Browse Source

Update Gogs webhook for the lifestream

New versions of Gogs changed the way the 'secret' is sent to the
endpoint.

It's now a SHA256 HMAC hex digest of the payload via `X-Gogs-Signature`
header
master
Chimo 2 years ago
parent
commit
33340a5959
1 changed files with 14 additions and 2 deletions
  1. 14
    2
      php/webhook.php

+ 14
- 2
php/webhook.php View File

@@ -1,5 +1,9 @@
1 1
 <?php
2 2
 
3
+/**
4
+ * code.chromic.org webhook
5
+ */
6
+
3 7
 require_once('../../private/_config.php');
4 8
 
5 9
 $gogs = $config['gogs'];
@@ -13,8 +17,16 @@ try {
13 17
     exit;
14 18
 }
15 19
 
16
-// Invalid 'secret'
17
-if ($gogs['secret'] !== $json->secret) {
20
+// Missing signature
21
+if (!isset($_SERVER['HTTP_X_GOGS_SIGNATURE'])) {
22
+    header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
23
+    exit;
24
+}
25
+
26
+$hmac_signature = $_SERVER['HTTP_X_GOGS_SIGNATURE'];
27
+
28
+// Invalid signature
29
+if (hash_hmac('sha256', $data, $gogs['secret']) !== $hmac_signature) {
18 30
     header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
19 31
     exit;
20 32
 }

Loading…
Cancel
Save