# HG changeset patch
# User Kim Alvefur
# Date 1554049282 -7200
# Node ID 37e89a76c7d757d2d0eed0729a7b4fdb5b4e5d9b
# Parent ac623080324ab70e93c6cbd8c09b03ca69e412ad
mod_pubsub_github: Lift signature validation from mod_pubsub_post

diff -r ac623080324a -r 37e89a76c7d7 mod_pubsub_github/mod_pubsub_github.lua
--- a/mod_pubsub_github/mod_pubsub_github.lua Sun Mar 31 18:16:49 2019 +0200
+++ b/mod_pubsub_github/mod_pubsub_github.lua Sun Mar 31 18:21:22 2019 +0200
@@ -2,7 +2,14 @@
 local st = require "util.stanza";
 local json = require "util.json";
-local hmac_sha1 = require "util.hashes".hmac_sha1;
+local hashes = require "util.hashes";
+local from_hex = require "util.hex".from;
+local hmacs = {
+ sha1 = hashes.hmac_sha1;
+ sha256 = hashes.hmac_sha256;
+ sha384 = hashes.hmac_sha384;
+ sha512 = hashes.hmac_sha512;
+};
 local pubsub_service = module:depends("pubsub").service;
 local default_node = module:get_option("github_node", "github");
@@ -20,9 +27,20 @@
 ["conflict"] = 409;
 };
+local function verify_signature(secret, body, signature)
+ if not signature then return false; end
+ local algo, digest = signature:match("^([^=]+)=(%x+)");
+ if not algo then return false; end
+ local hmac = hmacs[algo];
+ if not algo then return false; end
+ return hmac(secret, body) == from_hex(digest);
+end
+
 function handle_POST(event)
 local request, response = event.request, event.response;
- if ("sha1=" .. hmac_sha1(secret, request.body, true)) ~= request.headers.x_hub_signature then
+
+ if not verify_signature(secret, request.body, request.headers.x_hub_signature) then
+ module:log("debug", "Signature validation failed");
 return 401;
 end
 local data = json.decode(request.body);
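Review bot: In verify_signature the second guard re-tests `algo` instead of the looked-up function, so a header naming an algorithm that is not in `hmacs` leaves `hmac` nil and the next line raises "attempt to call a nil value" rather than returning false; the request then fails with an unhandled error instead of the intended 401. The line after `local hmac = hmacs[algo];` should read `if not hmac then return false; end`. It may also be worth noting in a comment that `hmacs` is the allow-list of algorithms the hook will accept, since the lookup is keyed directly by the client-supplied prefix of the X-Hub-Signature header (any other key, including metatable-free table fields, simply yields nil). handle_POST continues past the end of the hunk.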