Hey all, working on my first Elixir/Phoenix project, which includes a Discord bot.
Per the Discord documentation, applications must validate each request. In order to add an an interactions endpoint URL, the application must validate the request, and respond with the expected response.
In particular, Discord includes two headers:
X-Signature-Ed25519
X-Signature-Timestamp
The expectation, as I understand, is to concatenate the timestamp and the raw request body, hash them using my application’s public key, and compare the result with the signature included in Discord’s header.
I’ve created a plug for this purpose, and the code is below. I’m assuming the issue is with the way that I’m creating the hash to compare. When I do that, my hash result is much shorter than the signature included in the header.
Does anything stick out in the code below? Thanks!
defmodule MyApp.DiscordPlug do
@behaviour Plug
import Plug.Conn
require Logger
@impl true
def init(opts), do: opts
@impl true
def call(conn, _) do
with {:ok, signature} <- get_header(conn, "x-signature-ed25519"),
{:ok, timestamp} <- get_header(conn, "x-signature-timestamp"),
{:ok, raw_body} <- get_raw_body(conn),
{:ok, key} <- get_public_key(),
:ok <- valid_request?(signature, timestamp, raw_body, key) do
conn
else
{:error, message} ->
Logger.error("Discord request validation failed with reason: #{message}")
conn
|> send_resp(401, "invalid request signature")
|> halt()
end
end
defp valid_request?(expected_signature, timestamp, body, key) do
payload = "#{timestamp}#{body}"
Logger.info("Constructed payload: #{payload}")
Logger.info("Expected signature: #{expected_signature}")
Logger.info("Signing key: #{key}")
actual_signature =
:crypto.mac(:hmac, :sha256, key, payload)
|> Base.encode16(case: :lower)
|> IO.inspect(label: "Hash result")
case Plug.Crypto.secure_compare(actual_signature, expected_signature) do
true -> :ok
false -> {:error, "Signatures do not match"}
end
end
defp get_header(conn, key) do
case Plug.Conn.get_req_header(conn, key) do
[value] -> {:ok, value}
_ -> {:error, "No header for key #{key}"}
end
end
defp get_raw_body(conn) do
case conn.assigns[:raw_body] do
nil -> {:error, "No raw body present"}
[raw_body] -> {:ok, raw_body} |> IO.inspect(label: "raw body")
end
end
defp get_public_key() do
case Application.get_env(:chronicle, :discord_public_key) do
nil -> {:error, "No public key set"}
value -> {:ok, value}
end
end
end