Created
November 23, 2021 00:52
diff --git a/server/simpro/api/auth.py b/server/simpro/api/auth.py | |
index 76b12354..7b031d4d 100644 | |
--- a/server/simpro/api/auth.py | |
+++ b/server/simpro/api/auth.py | |
@@ -80,6 +80,9 @@ def save_user_auth(user: User, organization: Organization, build_domain: str, ac | |
class IsValidSimproRequest(BasePermission): | |
def has_permission(self, request: Request, view: View): | |
+ # Fetch this before getting request data, otherwise it fails | |
+ body = request._request.body | |
+ | |
integration_domain = request.data.get('build') | |
organization_code = view.kwargs.get('organization_code') | |
signature = request.META.get('HTTP_X_RESPONSE_SIGNATURE') | |
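Review bot: The comment above the added `body = request._request.body` line says only that it "fails" otherwise; name the actual failure so the ordering constraint survives a later refactor: Django's `HttpRequest.body` raises `RawPostDataException` once the underlying stream has been consumed, and DRF's `request.data` parsing on the next line is what consumes it. Suggest `# Read the raw bytes first: Django raises RawPostDataException if .body is accessed after request.data has consumed the stream, and the HMAC must cover the exact bytes sent.` It is also worth noting in that comment that `_request` is a DRF-private attribute (the same kind of reach-through the removed `_stream` code had) and that `.body` buffers the whole payload in memory, bounded by `DATA_UPLOAD_MAX_MEMORY_SIZE`, so an oversize payload raises `RequestDataTooBig` here before the signature is ever checked. has_permission continues past the end of this hunk.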
@@ -91,17 +94,8 @@ class IsValidSimproRequest(BasePermission): | |
webhook_secret = integration.data.get('webhook_secret') if integration.data else None | |
if not webhook_secret: | |
return False | |
- request_body_stream: Union[BytesIO, HttpRequest] = request.stream | |
- request_body_stream.read() | |
- if isinstance(request_body_stream, BytesIO): | |
- request_body_stream.seek(0) | |
- elif hasattr(request_body_stream, '_stream'): | |
- # On some platforms (Mac), request.stream will return the inner request rather than the request stream. | |
- # This seems to be caused by the request parser reading the request before permissions have been run. | |
- # In this case, we need to reset the stream to the beginning before reading, but this is only possible | |
- # by accessing the protected member "_stream". | |
- request_body_stream._stream.seek(0) | |
+ | |
hmac_digest = hmac.new(key=webhook_secret.encode(), | |
- msg=request_body_stream.read(), | |
+ msg=body, | |
digestmod=hashlib.sha1).hexdigest() | |
return hmac.compare_digest(signature, str(hmac_digest)) |
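Review bot: `hmac.compare_digest(signature, str(hmac_digest))` on the last line raises TypeError when the `X-Response-Signature` header is absent, because `request.META.get` returns None, and an unsigned request then surfaces as a 500 instead of a permission denial; unless a guard sits in the lines between the two hunks (new lines 89-93 are not shown), add `if not signature: return False` before the digest is computed. The `str()` wrapper is redundant since `hexdigest()` already returns a str, so `return hmac.compare_digest(signature, hmac_digest)` suffices. The added blank `+` line where the old seek block stood is leftover and can be dropped so the secret guard and the digest computation read as one unit.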