Has anyone written a ring middleware to validate github webhook calls as described on https://developer.github.com/webhooks/securing/ ?

@malabarba: I found your question regarding the hmac computation in Clojure on SO. Could you please tell me how you hooked it into your webapp? I currently have ring.middleware.defaults/wrap-defaults and ring.middleware.json/wrap-json-body on my handler. I guess that makes hmac computation fail as I need the original body.

@ska my memory fails me 🙂 Could you link to the question?

http://stackoverflow.com/questions/31729163/clojure-or-java-equivalent-to-rubys-hmac-hexdigest

Ah

I think you just need to do your hmac computation outside other middlewares

before the body is parsed

that's what I did

I think, I am already getting close to it. Would you like to join a tiny project on github to provide that middleware?

Here's the function I wrote:

`

`

Gah

I always mess up slack's code-blocks

🙂

(defn wrap-hub-signature
  "Middleware that checks if a page asked for authentication."
  [handler]
  (fn [{:keys [headers request-method], :as request}]
    (if (and (= request-method :post)
             (headers "x-hub-signature"))
      (let [body (slurp (:body request))]
        (or (when (= (hmac body) (headers "x-hub-signature"))
              (when-let [json-body (try (json/parse-string body true)
                                        (catch JsonParseException e nil))]
                (handler (assoc request :hub-signature-verified true
                                :body json-body
                                :params json-body))))
            {:status  400
             :headers {"Content-Type" "text/plain"}
             :body    "Malformed JSON in request body."}))
      (handler request))))

Note that I (slurp (:body request)) manually

obviously this only works if the body hasn't been slurped yet

Yeah, seen it. Crossing our fingers it will never OOm

If I'm not mistaken, I just borrowed the code used by the default ring middlware

I am writing my own because I need to cover the case that the webapp can have several secret tokens configured.

Though we're talking 1 year ago, and my memory has a half-life of 1 month

hehe

h

hm

that complicates things

several secret tokens for github signing?

How do you decide which to use?

I don't mind as long as anyone validates 🙂

I am preparing a gist at the moment...

Does that make sense? https://gist.github.com/ska2342/4567b02531ff611db6a1208ebd4316e6

Have you tested it?

I'm not sure if calling .getBytes multiple times on the body will work

Some streams can only be retrieved once

No, not tested a single run. That is 45 lines or written-only code so far 🙂 My testing setup is more complex. I need to deploy an uberjar to an EC2 instance and make sure that I get all information I need to test it. 😉

I do have some old recorded requests but only after wrap-json and stuff. Does not help a lot for this.

If I make my handler the first in the chain, reading the body is a problem: the :body element is a org.eclipse.jetty.server.HttpInputOverHTTP which does not have a .getBytes method.

In my case I just slurped the body, and called getBytes on the string

Might be safest to specify an Encoding for the string

but for me it Just Worked ™️

I think, I can make it work for my reduced use-case. Turning it into something generic and a library would be more work, though. I wonder how the JSON middleware gets away with just slurping the string.

maybe ring itself handles any length issues directly in the input stream

You could post an issue asking about that

Though I'd recomend to actually check their code first

I *think* I borrowed that slurp from the middleware, but I wouldn't bet my life on it. 🙂