Validating webhook payloads from GitHub

I’m trying to validate github webhooks with a secret. The example documentation is in Ruby and I’m trying to figure out the corresponding Elixir. So far I have not been successful, but I’m not sure if it’s the decoding bit that’s wrong or if I’m using the wrong thing for the body.

My attempt:

  def create(conn, params) do
    [event_id] = get_req_header(conn, "x-github-delivery")
    [event_name] = get_req_header(conn, "x-github-event")

    verify_signature(conn)

    json(conn, %{success: true, message: "event received"})
  end

  def verify_signature(conn) do
    secret = "super secret"
    [signature] = get_req_header(conn, "x-hub-signature")

    body = inspect(Plug.Conn.read_body(conn))
    # {:ok, body, _conn} = Plug.Conn.read_body(conn)

    expected_signature =
      :crypto.hmac(:sha, secret, body)
      |> Base.encode16
      |> String.downcase()
      |> fn sig -> "sha1=" <> sig end.()

      unless Plug.Crypto.secure_compare(expected_signature, signature), do: raise "signature didn't match"
  end

Ruby:

post '/payload' do
  request.body.rewind
  payload_body = request.body.read
  verify_signature(payload_body)
  push = JSON.parse(params[:payload])
  "I got some JSON: #{push.inspect}"
end

def verify_signature(payload_body)
  signature = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), ENV['SECRET_TOKEN'], payload_body)
  return halt 500, "Signatures didn't match!" unless Rack::Utils.secure_compare(signature, request.env['HTTP_X_HUB_SIGNATURE'])
end

Might want to have a look at https://hex.pm/packages/gh_webhook_plug and https://github.com/emilsoman/gh_webhook_plug/blob/master/lib/gh_webhook_plug.ex
in particular.

Also note that you need to call this plug before Plug.Parsers is called.

Ooooooh, that totally makes sense. I realized I must be getting to the body too late because it was already an elixir map, but didn’t really put two and two together. I’ll give that a shot tomorrow, thank you!