Merged add_webhook_secret

Dockerfile

@@ -5,3 +5,6 @@ EXPOSE 8080
 
 # Set this variable to the name of your production config file (without the extension)
 ENV NODE_ENV development
+
+# Set this variable to the value of the secret field of the Github webhook
+ENV WEBHOOK_SECRET ''

bot/index.js

@@ -118,7 +118,7 @@ const logTransaction = function (txId, from, to, amount, gasPrice) {
     logger.info("====================================================");
 }
 
-const log = function (msg) {
+const info = function (msg) {
     logger.info(msg);
 }
 
@@ -161,7 +161,7 @@ module.exports = {
     getAmount: getAmount,
     getGasPrice: prices.getGasPrice,
     sendTransaction: sendTransaction,
-    log: log,
+    info: info,
     logTransaction: logTransaction,
     error: error
 }

index.js

@@ -10,6 +10,8 @@
 
 const config = require('./config');
 const bot = require('./bot');
+const crypto = require('crypto');
+
 
 var express = require('express'),
     cors = require('cors'),
@@ -23,28 +25,74 @@ app.use(helmet());
 
 // Receive a POST request at the url specified by an env. var.
 app.post(`${config.urlEndpoint}`, jsonParser, function (req, res, next) {
+
     if (!req.body || !req.body.action) {
         return res.sendStatus(400);
     } else if (!bot.needsFunding(req)) {
         return res.sendStatus(204);
     }
+
+    validation = validateRequest(req);
+
+    if (validation.correct) {
+
         setTimeout(() => {
             processRequest(req)
                 .then(() => {
-                bot.info('issue well funded: ' + res.body.issue.url);
+                    bot.info('issue well funded: ' + req.body.issue.url);
                 })
                 .catch((err) => {
-                bot.error('Error funding issue: ' + req.body.issue.url);
+                    bot.error('Error processing request: ' + req.body.issue.url);
                     bot.error('error: ' + err);
-                bot.error('dump: ' + req);
+                    bot.error('dump: ' + req.body);
                 });
         }, config.delayInMiliSeconds);
 
+    } else {
+        bot.error('Error validating issue: ' + req.body.issue.url);
+        bot.error('error: ' + validation.error);
+    }
     return res.sendStatus(200);
 });
 
+const validateRequest = function (req) {
+    validation = {correct: false, error: ''};
+    webhookSecret = process.env.WEBHOOK_SECRET;
+
+    if(!webhookSecret) {
+        validation.error = 'Github Webhook Secret key not found. ' +
+        'Please set env variable WEBHOOK_SECRET to github\'s webhook secret value';
+    } else {
+
+        const blob = JSON.stringify(req.body);
+        const hmac = crypto.createHmac('sha1', webhookSecret);
+        const ourSignature = `sha1=${hmac.update(blob).digest('hex')}`;
+
+        const theirSignature = req.get('X-Hub-Signature');
+
+        const bufferA = Buffer.from(ourSignature, 'utf8');
+        const bufferB = Buffer.from(theirSignature, 'utf8');
+
+        const safe = crypto.timingSafeEqual(bufferA, bufferB);
+
+        if (safe) {
+            validation.correct = true;
+        } else {
+            validation.error = 'Invalid signature. Check that WEBHOOK_SECRET ' +
+            'env variable matches github\'s webhook secret value';
+        }
+    }
+
+    return validation;
+}
+
 const processRequest = function (req) {
+<<<<<<< HEAD
     const wallet = bot.wallet;
+=======
+
+    const eth = bot.eth;
+>>>>>>> add_webhook_secret
     const from = config.sourceAddress;
     const to = bot.getAddress(req);
 
@@ -74,5 +122,5 @@ const processRequest = function (req) {
 
 const port = process.env.PORT || 8181
 app.listen(port, function () {
-    bot.log('Autobounty listening on port', port);
+    bot.info('Autobounty listening on port', port);
 });

readme.md

@@ -31,7 +31,10 @@ All issues tagged with **[bounty](https://github.com/status-im/status-react/issu
 
 Autobounty is build using docker. Before building the image, you need to set up a configuration as follows:
 
-The [config]() folder contains the files for configuring the bot. The description for the variables can be found in *default.js*. Create a production config file (e.g. *production.js*) uing the {default,development}.js as template to override the default ones. **Remeber** to set the environment variable *NODE_ENV* in the dockerfile (e.g. `ENV NODE_ENV production`). 
+The [config]() folder contains the files for configuring the bot. The description for the variables can be found in *default.js*. Create a production config file (e.g. *production.js*) uing the {default,development}.js as template to override the default ones.
+
+**Remeber** to set the environment variable *NODE_ENV* in the dockerfile (e.g. `ENV NODE_ENV production`) and *WEBHOOK_SECRET* to the value specified in the secret field during the webhook creation (e.g. for random creation *ruby -rsecurerandom -e 'puts SecureRandom.hex(20)'*).
+)
 
 
 ```javascript
@@ -80,7 +83,7 @@ Create a github webhook with the following information:
 
 * Payoload URL: IP_HOST/URL_ENDPOINT
 * Content Type: application/json
-* Secret: blank
+* Secret: the value you set for environment variable WEBHOOK_SECRET.
 * Configure the webhook to be triggered by comments in issues selecting the Issue Comment box in 'Let me select individual events'
 
 Where *IP_HOST* is the ip of the machine running the docker image and *URL_ENDPOINT* is the configuration variable with the same name in your custom config file.