jonchurch/verify_xhub_fb.js

## verify_xhub_fb.js

var crypto = require('crypto');
var bodyParser = require('body-parser');
var debug = require('debug')('botkit:verify_xhub_fb');

module.exports = function(webserver, controller) {

  if (controller.config.validate_requests === true) {
      // Load verify middleware just for post route on our receive webhook, and catch any errors it might throw to prevent the request from being parsed further.
      webserver.post('/facebook/receive', bodyParser.json({verify: verifyRequest}));
      webserver.use(abortOnValidationError);
  }

  // Verifies the SHA1 signature of the raw request payload before bodyParser parses it
  // Will abort parsing if signature is invalid, and pass a generic error to response
  function verifyRequest(req, res, buf, encoding) {
      var expected = req.headers['x-hub-signature'];
      var calculated = getSignature(buf);
      if (expected !== calculated) {
          throw new Error('Invalid signature on incoming request');
      } else {
          // debug('** X-Hub Verification successful!')
      }

  }
   function getSignature(buf) {
          var hmac = crypto.createHmac('sha1', controller.config.app_secret);
          hmac.update(buf, 'utf-8');
          return 'sha1=' + hmac.digest('hex');
      }

      function abortOnValidationError(err, req, res, next) {
          if (err) {
              controller.log('** Invalid X-HUB signature on incoming request!');
              debug('** X-HUB Validation Error:', err);
              res.status(400).send({
                  error: 'Invalid signature.'
              });
          } else {
              next();
          }
      }

}

	var crypto = require('crypto');
	var bodyParser = require('body-parser');
	var debug = require('debug')('botkit:verify_xhub_fb');

	module.exports = function(webserver, controller) {

	if (controller.config.validate_requests === true) {
	// Load verify middleware just for post route on our receive webhook, and catch any errors it might throw to prevent the request from being parsed further.
	webserver.post('/facebook/receive', bodyParser.json({verify: verifyRequest}));
	webserver.use(abortOnValidationError);
	}

	// Verifies the SHA1 signature of the raw request payload before bodyParser parses it
	// Will abort parsing if signature is invalid, and pass a generic error to response
	function verifyRequest(req, res, buf, encoding) {
	var expected = req.headers['x-hub-signature'];
	var calculated = getSignature(buf);
	if (expected !== calculated) {
	throw new Error('Invalid signature on incoming request');
	} else {
	// debug('** X-Hub Verification successful!')
	}

	}
	function getSignature(buf) {
	var hmac = crypto.createHmac('sha1', controller.config.app_secret);
	hmac.update(buf, 'utf-8');
	return 'sha1=' + hmac.digest('hex');
	}

	function abortOnValidationError(err, req, res, next) {
	if (err) {
	controller.log('** Invalid X-HUB signature on incoming request!');
	debug('** X-HUB Validation Error:', err);
	res.status(400).send({
	error: 'Invalid signature.'
	});
	} else {
	next();
	}
	}

	}