impl verification on payloads

Author: Emilgardis

Cargo.toml

@@ -26,6 +26,8 @@ serde_repr = "0.1.6"
 reqwest = { version = "0.11.0", optional = true }
 surf = { version = "2.1.0", optional = true }
 http-types = { version = "2.10.0", optional = true, features = ["hyperium_http"] }
+sha2 = { version = "0.9.3", optional = true }
+crypto_hmac = { package = "hmac", version = "0.10.1", optional = true }
 
 [features]
 default = []
@@ -57,7 +59,9 @@ pubsub = ["serde_json"]
 
 eventsub = ["serde_json"]
 
-all = ["tmi", "helix", "surf_client", "reqwest_client", "client", "pubsub", "eventsub"]
+hmac = ["crypto_hmac","sha2"]
+
+all = ["tmi", "helix", "surf_client", "reqwest_client", "client", "pubsub", "eventsub", "hmac"]
 
 [dev-dependencies]
 tokio = { version = "1.2.0", features = ["rt-multi-thread", "macros"] }

src/eventsub/mod.rs

@@ -155,6 +155,66 @@ impl Payload {
     pub fn parse_http(request: &http::Request<Vec<u8>>) -> Result<Payload, PayloadParseError> {
         Payload::parse(std::str::from_utf8(request.body())?)
     }
+
+    /// Verify that this payload is authentic using `HMAC-SHA256`.
+    ///
+    /// HMAC key is `secret`, HMAC message is a concatenation of `Twitch-Eventsub-Message-Id` header, `Twitch-Eventsub-Message-Timestamp` header and the request body.
+    /// HMAC signature is `Twitch-Eventsub-Message-Signature` header
+    #[cfg(feature = "hmac")]
+    #[cfg_attr(nightly, doc(cfg(feature = "hmac")))]
+    pub fn verify_payload(request: &http::Request<Vec<u8>>, secret: &[u8]) -> bool {
+        use crypto_hmac::{Hmac, Mac, NewMac};
+
+        fn message_and_signature(request: &http::Request<Vec<u8>>) -> Option<(Vec<u8>, Vec<u8>)> {
+            static SHA_HEADER: &str = "sha256=";
+
+            let id = request
+                .headers()
+                .get("Twitch-Eventsub-Message-Id")?
+                .as_bytes();
+            let timestamp = request
+                .headers()
+                .get("Twitch-Eventsub-Message-Timestamp")?
+                .as_bytes();
+            let body = request.body();
+
+            let mut message = Vec::with_capacity(id.len() + timestamp.len() + body.len());
+            message.extend_from_slice(&id);
+            message.extend_from_slice(&timestamp);
+            message.extend_from_slice(&body);
+
+            let signature = request
+                .headers()
+                .get("Twitch-Eventsub-Message-Signature")?
+                .to_str()
+                .ok()?;
+            if !signature.starts_with(&SHA_HEADER) {
+                return None;
+            }
+            let signature = signature.split_at(SHA_HEADER.len()).1;
+            if signature.len() % 2 == 0 {
+                // Convert signature to [u8] from hex digits
+                // Hex decode inspired by https://stackoverflow.com/a/52992629
+                let signature = ((0..signature.len())
+                    .step_by(2)
+                    .map(|i| u8::from_str_radix(&signature[i..i + 2], 16))
+                    .collect::<Result<Vec<u8>, _>>())
+                .ok()?;
+
+                Some((message, signature))
+            } else {
+                None
+            }
+        }
+
+        if let Some((message, signature)) = message_and_signature(request) {
+            let mut mac = Hmac::<sha2::Sha256>::new_varkey(secret).expect("");
+            mac.update(&message);
+            mac.verify(&signature).is_ok()
+        } else {
+            false
+        }
+    }
 }
 
 /// Errors that can happen when parsing payload
@@ -517,5 +577,37 @@ fn test_verification_response() {
 
     let val = dbg!(crate::eventsub::Payload::parse(&body).unwrap());
     crate::tests::roundtrip(&val)
-    dbg!(crate::eventsub::Payload::parse(&body).unwrap());
+}
+
+#[test]
+fn verify_request() {
+    use http::header::{HeaderMap, HeaderName, HeaderValue};
+
+    let secret = b"secretabcd";
+    #[rustfmt::skip]
+    let headers: HeaderMap = vec![
+        ("Content-Length", "458"),
+        ("Content-Type", "application/json"),
+        ("Twitch-Eventsub-Message-Id", "ae2ff348-e102-16be-a3eb-6830c1bf38d2"),
+        ("Twitch-Eventsub-Message-Retry", "0"),
+        ("Twitch-Eventsub-Message-Signature", "sha256=d10f5bd9474b7ac7bd7105eb79c2d52768b4d0cd2a135982c3bf5a1d59a78823"),
+        ("Twitch-Eventsub-Message-Timestamp", "2021-02-19T23:47:00.8091512Z"),
+        ("Twitch-Eventsub-Message-Type", "notification"),
+        ("Twitch-Eventsub-Subscription-Type", "channel.follow"),
+        ("Twitch-Eventsub-Subscription-Version", "1"),
+    ].into_iter()
+        .map(|(h, v)| {
+            (
+                h.parse::<HeaderName>().unwrap(),
+                v.parse::<HeaderValue>().unwrap(),
+            )
+        })
+        .collect();
+
+    let body = r#"{"subscription":{"id":"ae2ff348-e102-16be-a3eb-6830c1bf38d2","status":"enabled","type":"channel.follow","version":"1","condition":{"broadcaster_user_id":"44429626"},"transport":{"method":"webhook","callback":"null"},"created_at":"2021-02-19T23:47:00.7621315Z"},"event":{"user_id":"28408015","user_login":"testFromUser","user_name":"testFromUser","broadcaster_user_id":"44429626","broadcaster_user_login":"44429626","broadcaster_user_name":"testBroadcaster"}}"#;
+    let mut request = http::Request::builder();
+    let _ = std::mem::replace(request.headers_mut().unwrap(), headers);
+    let request = request.body(body.as_bytes().to_vec()).unwrap();
+    dbg!(&body);
+    assert!(crate::eventsub::Payload::verify_payload(&request, secret));
 }

src/lib.rs

@@ -58,6 +58,7 @@
 //! | <span class="module-item stab portability" style="display: inline; border-radius: 3px; padding: 2px; font-size: 80%; line-height: 1.2;"><code>pubsub</code></span> | Enables deserializable structs for [PubSub](pubsub) |
 //! | <span class="module-item stab portability" style="display: inline; border-radius: 3px; padding: 2px; font-size: 80%; line-height: 1.2;"><code>surf_client</code></span> | Enables surf for [`HttpClient`] |
 //! | <span class="module-item stab portability" style="display: inline; border-radius: 3px; padding: 2px; font-size: 80%; line-height: 1.2;"><code>reqwest_client</code></span> | Enables reqwest for [`HttpClient`] |
+//! | <span class="module-item stab portability" style="display: inline; border-radius: 3px; padding: 2px; font-size: 80%; line-height: 1.2;"><code>hmac</code></span> | Enable [message authentication](eventsub::Payload::verify_payload) using HMAC on [EventSub](eventsub) |
 //! | <span class="module-item stab portability" style="display: inline; border-radius: 3px; padding: 2px; font-size: 80%; line-height: 1.2;"><code>all</code></span> | Enables all above features. Including reqwest and surf. Do not use this in production, it's better if you specify exactly what you need |
 //! | <span class="module-item stab portability" style="display: inline; border-radius: 3px; padding: 2px; font-size: 80%; line-height: 1.2;"><code>unsupported</code></span> | Enables undocumented or experimental endpoints or topics. Breakage may occur |
 //! | <span class="module-item stab portability" style="display: inline; border-radius: 3px; padding: 2px; font-size: 80%; line-height: 1.2;"><code>allow_unknown_fields</code></span> | Removes `#[serde(deny_unknown_fields)]` on all applicable structs/enums |