Something calling read_body before intended plug

I’m trying to build an application that will listen for GitHub webhooks with Phoenix. As part of this, I’m looking to verify an HMAC digest that GitHub sends. I found plug_hmouse which is a large step towards what I need, but I’m having issues with it.

In the README it says that I need to replace Plug.Parsers with plug_hmouse, but I don’t think I’m doing that correctly, in part because I didn’t explicitly use Plug.Parsers before now. Currently in my router.ex I have the following:

  webhook_secret = Application.fetch_env!(:spellcanary, SpellcanaryWeb.Router)[:webhook_secret]

  pipeline :api do
    plug PlugHMouse,
      validate: {"x-hub-signature", webhook_secret},
      hash_algo: :sha
    plug :accepts, ["json"]
  end

  ...

  scope "/api", SpellcanaryWeb do
    pipe_through :api

    post "/", GitHubWebhookController, :webhook
  end

However, the module always tells me that I have an incorrect HMAC, and from debugging it looks like something has already parsed the request body before plug_hmouse can get to it. I say this because in the Plug.Conn object body_params is set to a map and calling read_body inside plug_hmouse returns nothing.

I’m assuming that this means Plug.Parsers has been called at some point before plug_hmouse since the content coming in is JSON, but I don’t see where it could be called. Does anyone know how to disable it?

Plug.Parsers is part of the default endpoint.ex that Phoenix generates.

FWIW, another approach to this is to capture the raw body and stash it in conn.assigns - see this PR comment.


That’s exactly what I was looking for, thanks for the quick reply!
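
The raw-body approach mentioned in the reply above, as an added example that is not code from the thread or from the linked PR comment. It assumes Plug.Parsers' `:body_reader` option, a `sha1=<hex>` value in the `x-hub-signature` header, and two hypothetical module names, `CacheBodyReader` and `VerifyGitHubSignature`:

```elixir
defmodule CacheBodyReader do
  # Hypothetical module. Wire it into the Plug.Parsers call in endpoint.ex:
  #   plug Plug.Parsers,
  #     parsers: [:urlencoded, :multipart, :json],
  #     pass: ["*/*"],
  #     body_reader: {CacheBodyReader, :read_body, []},
  #     json_decoder: Phoenix.json_library()
  def read_body(conn, opts) do
    case Plug.Conn.read_body(conn, opts) do
      {:ok, chunk, conn} -> {:ok, chunk, stash(conn, chunk)}
      {:more, chunk, conn} -> {:more, chunk, stash(conn, chunk)}
      {:error, _reason} = error -> error
    end
  end

  # Large bodies arrive in several chunks; each one is prepended,
  # so the stored list is in reverse arrival order.
  defp stash(conn, chunk) do
    update_in(conn.assigns[:raw_body], &[chunk | (&1 || [])])
  end
end

defmodule VerifyGitHubSignature do
  # Hypothetical plug. In router.ex, inside the :api pipeline:
  #   plug VerifyGitHubSignature, secret: webhook_secret
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, opts) do
    secret = Keyword.fetch!(opts, :secret)

    # Rebuild the exact bytes that were sent; a missing body becomes "".
    raw = conn.assigns[:raw_body] |> List.wrap() |> Enum.reverse() |> IO.iodata_to_binary()
    expected = "sha1=" <> Base.encode16(:crypto.mac(:hmac, :sha, secret, raw), case: :lower)

    case get_req_header(conn, "x-hub-signature") do
      # secure_compare/2 runs in constant time, so it leaks no timing signal.
      [given] -> if Plug.Crypto.secure_compare(given, expected), do: conn, else: reject(conn)
      # Header missing or sent more than once: treat as unsigned.
      _ -> reject(conn)
    end
  end

  defp reject(conn), do: conn |> send_resp(401, "invalid signature") |> halt()
end
```

The HMAC must be computed over the cached bytes rather than over re-encoded `body_params`, because re-encoding the parsed JSON is not guaranteed to reproduce the bytes GitHub signed.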