Fixed sha1 token checking for GitHub webhooks

Author: valzargaming

src/Civ13/HttpServiceManager.php

@@ -302,10 +302,10 @@ function (ServerRequestInterface $request, string $endpoint, bool $whitelisted):
                         if (isset($this->civ13->channel_ids['staff_bot']) && $channel = $this->discord->getChannel($this->civ13->channel_ids['staff_bot'])) $this->civ13->sendMessage($channel, $tech_ping . "Unauthorized Request Headers on `$endpoint` endpoint: " . json_encode($headers));
                         return new HttpResponse(HttpResponse::STATUS_UNAUTHORIZED);
                     }
-                    // Secret isn't working right now, so we're not using it
-                    //$hash = "sha1=".hash_hmac('sha1', @file_get_contents("php://input"), getenv('github_secret')); // GitHub Webhook Secret is the same as the 'Secret' field on the Webhooks / Manage webhook page of the respostory
-                    //if (strcmp($signature, $hash) == 0) {
-                        //if (isset($this->civ13->channel_ids['staff_bot']) && $channel = $this->discord->getChannel($this->civ13->channel_ids['staff_bot'])) $this->civ13->sendMessage($channel, 'GitHub push event webhook received');
+                    if ($signature !== $hash = 'sha1=' . hash_hmac('sha1', $request->getBody(), getenv('github_secret'))) {
+                        $this->logger->warning("Unauthorized Request Signature on `$endpoint` endpoint: `$signature` != `$hash`");
+                        return new HttpResponse(HttpResponse::STATUS_UNAUTHORIZED);
+                    }
                     if (! $channel = $this->discord->getChannel($this->civ13->channel_ids['staff_bot'])) return HttpResponse::plaintext('Discord Channel Not Found')->withStatus(HttpResponse::STATUS_INTERNAL_SERVER_ERROR);
                     $promise = $this->civ13->sendMessage($channel, 'Updating code from GitHub... (1/3)');
                     OSFunctions::execInBackground('git pull');