Getting raw POST data for whatever mimetype #601

Closed
tito opened this Issue Sep 28, 2012 · 2 comments

Projects

None yet

2 participants

tito commented Sep 28, 2012

Ok, this issue have been raised twice, but i got an use-case that i don't know how to handle without the raw POST data.

If you use PubSubHubbub api, you can can give a secret, and any data that you will receive will be signed:

  • When you subscribe to a new hub, you can give a "secret"
  • When you get a POST request, you get a X-Hub-Signature in the format "sha1:xxxx"
  • The signature is based on the secret you give at the subscription + the raw request data
  • The request data are POSTed, and accessible with request.form

To verify the signature, i think it should be something like:

from hashlib import sha1
import hmac
signature = 'sha1:' + hmac.new(my_secret, request.data, sha1).hex_digest()

I've tried to use json.dumps(request.form) to get the initial raw data, but it doesn't work, maybe cause of a space or a line break.

(The real use case here is using the PubSubHubbub hook from Github, to get a CIA.vc like service)

tito commented Sep 28, 2012

Here is an example of request received from github, with the secret 'aoserchsr989898h': http://requestb.in/153mbk31

Owner

The correct solution here is to wrap the stream and to do the sha1 as you go. I will add an example to the docs.

@mitsuhiko mitsuhiko closed this in b5bb49d Oct 7, 2012
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment