More fiddling with auth

2026-01-18 14:02:15 +00:00 · 2023-06-27 00:42:22 +01:00
parent 63eb3bebef
commit 55aa41acfd
1 changed files with 12 additions and 9 deletions
--- a/RIGS/views/rigboard.py
+++ b/RIGS/views/rigboard.py
@@ -5,6 +5,7 @@ import premailer
 import simplejson
 import urllib
 import hmac
+import hashlib

 from envparse import env
 from bs4 import BeautifulSoup
@@ -408,13 +409,15 @@ class RecieveForumWebhook(generic.View):
        return super().dispatch(request, *args, **kwargs)

    def post(self, request, *args, **kwargs):
-        computed = f"sha256={hmac.new(env('FORUM_WEBHOOK_SECRET').encode(), request.body, digestmod='sha256').hexdigest()}"
-        if request.POST.get('X-Discourse-Event-Signature') == computed: #  and request.POST.get('X-Discourse-Event') == "topic_created":
-            body = json.loads(request.body.decode('utf-8'))
-            event_id = int(body['title'][1:5]) # find the ID, force convert it to an int to eliminate leading zeros
-            event = models.Event.objects.filter(pk=event_id).first()
-            if event:
-                event.forum_url = "https://forum.nottinghamtec.co.uk/t/{}"
-                event.save()
-                return HttpResponse(status=200)
+        hmac = hmac.new(env('FORUM_WEBHOOK_SECRET').encode(), request.body, hashlib.sha256).hexdigest()
+        computed = f"sha256={hmac}"
+        if not hmac.compare_digest(request.POST.get('X-Discourse-Event-Signature'), computed):
+            return HttpResponseForbidden('Invalid signature header')
+        body = json.loads(request.body.decode('utf-8'))
+        event_id = int(body['title'][1:5]) # find the ID, force convert it to an int to eliminate leading zeros
+        event = models.Event.objects.filter(pk=event_id).first()
+        if event:
+            event.forum_url = "https://forum.nottinghamtec.co.uk/t/{}"
+            event.save()
+            return HttpResponse(status=202)
        return HttpResponse(status=204)