From 773b0522ea1894c8af62a195f829c15478a49347 Mon Sep 17 00:00:00 2001 From: Alexander Leahy Date: Tue, 18 May 2021 21:51:31 +1000 Subject: [PATCH 1/2] Fixed some typos in tests --- tests/IntegrationTest.php | 2 +- tests/TestCase.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/IntegrationTest.php b/tests/IntegrationTest.php index a884477..f92cce3 100644 --- a/tests/IntegrationTest.php +++ b/tests/IntegrationTest.php @@ -159,7 +159,7 @@ public function a_request_with_a_config_key_will_use_the_correct_signing_secret( ], ]; - Arr::set($payload, 'signature', $this->determineMailgunSignature($payload)); + Arr::set($payload, 'signature', $this->determineMailgunSignature($payload, 'somekey')); $this ->postJson('mailgun-webhooks/somekey', $payload) diff --git a/tests/TestCase.php b/tests/TestCase.php index 624ccbe..a3fcec0 100644 --- a/tests/TestCase.php +++ b/tests/TestCase.php @@ -87,7 +87,7 @@ protected function determineMailgunSignature(array $payload, string $configKey = return [ 'timestamp' => $timestamp, 'token' => $token, - 'signature' => hash_hmac('sha256', "{$timestamp}.{$token}", $secret), + 'signature' => hash_hmac('sha256', "{$timestamp}{$token}", $secret), ]; } } From ec8c239dfbbda42e4f65ecc2fb8e7576408a2d32 Mon Sep 17 00:00:00 2001 From: Alexander Leahy Date: Tue, 18 May 2021 21:53:13 +1000 Subject: [PATCH 2/2] Fixed signature check --- src/Exceptions/WebhookFailed.php | 5 +++++ src/Webhook.php | 12 +++++++++--- tests/IntegrationTest.php | 28 ++++++++++++++++++++++++++++ 3 files changed, 42 insertions(+), 3 deletions(-) diff --git a/src/Exceptions/WebhookFailed.php b/src/Exceptions/WebhookFailed.php index 6b95858..b6034dc 100644 --- a/src/Exceptions/WebhookFailed.php +++ b/src/Exceptions/WebhookFailed.php @@ -7,6 +7,11 @@ class WebhookFailed extends Exception { + public static function invalidSignature(): self + { + return new static('The signature is invalid.'); + } + public static function signingSecretNotSet(): self { return new static('The webhook signing secret is not set. Make sure that the `signing_secret` config key is set to the correct value.'); diff --git a/src/Webhook.php b/src/Webhook.php index feed5bc..a1df910 100644 --- a/src/Webhook.php +++ b/src/Webhook.php @@ -2,20 +2,26 @@ namespace BinaryCats\MailgunWebhooks; +use BinaryCats\MailgunWebhooks\Exceptions\WebhookFailed; + class Webhook { /** * Validate and raise an appropriate event. * * @param $payload - * @param array $signature - * @param string $secret + * @param array $signature + * @param string $secret * @return BinaryCats\MailgunWebhooks\Event + * @throws WebhookFailed */ public static function constructEvent(array $payload, array $signature, string $secret): Event { // verify we are good, else throw an expection - WebhookSignature::make($signature, $secret)->verify(); + if (!WebhookSignature::make($signature, $secret)->verify()) { + throw WebhookFailed::invalidSignature(); + } + // Make an event return Event::constructFrom($payload); } diff --git a/tests/IntegrationTest.php b/tests/IntegrationTest.php index f92cce3..af6b018 100644 --- a/tests/IntegrationTest.php +++ b/tests/IntegrationTest.php @@ -165,4 +165,32 @@ public function a_request_with_a_config_key_will_use_the_correct_signing_secret( ->postJson('mailgun-webhooks/somekey', $payload) ->assertSuccessful(); } + + + /** @test */ + public function an_invalid_signature_value_generates_a_500_error() + { + $payload = [ + 'event-data' => [ + 'event' => 'my.type', + 'key' => 'value', + ], + ]; + + Arr::set($payload, 'signature', [ + 'timestamp' => time(), + 'token' => 'some token', + 'signature' => 'invalid_signature' + ]); + + $this + ->postJson('mailgun-webhooks', $payload) + ->assertStatus(500); + + $this->assertCount(0, WebhookCall::get()); + + Event::assertNotDispatched('mailgun-webhooks::my.type'); + + $this->assertNull(cache('dummyjob')); + } }