This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2016-07-24
Has anyone written a Ring middleware to validate GitHub webhook calls as described on https://developer.github.com/webhooks/securing/ ?
@malabarba: I found your question regarding the hmac computation in Clojure on SO. Could you please tell me how you hooked it into your webapp? I currently have ring.middleware.defaults/wrap-defaults and ring.middleware.json/wrap-json-body on my handler. I guess that makes hmac computation fail as I need the original body.
http://stackoverflow.com/questions/31729163/clojure-or-java-equivalent-to-rubys-hmac-hexdigest
I think I am already getting close to it. Would you like to join a tiny project on github to provide that middleware?
(ns webhook.middleware
  (:require [cheshire.core :as json])
  (:import [com.fasterxml.jackson.core JsonParseException]
           [java.security MessageDigest]
           [javax.crypto Mac]
           [javax.crypto.spec SecretKeySpec]))

;; Assumed helper, not part of the original snippet: HMAC-SHA1 of the raw
;; body in GitHub's "sha1=<hex>" form; where the secret comes from is an assumption.
(defn hmac [^String body]
  (let [mac (doto (Mac/getInstance "HmacSHA1")
              (.init (SecretKeySpec. (.getBytes (System/getenv "GITHUB_WEBHOOK_SECRET") "UTF-8") "HmacSHA1")))]
    (str "sha1=" (apply str (map #(format "%02x" (bit-and % 0xff))
                                 (.doFinal mac (.getBytes body "UTF-8")))))))

(defn wrap-hub-signature
  "Middleware that verifies X-Hub-Signature on POST requests against an HMAC
  of the raw body, then parses that body as JSON."
  [handler]
  (fn [{:keys [headers request-method], :as request}]
    (if (and (= request-method :post) (headers "x-hub-signature"))
      (let [body (slurp (:body request))] ; raw body, read before any JSON middleware touches it
        ;; MessageDigest/isEqual compares in constant time, as GitHub's securing guide advises.
        (if-not (MessageDigest/isEqual (.getBytes (hmac body) "UTF-8")
                                       (.getBytes ^String (headers "x-hub-signature") "UTF-8"))
          {:status 403 :headers {"Content-Type" "text/plain"} :body "Invalid X-Hub-Signature."}
          (if-let [json-body (try (json/parse-string body true)
                                  (catch JsonParseException _ nil))]
            (handler (assoc request :hub-signature-verified true
                                    :body json-body :params json-body))
            {:status 400 :headers {"Content-Type" "text/plain"}
             :body "Malformed JSON in request body."})))
      (handler request))))
I am writing my own because I need to cover the case that the webapp can have several secret tokens configured.
Does that make sense? https://gist.github.com/ska2342/4567b02531ff611db6a1208ebd4316e6
No, not tested a single run. That is 45 lines of written-only code so far 🙂 My testing setup is more complex. I need to deploy an uberjar to an EC2 instance and make sure that I get all information I need to test it. 😉
I do have some old recorded requests but only after wrap-json and stuff. Does not help a lot for this.
If I make my handler the first in the chain, reading the body is a problem: the :body element is an org.eclipse.jetty.server.HttpInputOverHTTP which does not have a .getBytes method.