Something calling read_body before intended plug

I’m trying to build an application that will listen for GitHub webhooks with Phoenix. As part of this, I’m looking to verify a HMAC digest that GitHub sends. I found plug_hmouse which is a large step towards what I need, but I’m having issues with it.

In the README it says that I need to replace Plug.Parsers with plug_hmouse, but I don’t think I’m doing that correctly, in part because I didn’t explicitly use Plug.Parsers before now. Currently in my router.ex I have the following:

  webhook_secret = Application.fetch_env!(:spellcanary, SpellcanaryWeb.Router)[:webhook_secret]

  pipeline :api do
    plug PlugHMouse,
      validate: {"x-hub-signature", webhook_secret},
      hash_algo: :sha
    plug :accepts, ["json"]


  scope "/api", SpellcanaryWeb do
    pipe_through :api

    post "/", GitHubWebhookController, :webhook

However, the module always tells me that I have an incorrect HMAC, and from debugging it looks like something has already parsed the request body before plug_hmouse can get to it. I say this because in the Plug.conn object body_params is set to a map and calling read_body inside plug_hmouse returns nothing.

I’m assuming that this means Plug.Parsers has been called at some point before plug_hmouse since the content coming in is JSON, but I don’t see where it could be called. Does anyone know how to disable it?

Plug.Parsers is part of the default endpoint.ex that Phoenix generates.

FWIW, another approach to this is to capture the raw body and stash it in conn.assigns - see this PR comment.

1 Like

That’s exactly what I was looking for, thanks for the quick reply!