I’m trying to validate github webhooks with a secret. The example documentation is in Ruby and I’m trying to figure out the corresponding Elixir. So far I have not been successful, but I’m not sure if it’s the decoding bit that’s wrong or if I’m using the wrong thing for the body.
My attempt:
def create(conn, params) do
[event_id] = get_req_header(conn, "x-github-delivery")
[event_name] = get_req_header(conn, "x-github-event")
verify_signature(conn)
json(conn, %{success: true, message: "event received"})
end
def verify_signature(conn) do
secret = "super secret"
[signature] = get_req_header(conn, "x-hub-signature")
body = inspect(Plug.Conn.read_body(conn))
# {:ok, body, _conn} = Plug.Conn.read_body(conn)
expected_signature =
:crypto.hmac(:sha, secret, body)
|> Base.encode16
|> String.downcase()
|> fn sig -> "sha1=" <> sig end.()
unless Plug.Crypto.secure_compare(expected_signature, signature), do: raise "signature didn't match"
end
Ruby:
post '/payload' do
request.body.rewind
payload_body = request.body.read
verify_signature(payload_body)
push = JSON.parse(params[:payload])
"I got some JSON: #{push.inspect}"
end
def verify_signature(payload_body)
signature = 'sha1=' + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), ENV['SECRET_TOKEN'], payload_body)
return halt 500, "Signatures didn't match!" unless Rack::Utils.secure_compare(signature, request.env['HTTP_X_HUB_SIGNATURE'])
end