github_node", "github");
@@ -20,9 +27,20 @@
 	["conflict"] = 409;
 };
 
+local function verify_signature(secret, body, signature)
+	if not signature then return false; end
+	local algo, digest = signature:match("^([^=]+)=(%x+)");
+	if not algo then return false; end
+	local hmac = hmacs[algo];
+	if not algo then return false; end
+	return hmac(secret, body) == from_hex(digest);
+end
+
 function handle_POST(event)
 	local request, response = event.request, event.response;
-	if ("sha1=" .. hmac_sha1(secret, request.body, true)) ~= request.headers.x_hub_signature then
+
+	if not verify_signature(secret, request.body, request.headers.x_hub_signature) then
+		module:log("debug", "Signature validation failed");
 		return 401;
 	end
 	local data = json.decode(request.body);
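Review bot: In `verify_signature`, the guard that follows `local hmac = hmacs[algo];` re-tests `algo` instead of `hmac`, so a signature naming an algorithm not in the table (for example `md5=…`) gets past both checks and `hmac(secret, body)` becomes a call on nil, failing the request with a Lua error rather than the intended 401. That line should read `if not hmac then return false; end`. Two smaller points while here: the pattern has no `$` anchor and `%x+` accepts an odd-length digest, so whether trailing or truncated input is rejected or raises depends entirely on how `from_hex` handles it, which is worth confirming; and the final `==` on the two byte strings is presumably not a constant-time comparison, so a dedicated compare helper, if one is available in util.hashes, would be preferable for the longer digests. `handle_POST` continues past the end of this hunk.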