Fix streamKey not getting passed to webhook

Move webhook validation after stream profile policy
and use resolved streamkey

Author: michaelowens

internal/server/handlers/whip/whip.go

@@ -64,21 +64,6 @@ func WHIPHandler(responseWriter http.ResponseWriter, request *http.Request) {
 
 	var userProfile authorization.PublicProfile
 
-	// Stream requires webhook validation
-	if webhookURL := os.Getenv(environment.WebhookURL); webhookURL != "" {
-		streamKey, err := webhook.CallWebhook(webhookURL, webhook.WHIPConnect, token, request)
-		if err != nil {
-			responseWriter.WriteHeader(http.StatusUnauthorized)
-			return
-		}
-
-		userProfile = authorization.PublicProfile{
-			StreamKey: streamKey,
-			IsPublic:  true,
-			MOTD:      "Welcome to " + streamKey + "'s stream!",
-		}
-	}
-
 	// Stream profile policy
 	switch os.Getenv(environment.StreamProfilePolicy) {
 	// Only approved profiles are allowed to stream
@@ -118,6 +103,21 @@ func WHIPHandler(responseWriter http.ResponseWriter, request *http.Request) {
 		}
 	}
 
+	// Stream requires webhook validation
+	if webhookURL := os.Getenv(environment.WebhookURL); webhookURL != "" {
+		streamKey, err := webhook.CallWebhook(webhookURL, webhook.WHIPConnect, userProfile.StreamKey, request)
+		if err != nil {
+			responseWriter.WriteHeader(http.StatusUnauthorized)
+			return
+		}
+
+		userProfile = authorization.PublicProfile{
+			StreamKey: streamKey,
+			IsPublic:  true,
+			MOTD:      "Welcome to " + streamKey + "'s stream!",
+		}
+	}
+
 	if request.Method == http.MethodPatch {
 
 		if contentType := request.Header.Get("Content-Type"); contentType != "application/trickle-ice-sdpfrag" {

internal/server/handlers/whip/whip_test.go

@@ -0,0 +1,57 @@
+package whip
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/glimesh/broadcast-box/internal/environment"
+	"github.com/glimesh/broadcast-box/internal/server/authorization"
+	"github.com/stretchr/testify/require"
+)
+
+type whipWebhookPayload struct {
+	Action      string `json:"action"`
+	BearerToken string `json:"bearerToken"`
+}
+
+func TestWHIPHandlerWebhookUsesResolvedStreamKey(t *testing.T) {
+	t.Setenv(environment.StreamProfilePath, t.TempDir())
+	t.Setenv(environment.StreamProfilePolicy, authorization.StreamPolicyReservedOnly)
+
+	const streamKey = "test_stream"
+	bearerToken, err := authorization.CreateProfile(streamKey)
+	require.NoError(t, err)
+
+	payloads := make(chan whipWebhookPayload, 1)
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		defer func() { _ = r.Body.Close() }()
+
+		var payload whipWebhookPayload
+		require.NoError(t, json.NewDecoder(r.Body).Decode(&payload))
+
+		payloads <- payload
+		w.WriteHeader(http.StatusUnauthorized)
+	}))
+	defer server.Close()
+
+	t.Setenv(environment.WebhookURL, server.URL)
+
+	req := httptest.NewRequest(http.MethodPost, "/api/whip", strings.NewReader("v=0"))
+	req.Header.Set("Authorization", "Bearer "+bearerToken)
+
+	resp := httptest.NewRecorder()
+	WHIPHandler(resp, req)
+
+	require.Equal(t, http.StatusUnauthorized, resp.Code)
+
+	select {
+	case payload := <-payloads:
+		require.Equal(t, "whip-connect", payload.Action)
+		require.Equal(t, streamKey, payload.BearerToken)
+	default:
+		require.Fail(t, "expected webhook to be called")
+	}
+}