Fix passing callback requests without secret key
gaiaz-iusipov committed Jan 8, 2022
1 parent 4343582 commit 4917458
Showing 2 changed files with 17 additions and 6 deletions.
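--- a/callback/callback.go
+++ b/callback/callback.go
@@ -58,13 +58,15 @@ func (cb *Callback) HandleFunc(w http.ResponseWriter, r *http.Request) {
 return
 }
 
-if cb.SecretKeys[e.GroupID] != "" || cb.SecretKey != "" {
-if e.Secret != cb.SecretKeys[e.GroupID] && e.Secret != cb.SecretKey {
-cb.logf("callback: bad secret %d", e.GroupID)
-http.Error(w, "Bad Secret", http.StatusForbidden)
+secretKey, ok := cb.SecretKeys[e.GroupID]
+if !ok {
+secretKey = cb.SecretKey
+}
+if secretKey != "" && e.Secret != secretKey {
+cb.logf("callback: bad secret %d", e.GroupID)
+http.Error(w, "Bad Secret", http.StatusForbidden)
 
-return
-}
+return
 }
 
 if e.Type == events.EventConfirmation {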
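Review bot: An entry in `cb.SecretKeys` whose value is the empty string now turns verification off for that group even when `cb.SecretKey` is set, because the fallback tests `ok` rather than the value and the check is skipped whenever `secretKey` is empty. If that override is not intended, fall back on the value instead: `secretKey := cb.SecretKeys[e.GroupID]` followed by `if secretKey == "" { secretKey = cb.SecretKey }`. The comparison `e.Secret != secretKey` also exits at the first differing byte; `subtle.ConstantTimeCompare([]byte(e.Secret), []byte(secretKey)) != 1` from `crypto/subtle` removes that data-dependent timing for equal-length inputs. HandleFunc starts and ends outside this hunk.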
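--- a/callback/callback_test.go
+++ b/callback/callback_test.go
@@ -93,6 +93,15 @@ func TestCallback_HandleFunc(t *testing.T) {
 body: `{"type": "confirmation", "group_id": 123456, "secret": "secret_123456"}`,
 expected: "confirmation_123456",
 },
+{
+name: "check SecretKey missing",
+fields: fields{
+ConfirmationKey: "confirmation_123456",
+SecretKey: "secret_654321",
+},
+body: `{"type": "confirmation", "group_id": 123456}`,
+expected: "Bad Secret\n",
+},
 {
 name: "check SecretKey bad",
 fields: fields{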
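Review bot: The added case covers only the global `SecretKey` with the secret absent from the body; the per-group lookup that the fix introduces is not exercised in this hunk. Two companion cases would pin the new precedence: one that configures a `SecretKeys` entry for group 123456 and sends a body without `secret`, and one that sends the global key to a group that has its own key, both expecting `"Bad Secret\n"`. Other rows of the table outside this hunk may already cover this, and whether the test's `fields` struct exposes `SecretKeys` is not visible here.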
