📦 Add user install webhook endpoints

Author: Kile

.env.template

@@ -8,4 +8,6 @@ API_KEY="key used in Killua API"
 MODE="dev"
 HASH_SECRET="hash secret"
 GF_SECURITY_ADMIN_USER="admin"
-GF_SECURITY_ADMIN_PASSWORD="admin"
+GF_SECURITY_ADMIN_PASSWORD="admin"
+ADMIN_IDS=""
+PUBLIC_KEY=""

api/Cargo.lock

@@ -19,3 +19,6 @@ toml = "0.8.23"
 zmq = "0.10.0"
 reqwest = { version = "0.11", features = ["json"] }
 chrono = { version = "0.4", features = ["serde"] }
+ed25519-dalek = "2.0.0"
+hex = "0.4.3"
+rand = { version = "0.8.5", features = ["std"] }

api/Cargo.toml

@@ -1,15 +1,16 @@
 ## defaults for _all_ profiles
 [default]
 address = "0.0.0.0"
-limits = { form = "64 kB", json = "1 MiB" }
+limits = { form = "64 kB", json = "1 MiB", data-form = "500 MiB" }
 
 ## set only when compiled in debug mode, i.e, `cargo build`
 [debug]
 port = 7650
 ## only the `json` key from `default` will be overridden; `form` will remain
-limits = { json = "10MiB" }
+limits = { json = "10MiB", data-form = "500 MiB" }
 
 ## set only when compiled in release mode, i.e, `cargo build --release`
 [release]
 port = 7650
-ip_header = false
+ip_header = false
+limits = { data-form = "500 MiB" }

api/Rocket.toml

@@ -13,6 +13,7 @@ mod tests;
 use routes::cards::{get_cards, get_public_cards};
 use routes::commands::get_commands;
 use routes::diagnostics::get_diagnostics;
+use routes::discord_webhooks::{handle_discord_webhook, webhook_health_check};
 use routes::image::{delete, edit, image, list, upload};
 use routes::stats::get_stats;
 use routes::update::{update, update_cors};
@@ -44,6 +45,8 @@ fn rocket() -> _ {
                 update_cors,
                 get_userinfo,
                 get_userinfo_by_id,
+                handle_discord_webhook,
+                webhook_health_check,
             ],
         )
         .attach(db::init())

api/src/main.rs

@@ -0,0 +1,145 @@
+use ed25519_dalek::{Signature, Verifier, VerifyingKey};
+use hex;
+use rocket::http::Status;
+use rocket::request::{FromRequest, Outcome};
+use serde::{Deserialize, Serialize};
+use std::env;
+
+#[derive(Debug, Serialize, Deserialize)]
+pub struct SignatureError {
+    pub error: String,
+}
+
+#[derive(Debug)]
+pub struct DiscordSignature {
+    #[allow(dead_code)]
+    pub signature: String,
+    #[allow(dead_code)]
+    pub timestamp: String,
+}
+
+#[rocket::async_trait]
+impl<'r> FromRequest<'r> for DiscordSignature {
+    type Error = SignatureError;
+
+    async fn from_request(request: &'r rocket::Request<'_>) -> Outcome<Self, Self::Error> {
+        // Get required headers
+        let signature = match request.headers().get_one("X-Signature-Ed25519") {
+            Some(sig) => sig.to_string(),
+            None => {
+                return Outcome::Error((
+                    Status::Unauthorized,
+                    SignatureError {
+                        error: "Missing X-Signature-Ed25519 header".to_string(),
+                    },
+                ));
+            }
+        };
+
+        let timestamp = match request.headers().get_one("X-Signature-Timestamp") {
+            Some(ts) => ts.to_string(),
+            None => {
+                return Outcome::Error((
+                    Status::Unauthorized,
+                    SignatureError {
+                        error: "Missing X-Signature-Timestamp header".to_string(),
+                    },
+                ));
+            }
+        };
+
+        Outcome::Success(DiscordSignature {
+            signature,
+            timestamp,
+        })
+    }
+}
+
+// Helper function to verify Discord signature
+#[allow(dead_code)]
+pub fn verify_discord_signature(
+    public_key: &str,
+    signature: &str,
+    timestamp: &str,
+    body: &str,
+) -> bool {
+    // Parse the public key
+    let public_key_bytes = match hex::decode(public_key) {
+        Ok(bytes) => {
+            if bytes.len() != 32 {
+                return false;
+            }
+            let mut array = [0u8; 32];
+            array.copy_from_slice(&bytes);
+            array
+        }
+        Err(_) => return false,
+    };
+
+    // Parse the signature
+    let signature_bytes = match hex::decode(signature) {
+        Ok(bytes) => {
+            if bytes.len() != 64 {
+                return false;
+            }
+            let mut array = [0u8; 64];
+            array.copy_from_slice(&bytes);
+            array
+        }
+        Err(_) => return false,
+    };
+
+    // Create the message to verify (timestamp + body)
+    let message = format!("{}{}", timestamp, body);
+    let message_bytes = message.as_bytes();
+
+    // Create the verifying key
+    let verifying_key = match VerifyingKey::from_bytes(&public_key_bytes) {
+        Ok(key) => key,
+        Err(_) => return false,
+    };
+
+    // Create the signature
+    let signature = Signature::from(signature_bytes);
+
+    // Verify the signature
+    verifying_key.verify(message_bytes, &signature).is_ok()
+}
+
+// Function to validate Discord webhook request
+#[allow(dead_code)]
+pub fn validate_discord_webhook(
+    signature_header: Option<&str>,
+    timestamp_header: Option<&str>,
+    body: &str,
+) -> Result<(), Status> {
+    // Get the public key from environment variable
+    let public_key = match env::var("PUBLIC_KEY") {
+        Ok(key) => key,
+        Err(_) => {
+            return Err(Status::InternalServerError);
+        }
+    };
+
+    // Get required headers
+    let signature = match signature_header {
+        Some(sig) => sig,
+        None => {
+            return Err(Status::Unauthorized);
+        }
+    };
+
+    let timestamp = match timestamp_header {
+        Some(ts) => ts,
+        None => {
+            return Err(Status::Unauthorized);
+        }
+    };
+
+    // Verify the signature
+    if verify_discord_signature(&public_key, signature, timestamp, body) {
+        Ok(())
+    } else {
+        Err(Status::Unauthorized)
+    }
+}