forked from haskell-github/github
Validate.hs
-----------------------------------------------------------------------------
-- |
-- License : BSD-3-Clause
-- Maintainer : Oleg Grenrus <oleg.grenrus@iki.fi>
--
-- Verification of incoming webhook payloads, as described at
-- <https://developer.github.com/webhooks/securing/>
module GitHub.Data.Webhooks.Validate (
isValidPayload
) where
import GitHub.Internal.Prelude
import Prelude ()

import Crypto.Hash.SHA1 (hmac)
import qualified Data.Bits as Bits
import Data.ByteString (ByteString)
import qualified Data.ByteString as BS
import qualified Data.ByteString.Base16 as Hex
import qualified Data.Text.Encoding as TE
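-- | Validates a given payload against a given HMAC hexdigest using a given
-- secret.
--
-- Returns 'True' iff a signature was supplied ('Just') and it is byte-for-byte
-- equal to @"sha1=" <> hex (HMAC-SHA1 secret body)@.
--
-- The supplied signature comes from the remote party, so it is compared
-- against the expected value without stopping at the first differing byte.
-- A plain '==' on 'ByteString' may return early, which lets response timing
-- reveal how much of a guessed signature is correct.
--
-- The body must be the raw request bytes exactly as received; a payload that
-- was parsed and re-serialised will generally not hash to the same digest.
--
-- This function checks the SHA-1 based @X-Hub-Signature@ value only. GitHub
-- also sends an HMAC-SHA256 signature in @X-Hub-Signature-256@; this function
-- does not verify that header.
isValidPayload
    :: Text        -- ^ the secret
    -> Maybe Text  -- ^ the hash provided by the remote party
                   -- in @X-Hub-Signature@ (if any),
                   -- including the 'sha1=...' prefix
    -> ByteString  -- ^ the body
    -> Bool
isValidPayload secret shaOpt payload = maybe False (constantTimeEq sign) shaOptBS
  where
    shaOptBS = TE.encodeUtf8 <$> shaOpt
    hm       = hmac (TE.encodeUtf8 secret) payload
    -- Expected header value: the literal prefix followed by the hex digest.
    sign     = "sha1=" <> Hex.encode hm

    -- Equality that inspects every byte of equal-length inputs: XOR the
    -- strings pairwise and OR all the differences together, so the amount of
    -- work does not depend on where the first mismatch is. The length check
    -- may return early; the expected length is not secret.
    constantTimeEq :: ByteString -> ByteString -> Bool
    constantTimeEq expected provided =
        if BS.length expected == BS.length provided
            then BS.foldl' (Bits..|.) 0 (BS.pack (BS.zipWith Bits.xor expected provided)) == 0
            else False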