improve and secure deploy process

This will avoid DDoS on /update route adding proper github webhooks validation, better deploy solutions were suggested in #40 but this will suffice from now
coljs · Feb 14, 2015 · 03670fb · 03670fb · edsadr · Feb 14, 2015
1 parent 0d817bb
commit 03670fb
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 15 deletions.
diff --git a/config.template.json b/config.template.json
@@ -1,5 +1,8 @@
 {
-	"meetup": {
-		"apiKey": "xxxxxxxxx"
-	}
+  "meetup": {
+    "apiKey": "xxxxxxxxx"
+  },
+  "github": {
+    "secret": "xxxxxxxxxx"
+  }
 }
diff --git a/package.json b/package.json
@@ -13,7 +13,8 @@
   "dependencies": {
     "async": "^0.9.0",
     "express": "^4.7.2",
-    "harp": "^0.14.0",
+    "github-webhook-middleware": "0.0.2",
+    "harp": "^0.15.2",
     "moment": "^2.5.1",
     "morgan": "^1.2.2",
     "request": "^2.39.0"

diff --git a/server.js b/server.js
@@ -1,11 +1,18 @@
+'use strict';
+
 var express = require('express'),
-    harp    = require('harp'),
-    path    = require('path'),
-    fs      = require('fs'),
+    webhook = require('github-webhook-middleware'),
     exec    = require('child_process').exec,
+    config  = require('./config'),
     events  = require('./events'),
     router  = require('./router'),
-    app     = express();
+    app     = express(),
+    port    = process.env.PORT || 8080;
+
+// Setup Github Webhooks
+var validateWebhook = webhook({
+  secret: config.github.secret
+});
 
 // Static Server
 app.use(express.static(__dirname + '/public'));
@@ -16,23 +23,32 @@ app.use(router);
 // Fetch Events
 app.get('/events.json', function (req, res) {
   events(function (err, data) {
-    if (err) {
+    if (err)
       return res.status(500).send(err.message);
-    }
 
     res.send(data);
   });
 });
 
 // Update site
-app.post('/update', function (req, res) {
+app.post('/update', validateWebhook, function (req, res) {
+  if (req.headers['x-github-event'] !== 'push')
+      return res.status(200).json({ status: 'nothing to do' });
+
   exec('git pull && grunt build', function (err, stdout, stderr) {
-    if (err) return;
+    if (err) return res.status(500).send(err.message);
 
+    // Log git and grunt output
     console.log(stdout);
-    throw new Error('Restart action required');
+    console.error(stderr);
+
+    res.status(200).json({ status: 'ok' });
+
+    // Restart node process after update
+    process.exit(0);
   });
 });
 
-app.listen(8080);
-console.log("MedellinJS started");
+app.listen(port, function () {
+  console.log('MedellinJS listening on http://localhost:%s', port);
+});