Merge branch 'gmacon-verifyWebhookSignature'

2024-11-22 20:46:03 +03:00 · 2014-11-19 14:29:50 -08:00 · 2014-11-19 14:29:50 -08:00 · f4c6fd012b
commit f4c6fd012b
parent 529e392386 b28a742efb
2 changed files with 90 additions and 46 deletions
--- a/src/Mailgun/Mailgun.php
+++ b/src/Mailgun/Mailgun.php
@ -17,22 +17,21 @@ use Mailgun\Messages\MessageBuilder;
 */

 class Mailgun{
-
    protected $workingDomain;
    protected $restClient;
+    protected $apiKey;
    
    public function __construct($apiKey = null, $apiEndpoint = "api.mailgun.net", $apiVersion = "v2", $ssl = true){
+        $this->apiKey = $apiKey;
        $this->restClient = new RestClient($apiKey, $apiEndpoint, $apiVersion, $ssl);
    }

    public function sendMessage($workingDomain, $postData, $postFiles = array()){
-
        /*
-       This function allows the sending of a fully formed message OR a custom
-	   MIME string. If sending MIME, the string must be passed in to the 3rd
-	   position of the function call.
+         *  This function allows the sending of a fully formed message OR a custom
+         *  MIME string. If sending MIME, the string must be passed in to the 3rd
+         *  position of the function call.
        */
-
        if(is_array($postFiles)){
            return $this->post("$workingDomain/messages", $postData, $postFiles);
        }
@ -52,6 +51,31 @@ class Mailgun{
        }
    }
    
+    public function verifyWebhookSignature($postData = NULL) {
+        /*
+         * This function checks the signature in a POST request to see if it is
+         * authentic.
+         *
+         * Pass an array of parameters.  If you pass nothing, $_POST will be
+         * used instead.
+         *
+         * If this function returns FALSE, you must not process the request.
+         * You should reject the request with status code 403 Forbidden.
+        */
+        if(is_null($postData)) {
+            $postData = $_POST;
+        }
+        $hmac = hash_hmac('sha256', "{$postData["timestamp"]}{$postData["token"]}", $this->apiKey);
+        $sig = $postData['signature'];
+        if(function_exists('hash_equals')) {
+            // hash_equals is constant time, but will not be introduced until PHP 5.6
+            return hash_equals($hmac, $sig);
+        }
+        else {
+            return ($hmac == $sig);
+        }
+    }
+
    public function post($endpointUrl, $postData = array(), $files = array()){
        return $this->restClient->post($endpointUrl, $postData, $files);
    }
--- a/tests/Mailgun/Tests/MailgunTest.php
+++ b/tests/Mailgun/Tests/MailgunTest.php
@ -13,4 +13,24 @@ class MailgunTest extends \Mailgun\Tests\MailgunTestCase
        $client = new Mailgun();
        $client->sendMessage("test.mailgun.com", "etss", 1);
    }
+
+    public function testVerifyWebhookGood() {
+        $client = new Mailgun('key-3ax6xnjp29jd6fds4gc373sgvjxteol0');
+        $postData = [
+            'timestamp' => '1403645220',
+            'token' => '5egbgr1vjgqxtrnp65xfznchgdccwh5d6i09vijqi3whgowmn6',
+            'signature' => '9cfc5c41582e51246e73c88d34db3af0a3a2692a76fbab81492842f000256d33',
+        ];
+        assert($client->verifyWebhookSignature($postData));
+    }
+
+    public function testVerifyWebhookBad() {
+        $client = new Mailgun('key-3ax6xnjp29jd6fds4gc373sgvjxteol0');
+        $postData = [
+            'timestamp' => '1403645220',
+            'token' => 'owyldpe6nxhmrn78epljl6bj0orrki1u3d2v5e6cnlmmuox8jr',
+            'signature' => '9cfc5c41582e51246e73c88d34db3af0a3a2692a76fbab81492842f000256d33',
+        ];
+        assert(!$client->verifyWebhookSignature($postData));
+    }
 }