From 55aa41acfd64c3dd75e183b3980fa712149ebabb Mon Sep 17 00:00:00 2001
From: FreneticScribbler
Date: Tue, 27 Jun 2023 00:42:22 +0100
Subject: [PATCH] More fiddling with auth
---
 RIGS/views/rigboard.py | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/RIGS/views/rigboard.py b/RIGS/views/rigboard.py
index 07f1365d..59bc8bbe 100644
--- a/RIGS/views/rigboard.py
+++ b/RIGS/views/rigboard.py
@@ -5,6 +5,7 @@ import premailer
 import simplejson
 import urllib
 import hmac
+import hashlib
 from envparse import env
 from bs4 import BeautifulSoup
@@ -408,13 +409,15 @@ class RecieveForumWebhook(generic.View):
 return super().dispatch(request, *args, **kwargs)
 def post(self, request, *args, **kwargs):
- computed = f"sha256={hmac.new(env('FORUM_WEBHOOK_SECRET').encode(), request.body, digestmod='sha256').hexdigest()}"
- if request.POST.get('X-Discourse-Event-Signature') == computed: # and request.POST.get('X-Discourse-Event') == "topic_created":
- body = json.loads(request.body.decode('utf-8'))
- event_id = int(body['title'][1:5]) # find the ID, force convert it to an int to eliminate leading zeros
- event = models.Event.objects.filter(pk=event_id).first()
- if event:
- event.forum_url = "https://forum.nottinghamtec.co.uk/t/{}"
- event.save()
- return HttpResponse(status=200)
+ hmac = hmac.new(env('FORUM_WEBHOOK_SECRET').encode(), request.body, hashlib.sha256).hexdigest()
+ computed = f"sha256={hmac}"
+ if not hmac.compare_digest(request.POST.get('X-Discourse-Event-Signature'), computed):
+ return HttpResponseForbidden('Invalid signature header')
+ body = json.loads(request.body.decode('utf-8'))
+ event_id = int(body['title'][1:5]) # find the ID, force convert it to an int to eliminate leading zeros
+ event = models.Event.objects.filter(pk=event_id).first()
+ if event:
+ event.forum_url = "https://forum.nottinghamtec.co.uk/t/{}"
+ event.save()
+ return HttpResponse(status=202)
 return HttpResponse(status=204)
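Review bot: In `post`, assigning the digest to a local named `hmac` makes `hmac` local for the whole function, so `hmac.new(...)` raises UnboundLocalError on every request and `hmac.compare_digest` could never reach the module either. The signature is also read from `request.POST`, although the 403 message calls it a header and Discourse sends `X-Discourse-Event-Signature` as an HTTP header; with a JSON body that lookup presumably returns None, and `compare_digest(None, computed)` raises TypeError rather than returning 403. I would use a non-shadowing local, read the value from `request.headers` with an empty-string default, and compare bytes so a non-ASCII header value cannot raise before the check completes. `HttpResponseForbidden` needs an import that this patch does not show. Separately, the `forum_url` string still carries a literal `{}` that is never formatted with a topic id.

```python
    def post(self, request, *args, **kwargs):
        # Local name must not shadow the hmac module used below.
        digest = hmac.new(env('FORUM_WEBHOOK_SECRET').encode(), request.body, hashlib.sha256).hexdigest()
        computed = f"sha256={digest}"
        # A missing header becomes '', so the comparison fails closed instead of raising.
        signature = request.headers.get('X-Discourse-Event-Signature', '')
        if not hmac.compare_digest(signature.encode(), computed.encode()):
            return HttpResponseForbidden('Invalid signature header')
        # … unchanged: JSON parsing, event lookup and responses …
```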