Include a VerifySignature() method #9

Open
daamsie opened this issue Apr 7, 2022 · 5 comments

@daamsie

daamsie commented Apr 7, 2022

When listening for Mailgun webhooks, it's important to verify the signature. It would be nice to have this available in this component.

See here a C# implementation

Happy to create a PR if you want to include it.

I'd add an extra parameter to the init function - webhookSigningKey

Then create a new method verifySignature() that handles the verification, throwing an error if the webhookSigningKey is not set.

@mjclemente
Owner

Might make sense to add - is there a section in their docs covering this?

@daamsie
Author

daamsie commented Apr 8, 2022

Yeah, it's in the Webhooks section of the docs. My implementation below:

Changing init to add webhookSigningKey

public any function init(
  required string secretApiKey,
  required string publicApiKey,
  string domain = "",
  string baseUrl = "https://api.mailgun.net/v3",
  boolean forceTestMode = false,
  numeric httpTimeout = 60,
  boolean includeRaw = true,
  string webhookSigningKey = ""
) {
  structAppend( variables, arguments );
  return this;
}

Added a verifySignature function

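public boolean function verifySignature( required any timestamp, required string token, required string signature ) {
  // Refuse to verify anything if no signing key was supplied to init()
  if ( variables.webhookSigningKey eq "" ) {
    throw("Mailgun needs to be initialised with your Webhook Signing Key");
  }

  // The signed message is the timestamp concatenated with the token
  var timestampAndToken = timestamp & token;
  var computedSignature = hmac(timestampAndToken, variables.webhookSigningKey, "HMACSHA256", "us-ascii");

  // eq is case-insensitive, so the hex case of the two digests does not matter
  return computedSignature eq signature;
}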

Feel free to use / adjust or I can post a PR.
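
A hardened variant of the verifySignature() idea posted above, as an added example that is not part of the original comment or the project's code: it compares the HMAC in constant time and also rejects stale timestamps and reused tokens. The component layout, `maxAgeSeconds`, its 300-second default, and the in-memory `seenTokens` store are assumptions made for illustration.

```cfml
component {
  // Illustrative component; names and defaults here are assumptions, not the project's API.
  public any function init( required string webhookSigningKey, numeric maxAgeSeconds = 300 ) {
    if ( !len( arguments.webhookSigningKey ) ) {
      throw( message = "A webhook signing key is required" );
    }
    variables.webhookSigningKey = arguments.webhookSigningKey;
    variables.maxAgeSeconds = arguments.maxAgeSeconds;
    // In-memory and never pruned: a real deployment would use a shared cache with a TTL.
    variables.seenTokens = {};
    return this;
  }

  public boolean function verifySignature( required any timestamp, required string token, required string signature ) {
    // Reject malformed input before doing any work with the key.
    if ( !isNumeric( arguments.timestamp ) || !len( arguments.token ) || !len( arguments.signature ) ) {
      return false;
    }

    // Same computation as in the thread: HMAC-SHA256 over timestamp & token, hex encoded.
    var computed = lCase( hmac( arguments.timestamp & arguments.token, variables.webhookSigningKey, "HMACSHA256", "us-ascii" ) );
    var supplied = lCase( arguments.signature );

    // MessageDigest.isEqual compares byte arrays without exiting at the first mismatch.
    var md = createObject( "java", "java.security.MessageDigest" );
    if ( !md.isEqual( charsetDecode( computed, "us-ascii" ), charsetDecode( supplied, "us-ascii" ) ) ) {
      return false;
    }

    // Freshness: a valid signature on an old timestamp may be a replayed request.
    var nowSeconds = int( getTickCount() / 1000 );
    if ( abs( nowSeconds - arguments.timestamp ) > variables.maxAgeSeconds ) {
      return false;
    }

    // Replay: each token is accepted once; the lock keeps check-and-store atomic.
    lock name="mailgunWebhookTokens" type="exclusive" timeout="5" {
      if ( structKeyExists( variables.seenTokens, arguments.token ) ) {
        return false;
      }
      variables.seenTokens[ arguments.token ] = nowSeconds;
    }
    return true;
  }
}
```

The signature is checked before the freshness and replay tests so that unauthenticated requests cannot fill the token store.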

@mjclemente
Owner

Looks good to me. PR welcome!

Can you be sure to include the documentation for it in the README as well?

@daamsie
Author

daamsie commented Apr 13, 2022

Done. I did update the README with info but was a little unsure on how to explain the optional nature of the extra argument in init. I left it out of the Coldbox explanation in the interest of brevity. But maybe it makes more sense to include all the arguments in that example for both of them.

Also, though I did add the code to ModuleConfig and it is simple enough that I'm confident it's accurate - I didn't test this part because I'm not a Coldbox user.

@mjclemente
Owner

Resolved with your PR #11

Thanks!
