Correctly handle malformed signature

Author: dnsge

handler.go

@@ -109,10 +109,7 @@ func (s *SubHandler) handlePost(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if s.doSignatureVerification {
-		if valid, err := VerifyRequestSignature(r, bodyBytes, s.signatureSecret); err != nil {
-			http.Error(w, "Internal Server Error", http.StatusBadRequest)
-			return
-		} else if !valid {
+		if valid, err := VerifyRequestSignature(r, bodyBytes, s.signatureSecret); err != nil || !valid {
 			http.Error(w, "Invalid request signature", http.StatusForbidden)
 			return
 		}

handler_test.go

@@ -26,9 +26,15 @@ func TestSubHandler_ServeHTTP_VerificationBasic(t *testing.T) {
 
 func TestSubHandler_ServeHTTP_VerificationInvalidSignature(t *testing.T) {
 	handler := NewSubHandler(true, []byte(secret))
+
+	// Test invalid signature
 	res := handleRequest(handler, newBadVerificationRequest)
 	_ = res.Body.Close()
+	assert.Equal(t, res.StatusCode, http.StatusForbidden)
 
+	// Test request with malformed signature
+	res = handleRequest(handler, newInvalidVerificationRequest)
+	_ = res.Body.Close()
 	assert.Equal(t, res.StatusCode, http.StatusForbidden)
 }
 
@@ -111,6 +117,13 @@ func newVerificationRequest() *http.Request {
 	return req
 }
 
+func newInvalidVerificationRequest() *http.Request {
+	req := newVerificationRequest()
+	// overwrite header with invalid signature
+	req.Header.Set("Twitch-Eventsub-Message-Signature", "hey this is not valid")
+	return req
+}
+
 func newBadVerificationRequest() *http.Request {
 	req := newVerificationRequest()
 	// overwrite header with invalid signature