Merge pull request #109 from nqkdev/master

marcel corso gonzalez · web-flow · commit 9e46bb9ad374 · 2021-09-24T13:13:32.000+02:00
Support new webhook signature method
diff --git a/go.mod b/go.mod
@@ -2,4 +2,7 @@ module github.com/messagebird/go-rest-api/v7
 
 go 1.14
 
-require github.com/stretchr/testify v1.7.0
+require (
+	github.com/golang-jwt/jwt v3.2.1+incompatible
+	github.com/stretchr/testify v1.7.0
+)
diff --git a/go.sum b/go.sum
@@ -1,8 +1,9 @@
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
+github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
diff --git a/signature/signature.go b/signature/signature.go
@@ -1,6 +1,9 @@
 /*
 Package signature implements signature verification for MessageBird webhooks.
 
+Deprecated: package signature is no longer supported. Use package
+signature_jwt instead.
+
 To use define a new validator using your MessageBird Signing key.  You can use the
 ValidRequest method, just pass the request as a parameter:
 
@@ -57,6 +60,7 @@ type Validator struct {
 }
 
 // NewValidator returns a signature validator object.
+// Deprecated: Use signature_jwt.NewValidator(string) instead.
 func NewValidator(signingKey string) *Validator {
 	return &Validator{
 		SigningKey: signingKey,
@@ -110,6 +114,7 @@ func (v *Validator) validSignature(ts, rqp string, b []byte, rs string) bool {
 
 // ValidRequest is a method that takes care of the signature validation of
 // incoming requests.
+// Deprecated: Use signature_jwt.Validator.ValidateSignature(*http.Request, string) instead.
 func (v *Validator) ValidRequest(r *http.Request) error {
 	ts := r.Header.Get(tsHeader)
 	rs := r.Header.Get(sHeader)
@@ -127,6 +132,7 @@ func (v *Validator) ValidRequest(r *http.Request) error {
 // Validate is a handler wrapper that takes care of the signature validation of
 // incoming requests and rejects them if invalid or pass them on to your handler
 // otherwise.
+// Deprecated: Use signature_jwt.Validator.Validate(http.Handler) instead.
 func (v *Validator) Validate(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if err := v.ValidRequest(r); err != nil {
diff --git a/signature_jwt/claims.go b/signature_jwt/claims.go
@@ -0,0 +1,77 @@
+package signature_jwt
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+)
+
+// maxSkew is the maximum time skew that we accept.  Sometimes the Internet is *so* fast
+// that messages are received before they are sent, or the clocks of two servers are not
+// in-sync, whichever cause seems more likely to you.
+const maxSkew = 1 * time.Second
+
+// Claims replaces jwt.StandardClaims as it checks all aspects of the the JWT token that
+// have been specified by the MessageBird RFC.
+type Claims struct {
+	// The following 3 fields are added to Claims before JWT is parsed so that the
+	// immediately following call to Valid() by jwt-go has *all* necessary information to
+	// determine whether JWT is valid.  These fields should not be overwritten by JSON
+	// unmarshal.
+	receivedTime       time.Time
+	correctPayloadHash string
+	correctURLHash     string
+	skipURLValidation  bool
+
+	Issuer         string `json:"iss"`
+	NotBefore      int64  `json:"nbf"`
+	ExpirationTime int64  `json:"exp"`
+	JWTID          string `json:"jti"`
+	URLHash        string `json:"url_hash"`
+	PayloadHash    string `json:"payload_hash,omitempty"`
+}
+
+// Valid is called by jwt-go after the Claims struct has been filled.  If an error is
+// returned, it means that the JWT should not be trusted.
+func (c Claims) Valid() error {
+	var errs []string
+
+	if c.Issuer != "MessageBird" {
+		errs = append(errs, "claim iss has wrong value")
+	}
+
+	if iat := time.Unix(c.NotBefore, int64(c.receivedTime.Nanosecond())).Add(-maxSkew); c.receivedTime.Before(iat) {
+		errs = append(errs, "claim nbf is in the future")
+	}
+
+	if exp := time.Unix(c.ExpirationTime, int64(c.receivedTime.Nanosecond())).Add(maxSkew); c.receivedTime.After(exp) {
+		errs = append(errs, "claim exp is in the past")
+	}
+
+	if c.JWTID == "" {
+		errs = append(errs, "claim jti is empty or missing")
+	}
+
+	if !c.skipURLValidation && c.correctURLHash != c.URLHash {
+		errs = append(errs, "claim url_hash is invalid")
+	}
+
+	switch {
+	case c.correctPayloadHash == "" && c.PayloadHash != "":
+		errs = append(errs, "claim payload_hash is set but actual payload is missing")
+	case c.correctPayloadHash != "" && c.PayloadHash == "":
+		errs = append(errs, "claim payload_hash is not set but payload is present")
+	case c.correctPayloadHash != c.PayloadHash:
+		errs = append(errs, "claim payload_hash is invalid")
+	}
+
+	if len(errs) == 0 {
+		return nil
+	}
+	return fmt.Errorf("%s", strings.Join(errs, "; "))
+}
+
+// Claims satisfies jwt.Claims.
+var _ jwt.Claims = Claims{}
diff --git a/signature_jwt/signature.go b/signature_jwt/signature.go
@@ -0,0 +1,159 @@
+/*
+Package signature_jwt implements signature verification for MessageBird webhooks.
+
+To use define a new validator using your MessageBird Signing key. Can be
+retrieved from https://dashboard.messagebird.com/developers/settings.
+This is NOT your API key.
+
+You can use the ValidateRequest method, just pass the request and base url as parameters:
+
+    validator := signature_jwt.NewValidator([]byte("your signing key"))
+	baseUrl := "https://yourdomain.com"
+    if err := validator.ValidateRequest(r, baseUrl); err != nil {
+        // handle error
+    }
+
+Or use the handler as a middleware for your server:
+
+	http.Handle("/path", validator.Validate(YourHandler, baseUrl))
+
+It will reject the requests that contain invalid signatures.
+
+For more information, see https://developers.messagebird.com/docs/verify-http-requests
+*/
+package signature_jwt
+
+import (
+	"bytes"
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+)
+
+const signatureHeader = "MessageBird-Signature-JWT"
+
+// TimeFunc provides the current time same as time.Now but can be overridden for testing.
+var TimeFunc = time.Now
+
+// allowedMethods lists the signing methods that we accept.  We only allow symmetric-key
+// algorithms as our customer signing keys are currently all simple byte strings.  HMAC is
+// also the only symkey signature method that is required by the RFC7518 Section 3.1 and
+// thus should be supported by all JWT implementations.
+var allowedMethods = []string{
+	jwt.SigningMethodHS256.Name,
+	jwt.SigningMethodHS384.Name,
+	jwt.SigningMethodHS512.Name,
+}
+
+// Validator type represents a MessageBird signature validator.
+type Validator struct {
+	parser jwt.Parser
+	keyFn  jwt.Keyfunc
+
+	skipURLValidation bool
+}
+
+type ValidatorOption func(*Validator)
+
+// SkipURLValidation instructs Validator to not validate url_hash claim.
+// It is recommended to not skip URL validation to ensure high security.
+// but the ability to skip URL validation is necessary in some cases, e.g.
+// your service is behind proxy or when you want to validate it yourself.
+// Note that if enabled, no query parameters should be trusted.
+func SkipURLValidation() ValidatorOption {
+	return func(c *Validator) {
+		c.skipURLValidation = true
+	}
+}
+
+// NewValidator returns a signature validator object.
+// Signing key can be retrieved from
+// https://dashboard.messagebird.com/developers/settings.
+// Note that this is NOT your API key.
+func NewValidator(signingKey string, opts ...ValidatorOption) *Validator {
+	validator := &Validator{
+		parser: jwt.Parser{
+			ValidMethods: allowedMethods,
+		},
+		keyFn: func(*jwt.Token) (interface{}, error) { return []byte(signingKey), nil },
+	}
+
+	for _, opt := range opts {
+		opt(validator)
+	}
+
+	return validator
+}
+
+// ValidateSignature returns the signature token claims when the signature
+// is validated successfully. Otherwise, an error is returned.
+// The provided url is the raw url including the protocol, hostname and
+// query string, e.g. https://example.com/?example=42.
+func (v *Validator) ValidateSignature(signature, url string, payload []byte) (jwt.Claims, error) {
+	claims := Claims{
+		receivedTime:      TimeFunc(),
+		skipURLValidation: v.skipURLValidation,
+	}
+
+	if !v.skipURLValidation && url != "" {
+		claims.correctURLHash = sha256Hash([]byte(url))
+	}
+	if payload != nil && len(payload) != 0 {
+		claims.correctPayloadHash = sha256Hash(payload)
+	}
+
+	if token, err := v.parser.ParseWithClaims(signature, &claims, v.keyFn); err != nil {
+		return nil, fmt.Errorf("invalid jwt: %w", err)
+	} else {
+		return token.Claims, nil
+	}
+}
+
+// ValidateRequest is a method that takes care of the signature validation of
+// incoming requests.
+func (v *Validator) ValidateRequest(r *http.Request, baseURL string) error {
+	signature := r.Header.Get(signatureHeader)
+	if signature == "" {
+		return fmt.Errorf("signature not found")
+	}
+
+	var fullURL string
+	if !v.skipURLValidation && baseURL != "" {
+		base, err := url.Parse(baseURL)
+		if err != nil {
+			return fmt.Errorf("error parsing base url: %v", err)
+		}
+		fullURL = base.ResolveReference(r.URL).String()
+	}
+
+	b, _ := ioutil.ReadAll(r.Body)
+	if _, err := v.ValidateSignature(signature, fullURL, b); err != nil {
+		return fmt.Errorf("invalid signature: %s", err.Error())
+	}
+	r.Body = ioutil.NopCloser(bytes.NewBuffer(b))
+	return nil
+}
+
+// Validate is a handler wrapper that takes care of the signature validation of
+// incoming requests and rejects them if invalid or pass them on to your handler
+// otherwise.
+func (v *Validator) Validate(h http.Handler, baseURL string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := v.ValidateRequest(r, baseURL); err != nil {
+			http.Error(w, "", http.StatusUnauthorized)
+			return
+		}
+		h.ServeHTTP(w, r)
+	})
+}
+
+func sha256Hash(data []byte) string {
+	h := sha256.Sum256(data)
+	return hex.EncodeToString(h[:])
+}
diff --git a/signature_jwt/signature_test.go b/signature_jwt/signature_test.go
diff --git a/signature_jwt/testdata/reference.json b/signature_jwt/testdata/reference.json
