# HG changeset patch # User Kim Alvefur # Date 1535125793 -7200 # Node ID f48bedd1d4337882346899f6f5a6f8d1223fd292 # Parent a65f4297264be66cbdb2a72f1dc260657cc3ef5c mod_pubsub_github: Add support for signed requests diff -r a65f4297264b -r f48bedd1d433 mod_pubsub_github/README.markdown --- a/mod_pubsub_github/README.markdown Fri Aug 24 17:46:47 2018 +0200 +++ b/mod_pubsub_github/README.markdown Fri Aug 24 17:49:53 2018 +0200 @@ -1,10 +1,9 @@ --- labels: 'Stage-Beta' summary: Publish Github commits over pubsub -... +--- -Introduction ------------- +## Introduction This module accepts Github web hooks and publishes them to a local pubsub component for XMPP clients to subscribe to. @@ -13,8 +12,7 @@ It may also work with Gitlab. -Configuration -------------- +## Configuration Load the module on a pubsub component: @@ -23,9 +21,10 @@ The module also takes the following config options: - Name Default Description - -------------- ---------- ---------------------------------------- - github\_node "github" The pubsub node to publish commits on. + Name Default Description + ---------------- ----------- ------------------------------------------- + github\_node "github" The pubsub node to publish commits on. + github\_secret *not set* Shared secret used to sign HTTP requests. The URL for Github to post to would be either: @@ -36,9 +35,9 @@ need to inform Prosody. For more info see Prosody's [HTTP server documentation](https://prosody.im/doc/http#virtual_hosts). -Compatibility -------------- +## Compatibility - ----- ------- - 0.9 Works - ----- ------- + ------ ------------- + 0.10 Should work + 0.9 Works + ------ ------------- diff -r a65f4297264b -r f48bedd1d433 mod_pubsub_github/mod_pubsub_github.lua --- a/mod_pubsub_github/mod_pubsub_github.lua Fri Aug 24 17:46:47 2018 +0200 +++ b/mod_pubsub_github/mod_pubsub_github.lua Fri Aug 24 17:49:53 2018 +0200 
@@ -3,12 +3,17 @@
 local st = require "util.stanza";
 local json = require "util.json";
 local formdecode = require "net.http".formdecode;
+local hmac_sha1 = require "util.hashes".hmac_sha1;
 local pubsub_service = module:depends("pubsub").service;
 local node = module:get_option("github_node", "github");
+local secret = module:get_option("github_secret");
 function handle_POST(event)
 local request = event.request;
+ if secret and ("sha1=" .. hmac_sha1(secret, request.body, true)) ~= request.headers.x_hub_signature then
+ return 401;
+ end
 local data = json.decode(request.body);
 if not data then
 return "Invalid JSON. From you of all people...";
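Review bot: The signature check added to handle_POST compares the computed and received digests with `~=`, which is not guaranteed to be constant-time, and it rejects silently, so failed or forged deliveries leave no trace for an operator. If the targeted Prosody version's util.hashes provides a constant-time `equals`, prefer it over `~=`, and add a line such as `module:log("warn", "Rejecting webhook with missing or invalid X-Hub-Signature");` before `return 401;`. Verification is also skipped entirely when `github_secret` is unset, so the endpoint stays unauthenticated by default; a comment on the `secret` line, e.g. `-- nil disables signature verification: any client that can reach the URL can publish`, would make that explicit. A missing header does fail closed, because the computed string never equals nil. The body of handle_POST continues outside the hunk.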