Hook.io webhook to prevent Github commits spoofed by the pusher (not authored by him. git allows you to modify commit authors at will, so you can impersonate other users)

hook.io_commit_author_spoof_check.js

// The hook variable has a bunch of information about the request, check hook.io's documentation to learn more about it
module['exports'] = function accessRequestData (hook) {
  var request = require('request');
  var OAuth_token = hook.env.token; 
  // After creating your token on Github.com -> Settings -> Personal access tokens, 
  // add the token as an environment variable names 'token' on hook.io.

  var params = hook.params;
  var pusher = params.pusher;
  var repo = params.repository.full_name;
  var sha = params.after;  
   
  var allow = true;
  var commits = params.commits;  
  for(var commit in commits){
    var author = commits[commit].author;
    
    if(author.email !== pusher.email /*|| author.name !== pusher.name*/){
      allow = false;
      break;
    }
  }
  
  if(allow){
    var status = {"state": "success", "description": "All ok!", "context": "security"};
    hook.res.write("Authorized.");
  } else {
    var status = {"state": "failure", "description": "Includes commits not from the pusher", "context": "security"};
    hook.res.write("Denied: contains commits not from the pusher!");
  }
  
  var bodyString=JSON.stringify(status);  
  request.post({
    url:     "https://api.github.com/repos/" + repo + "/statuses/" + sha,
    headers: {'User-Agent': 'Hook.io', 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(bodyString), 'Authorization': 'token ' + OAuth_token},    
    body:    bodyString
  }, function(error, response, body){
    //hook.res.write(error);
    //hook.res.write(response);
    hook.res.write(body);
    hook.res.write("done!");
    hook.res.end();
  });  
};