From: Florian Forster Date: Thu, 1 Feb 2018 07:07:28 +0000 (+0100) Subject: Package fitbit: Log signatures on failure. X-Git-Url: https://git.verplant.org/?a=commitdiff_plain;h=b0b4324f51ba7658e5e97b294ebd8ab7008d8f2a;p=kraftakt.git Package fitbit: Log signatures on failure. Also promote "signature mismatch" from warning to error. --- diff --git a/fitbit/fitbit.go b/fitbit/fitbit.go index 33f2ccd..9466b12 100644 --- a/fitbit/fitbit.go +++ b/fitbit/fitbit.go @@ -6,6 +6,7 @@ import ( "crypto/hmac" "crypto/sha1" "encoding/base64" + "encoding/hex" "encoding/json" "fmt" "io/ioutil" @@ -70,6 +71,12 @@ func CheckSignature(ctx context.Context, payload []byte, rawSig string) bool { mac.Write(payload) signatureWant := mac.Sum(nil) + if !hmac.Equal(signatureGot, signatureWant) { + log.Debugf(ctx, "CheckSignature(): got %q, want %q", + hex.EncodeToString(signatureGot), + hex.EncodeToString(signatureWant)) + } + return hmac.Equal(signatureGot, signatureWant) } diff --git a/kraftakt.go b/kraftakt.go index da10c62..d53a3a3 100644 --- a/kraftakt.go +++ b/kraftakt.go @@ -258,7 +258,7 @@ func fitbitNotifyHandler(ctx context.Context, w http.ResponseWriter, r *http.Req // Fitbit recommendation: "If signature verification fails, you should // respond with a 404" if !fitbit.CheckSignature(ctx, data, r.Header.Get("X-Fitbit-Signature")) { - log.Warningf(ctx, "signature mismatch") + log.Errorf(ctx, "signature mismatch") w.WriteHeader(http.StatusNotFound) return nil }