Merge pull request #14 from own3d/oauth-webhook

Oauth Update validation

Author: StefanEnsmann

config/own3d-id.php

@@ -8,4 +8,5 @@
     'token_type' => env('OWN3D_ID_TOKEN_TYPE', 'Bearer'),
     'model' => env('OWN3D_ID_MODEL', \App\Models\User::class),
     'model_key' => env('OWN3D_ID_MODEL_KEY', 'own3d_id'),
+    'webhook_age_tolerance' => intval(env('OWN3D_ID_WEBHOOK_AGE_TOLERANCE', 300)),
 ];

src/Enums/Platform.php

@@ -6,6 +6,7 @@
  * Supported oauth providers.
  *
  * @author René Preuß <[email protected]>
+ * @author Stefan Ensmann <[email protected]>
  */
 class Platform
 {
@@ -17,4 +18,32 @@ class Platform
 
     public const SLACK = 'slack';
 
-}
+    public const YOUTUBE = 'youtube';
+
+    public const FACEBOOK = 'facebook';
+
+    public const INSTAGRAM = 'instagram';
+
+    public const KICK = 'kick';
+
+    public const TIKTOK = 'tiktok';
+
+    public const TROVO = 'trovo';
+
+    public const TWITTER = 'twitter';
+
+    /**
+     * Returns an array with all supported platforms.
+     * 
+     * @return string[]
+     */
+    public static function supported() {
+        return [
+            self::TWITCH,
+            self::DISCORD,
+            self::GOOGLE,
+            self::SLACK,
+            self::YOUTUBE,
+        ];
+    }
+}

src/Http/Middleware/UpdateWebhookValidation.php

@@ -0,0 +1,42 @@
+<?php
+
+namespace Own3d\Id\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+
+/**
+ * @author Stefan Ensmann <[email protected]>
+ */
+class UpdateWebhookValidation extends WebhookValidation
+{
+    private const SUPPORTED_TYPES = [
+        'account_migration',
+        'platform_authorization_revoked',
+        'account_authorization_revoked',
+        'platform_linked',
+        'personal_information_updated',
+        'preferences_updated',
+    ];
+
+    /**
+     * Handle the incoming request.
+     *
+     * @param Request $request
+     * @param Closure $next
+     * 
+     * @return Response
+     */
+    public function handle($request, $next)
+    {
+        if (!in_array($request->input('type', ''), self::SUPPORTED_TYPES)) {
+            return response()
+                ->json([
+                    'error' => 'Invalid update type',
+                ], 400);
+        }
+
+        return parent::handle($request, $next);
+    }
+}

src/Http/Middleware/WebhookValidation.php

@@ -0,0 +1,72 @@
+<?php
+
+namespace Own3d\Id\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+
+/**
+ * @author Stefan Ensmann <[email protected]>
+ */
+class WebhookValidation
+{
+    /**
+     * Handle the incoming request.
+     *
+     * @param Request $request
+     * @param Closure $next
+     * 
+     * @return Response
+     */
+    public function handle($request, $next)
+    {
+        $xSignature = $request->header('X-Signature', '');
+        $xTimestamp = intval($request->header('X-Timestamp', 0));
+
+        $input = $request->input();
+
+        if (!$this->isValidTimestamp($xTimestamp)) {
+            return response()
+                ->json([
+                    'error' => 'Request expired',
+                ], 400);
+        }
+
+        if (!$this->isValidSignature($input, $xTimestamp, $xSignature)) {
+            return response()
+                ->json([
+                    'error' => 'Invalid signature',
+                ], 400);
+        }
+
+        return $next($request);
+    }
+
+    /**
+     * Validates the timestamp of the incoming request.
+     * 
+     * @param int $timestamp
+     * @param int $tolerance
+     * 
+     * @return bool
+     */
+    private function isValidTimestamp($timestamp) {
+        return abs(time() - $timestamp) <= config('own3d-id.webhook_age_tolerance');
+    }
+
+    /**
+     * Validates the signature of the incoming request.
+     * 
+     * @param array $payload
+     * @param int $timestamp
+     * @param string $receivedSignature
+     * 
+     * @return bool
+     */
+    private function isValidSignature($payload, $timestamp, $receivedSignature) {
+        $data = $timestamp . json_encode($payload);
+        $calculatedSignature = hash_hmac('sha256', $data, config('own3d-id.client_secret'));
+        return hash_equals($calculatedSignature, $receivedSignature);
+    }
+}