fix validation function

Dan Hertz · Dan Hertz · commit e59fed9f0be7 · 2021-11-22T14:05:52.000-08:00
diff --git a/dev-requirements.txt b/dev-requirements.txt
@@ -12,4 +12,5 @@ flake8
 autopep8
 pytest
 pytest-cov
-requests
+requests
+freezegun
diff --git a/nightfall/api.py b/nightfall/api.py
@@ -233,15 +233,16 @@ def validate_webhook(self, request_signature: str, request_timestamp: str, reque
         """
 
         now = datetime.now()
-        if now-timedelta(minutes=5) <= datetime.fromtimestamp(int(request_timestamp)) <= now:
-            raise NightfallUserError("could not validate timestamp is within the last few minutes", 40000)
+        request_datetime = datetime.fromtimestamp(int(request_timestamp))
+        if request_datetime < now-timedelta(minutes=5) or request_datetime > now:
+            return False
         computed_signature = hmac.new(
             self.signing_secret.encode(),
             msg=F"{request_timestamp}:{request_data}".encode(),
             digestmod=hashlib.sha256
         ).hexdigest().lower()
         if computed_signature != request_signature:
-            raise NightfallUserError("could not validate signature of inbound request!", 40000)
+            return False
         return True
 
 
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -1,4 +1,8 @@
+import datetime
 import os
+import time
+
+from freezegun import freeze_time
 import pytest
 
 from nightfall.api import Nightfall
@@ -47,6 +51,33 @@ def test_scan_text_detection_rules_v3(nightfall):
     assert redactions[0] == "491👀-👀👀👀👀-👀👀👀👀-👀👀👀👀 is my credit card number"
 
 
+@freeze_time("2021-10-04T17:30:50Z")
+def test_validate_webhook(nightfall):
+    nightfall.signing_secret = "super-secret-shhhh"
+    timestamp = 1633368645
+    body = "hello world foo bar goodnight moon"
+    expected = "1bb7619a9504474ffc14086d0423ad15db42606d3ca52afccb4a5b2125d7b703"
+    assert nightfall.validate_webhook(expected, timestamp, body)
+
+
+@freeze_time("2021-10-04T19:30:50Z")
+def test_validate_webhook_too_old(nightfall):
+    nightfall.signing_secret = "super-secret-shhhh"
+    timestamp = 1633368645
+    body = "hello world foo bar goodnight moon"
+    expected = "1bb7619a9504474ffc14086d0423ad15db42606d3ca52afccb4a5b2125d7b703"
+    assert not nightfall.validate_webhook(expected, timestamp, body)
+
+
+@freeze_time("2021-10-04T17:30:50Z")
+def test_validate_webhook_incorrect_sig(nightfall):
+    nightfall.signing_secret = "super-secret-shhhh"
+    timestamp = 1633368645
+    body = "hello world foo bar goodnight moon"
+    expected = "not matching"
+    assert not nightfall.validate_webhook(expected, timestamp, body)
+
+
 @pytest.mark.filetest
 def test_scan_file_detection_rules(nightfall):
     file = "file.txt"
