changeset 3264:f48bedd1d433

mod_pubsub_github: Add support for signed requests
author Kim Alvefur <zash@zash.se>
date Fri, 24 Aug 2018 17:49:53 +0200
parents a65f4297264b
children d4207ab8ccc1
files mod_pubsub_github/README.markdown mod_pubsub_github/mod_pubsub_github.lua
diffstat 2 files changed, 17 insertions(+), 13 deletions(-) [+]
--- a/mod_pubsub_github/README.markdown	Fri Aug 24 17:46:47 2018 +0200
+++ b/mod_pubsub_github/README.markdown	Fri Aug 24 17:49:53 2018 +0200
@@ -1,10 +1,9 @@
 ---
 labels: 'Stage-Beta'
 summary: Publish Github commits over pubsub
-...
+---
 
-Introduction
-------------
+## Introduction
 
 This module accepts Github web hooks and publishes them to a local
 pubsub component for XMPP clients to subscribe to.
@@ -13,8 +12,7 @@
 
 It may also work with Gitlab.
 
-Configuration
--------------
+## Configuration
 
 Load the module on a pubsub component:
 
@@ -23,9 +21,10 @@
 
 The module also takes the following config options:
 
-  Name           Default    Description
-  -------------- ---------- ----------------------------------------
-  github\_node   "github"   The pubsub node to publish commits on.
+  Name             Default     Description
+  ---------------- ----------- -------------------------------------------
+  github\_node     "github"    The pubsub node to publish commits on.
+  github\_secret   *not set*   Shared secret used to sign HTTP requests.
 
 The URL for Github to post to would be either:
 
@@ -36,9 +35,9 @@
 need to inform Prosody. For more info see Prosody's [HTTP server
 documentation](https://prosody.im/doc/http#virtual_hosts).
 
-Compatibility
--------------
+## Compatibility
 
-  ----- -------
-  0.9   Works
-  ----- -------
+  ------ -------------
+  0.10   Should work
+  0.9    Works
+  ------ -------------
--- a/mod_pubsub_github/mod_pubsub_github.lua	Fri Aug 24 17:46:47 2018 +0200
+++ b/mod_pubsub_github/mod_pubsub_github.lua	Fri Aug 24 17:49:53 2018 +0200
@@ -3,12 +3,17 @@
 local st = require "util.stanza";
 local json = require "util.json";
 local formdecode = require "net.http".formdecode;
+local hmac_sha1 = require "util.hashes".hmac_sha1;
 
 local pubsub_service = module:depends("pubsub").service;
 local node = module:get_option("github_node", "github");
+local secret = module:get_option("github_secret");
 
 function handle_POST(event)
 	local request = event.request;
+	if secret and ("sha1=" .. hmac_sha1(secret, request.body, true)) ~= request.headers.x_hub_signature then
+		return 401;
+	end
 	local data = json.decode(request.body);
 	if not data then
 		return "Invalid JSON. From you of all people...";
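Review bot: The signature check on the added `if secret and ... ~= request.headers.x_hub_signature then` line is skipped entirely when `github_secret` is unset, so the default configuration still publishes any POST body it receives to the pubsub node. Since the option defaults to not set, a load-time warning would make that visible to operators, e.g. `if not secret then module:log("warn", "github_secret is not set, incoming webhook requests are not authenticated"); end`. The rejection path returns 401 without logging anything, which leaves nothing to alert on; adding `module:log("warn", "Rejected webhook request with missing or invalid X-Hub-Signature");` before `return 401;` (ideally with the peer address) would help. The digest is compared with a plain `~=`, which is not guaranteed to be constant-time, so a constant-time comparison helper is preferable if the targeted Prosody version provides one. handle_POST continues past the end of this hunk.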