marcdel

marcdel

Validating webhook payloads from GitHub

I’m trying to validate github webhooks with a secret. The example documentation is in Ruby and I’m trying to figure out the corresponding Elixir. So far I have not been successful, but I’m not sure if it’s the decoding bit that’s wrong or if I’m using the wrong thing for the body.

My attempt:

  def create(conn, params) do
    [event_id] = get_req_header(conn, "x-github-delivery")
    [event_name] = get_req_header(conn, "x-github-event")

    verify_signature(conn)

    json(conn, %{success: true, message: "event received"})
  end

  def verify_signature(conn) do
    secret = "super secret"
    [signature] = get_req_header(conn, "x-hub-signature")

    body = inspect(Plug.Conn.read_body(conn))
    # {:ok, body, _conn} = Plug.Conn.read_body(conn)

    expected_signature =
      :crypto.hmac(:sha, secret, body)
      |> Base.encode16
      |> String.downcase()
      |> fn sig -> "sha1=" <> sig end.()

      unless Plug.Crypto.secure_compare(expected_signature, signature), do: raise "signature didn't match"
  end

Ruby:

post '/payload' do
  request.body.rewind
  payload_body = request.body.read
  verify_signature(payload_body)
  push = JSON.parse(params[:payload])
  "I got some JSON: #{push.inspect}"
end

def verify_signature(payload_body)
  signature = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), ENV['SECRET_TOKEN'], payload_body)
  return halt 500, "Signatures didn't match!" unless Rack::Utils.secure_compare(signature, request.env['HTTP_X_HUB_SIGNATURE'])
end

Marked As Solved

maartenvanvliet

maartenvanvliet

Might want to have a look at gh_webhook_plug | Hex and gh_webhook_plug/lib/gh_webhook_plug.ex at master · emilsoman/gh_webhook_plug · GitHub
in particular.

Also note that you need to call this plug before Plug.Parsers is called.

Also Liked

marcdel

marcdel

Ooooooh, that totally makes sense. I realized I must be getting to the body too late because it was already an elixir map, but didn’t really put two and two together. I’ll give that a shot tomorrow, thank you!

Where Next?

Popular in Questions Top

qwerescape
Is there a way to get the call stack or stack trace at any point in the code? Not from exceptions, but an expression that returns how the...
New
albydarned
Hello all! I am typing this post from my new MacBook Pro with the M1 chip. I’m loving it so far, and will probably use it as my daily dr...
New
Lily
In templates/appointment/index.html.eex: &lt;%= for appointment &lt;- @appointments do %&gt; &lt;tr&gt; &lt;td&gt;&lt;%= appoi...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
vrod
I am using the Starship cross-shell prompt – it seems pretty nice, but I get some errors: [WARN] - (starship::utils): Executing command ...
New
aalberti333
As the title describes, I’m trying to run Enum.map() over a list of key/value pairs, where the value is a map. My data looks like this: ...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
svb
Hi! Currently I want to submit a form by pressing the Enter key. However, since my input field is of type “textarea” this is just adds a...
New

Other popular topics Top

sen
Hi All, I set a environment variables in dev.exs , like below code. when i start server, how can i set the ${enable} value? thanks. d...
New
vertexbuffer
Hello, can anybody help here..? I have a list of players and I what to delete an element, but every for loop the list is reverting to ori...
New
9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
Nvim
Anybody knows a comprehensive comparison of Django and Phoenix, thanks for the help. Where are they similar? Where do they differ the m...
New
stefanluptak
Hello everybody, usually, I use a 29" ultra-wide monitor for VSCode which can easily accomodate explorer (files panel) + file with code ...
New
AstonJ
Please see the new poll here: Which code editor or IDE do you use? (Poll) (2022 Edition) It’s been a while since we first asked this, I...
208 31142 143
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
jason.o
In the code below, if the create action is not set to accept “extra_key” as an input, it errors out with a message shown above. Is there ...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
vonH
In asking this question I am more interested about the expressiveness of the language itself and less concerned about the availability of...
New

We're in Beta

About us Mission Statement