Merge pull request #32 from packagist/t/webhook-validation

naderman · web-flow · commit 11a87553c2aa · 2020-05-12T13:19:17.000+02:00
Webhook: add service to validate incoming payload
diff --git a/README.md b/README.md
@@ -571,6 +571,18 @@ Returns the new Magento legacy key.
 $client->customers()->magentoLegacyKeys()->remove($customerId, $publicKey);
 ```
 
+### Validate incoming webhook payloads
+
+When you create or update a webhook in Private Packagist an optional secret can be set. This secret gets used to create a signature which is sent with each request in the headers as `Packagist-Signature`. The secret and signature can then be used on your server to validate that the request was made by Private Packagist. If no secret is set then no signature is sent.
+
+```php
+$request = /** any Psr7 request */;
+$secret = 'webhook-secret';
+$webhookSignature = new \PrivatePackagist\ApiClient\WebhookSignature($secret);
+$requestSignature = $request->hasHeader('Packagist-Signature') ? $request->getHeader('Packagist-Signature')[0] : null; 
+$webhookSignature->validate($requestSignature, (string) $request->getBody());
+```
+
 ## License
 
 `private-packagist/api-client` is licensed under the MIT License
diff --git a/src/WebhookSignature.php b/src/WebhookSignature.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace PrivatePackagist\ApiClient;
+
+class WebhookSignature
+{
+    /** @var string */
+    private $secret;
+
+    public function __construct($secret)
+    {
+        $this->secret = $secret;
+    }
+
+    /**
+     * @param string $signature
+     * @param string $payload
+     * @return bool
+     */
+    public function validate($signature, $payload)
+    {
+        $payloadSignature = 'sha1='.hash_hmac('sha1', $payload, $this->secret);
+
+        return hash_equals($payloadSignature, (string) $signature);
+    }
+}
diff --git a/tests/WebhookSignatureTest.php b/tests/WebhookSignatureTest.php
@@ -0,0 +1,31 @@
+<?php
+
+namespace PrivatePackagist\ApiClient;
+
+use PHPUnit\Framework\TestCase;
+
+class WebhookSignatureTest extends TestCase
+{
+    /** @var WebhookSignature */
+    private $webhookSignature;
+
+    protected function setUp()
+    {
+        $this->webhookSignature = new WebhookSignature('test');
+    }
+
+    public function testValidate()
+    {
+        $this->assertTrue($this->webhookSignature->validate('sha1=b92a2ae52a340f2246a0ec24d45bb4ecfdf7b8ac', 'payload'));
+    }
+
+    public function testValidateInvalid()
+    {
+        $this->assertFalse($this->webhookSignature->validate('sha1=invalid', 'payload'));
+    }
+
+    public function testValidateNull()
+    {
+        $this->assertFalse($this->webhookSignature->validate('sha1=invalid', null));
+    }
+}
