Signature patch

src/Exceptions/WebhookFailed.php

@@ -7,6 +7,11 @@
 
 class WebhookFailed extends Exception
 {
+    public static function invalidSignature(): self
+    {
+        return new static('The signature is invalid.');
+    }
+
     public static function signingSecretNotSet(): self
     {
         return new static('The webhook signing secret is not set. Make sure that the `signing_secret` config key is set to the correct value.');

src/Webhook.php

@@ -2,20 +2,26 @@
 
 namespace BinaryCats\MailgunWebhooks;
 
+use BinaryCats\MailgunWebhooks\Exceptions\WebhookFailed;
+
 class Webhook
 {
     /**
      * Validate and raise an appropriate event.
      *
      * @param  $payload
-     * @param  array $signature
-     * @param  string $secret
+     * @param array $signature
+     * @param string $secret
      * @return BinaryCats\MailgunWebhooks\Event
+     * @throws WebhookFailed
      */
     public static function constructEvent(array $payload, array $signature, string $secret): Event
     {
         // verify we are good, else throw an expection
-        WebhookSignature::make($signature, $secret)->verify();
+        if (!WebhookSignature::make($signature, $secret)->verify()) {
+            throw WebhookFailed::invalidSignature();
+        }
+
         // Make an event
         return Event::constructFrom($payload);
     }

tests/IntegrationTest.php

@@ -159,10 +159,38 @@ public function a_request_with_a_config_key_will_use_the_correct_signing_secret(
             ],
         ];
 
-        Arr::set($payload, 'signature', $this->determineMailgunSignature($payload));
+        Arr::set($payload, 'signature', $this->determineMailgunSignature($payload, 'somekey'));
 
         $this
             ->postJson('mailgun-webhooks/somekey', $payload)
             ->assertSuccessful();
     }
+
+
+    /** @test */
+    public function an_invalid_signature_value_generates_a_500_error()
+    {
+        $payload = [
+            'event-data' => [
+                'event' => 'my.type',
+                'key' => 'value',
+            ],
+        ];
+
+        Arr::set($payload, 'signature', [
+            'timestamp' => time(),
+            'token' => 'some token',
+            'signature' => 'invalid_signature'
+        ]);
+
+        $this
+            ->postJson('mailgun-webhooks', $payload)
+            ->assertStatus(500);
+
+        $this->assertCount(0, WebhookCall::get());
+
+        Event::assertNotDispatched('mailgun-webhooks::my.type');
+
+        $this->assertNull(cache('dummyjob'));
+    }
 }

tests/TestCase.php

@@ -87,7 +87,7 @@ protected function determineMailgunSignature(array $payload, string $configKey =
         return [
             'timestamp' => $timestamp,
             'token' => $token,
-            'signature' => hash_hmac('sha256', "{$timestamp}.{$token}", $secret),
+            'signature' => hash_hmac('sha256', "{$timestamp}{$token}", $secret),
         ];
     }
 }