fix: HMAC verification logic in webhook handler

wangeguo · wangeguo · commit 8e6a2231e4a8 · 2025-08-25T22:19:36.000+08:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -8,7 +8,7 @@ resolver = "2"
 [package]
 name = "backend"
 description = "Backend API and services for StackClass"
-version = "0.41.2"
+version = "0.41.3"
 edition = "2024"
 
 default-run = "stackclass-server"
diff --git a/openapi.json b/openapi.json
@@ -6,7 +6,7 @@
     "license": {
       "name": ""
     },
-    "version": "0.41.2"
+    "version": "0.41.3"
   },
   "paths": {
     "/v1/courses": {
diff --git a/src/handler/webhook.rs b/src/handler/webhook.rs
@@ -61,7 +61,7 @@ pub async fn handle_tekton_webhook(
     let auth_secret = &ctx.config.auth_secret;
     let payload = format!("{}{}{}", repo, course, stage);
 
-    if crypto::hmac_sha256_verify(&payload, auth_secret, secret)? {
+    if !crypto::hmac_sha256_verify(&payload, auth_secret, secret)? {
         error!("Received pipeline event with invalid signature");
         return Err(ApiError::Unauthorized("Invalid signature".into()));
     }

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ pub async fn handle_tekton_webhook(`
`61`	`61`	`let auth_secret = &ctx.config.auth_secret;`
`62`	`62`	`let payload = format!("{}{}{}", repo, course, stage);`
`63`	`63`
`64`		`- if crypto::hmac_sha256_verify(&payload, auth_secret, secret)? {`
	`64`	`+ if !crypto::hmac_sha256_verify(&payload, auth_secret, secret)? {`
`65`	`65`	`error!("Received pipeline event with invalid signature");`
`66`	`66`	`return Err(ApiError::Unauthorized("Invalid signature".into()));`
`67`	`67`	`}`