Add nonce to pubsub token

This commit is contained in:
Omar Roth 2019-03-04 07:53:31 -06:00
parent 5895604282
commit 004fb96b2f
2 changed files with 13 additions and 5 deletions


@ -92,7 +92,7 @@ PUBSUB_URL = URI.parse("https://pubsubhubbub.appspot.com")
TEXTCAPTCHA_URL = URI.parse("http://textcaptcha.com/omarroth@hotmail.com.json") TEXTCAPTCHA_URL = URI.parse("http://textcaptcha.com/omarroth@hotmail.com.json")
CURRENT_COMMIT = `git rev-list HEAD --max-count=1 --abbrev-commit`.strip CURRENT_COMMIT = `git rev-list HEAD --max-count=1 --abbrev-commit`.strip
CURRENT_VERSION = `git describe --tags $(git rev-list --tags --max-count=1)`.strip CURRENT_VERSION = `git describe --tags $(git rev-list --tags --max-count=1)`.strip
CURRENT_BRANCH = `git status | head -1`.strip CURRENT_BRANCH = `git status | head -1`.strip
LOCALES = { LOCALES = {
"ar" => load_locale("ar"), "ar" => load_locale("ar"),
@ -136,7 +136,7 @@ if config.statistics_enabled
"software" => { "software" => {
"name" => "invidious", "name" => "invidious",
"version" => "#{CURRENT_VERSION}-#{CURRENT_COMMIT}", "version" => "#{CURRENT_VERSION}-#{CURRENT_COMMIT}",
"branch" => "#{CURRENT_BRANCH}", "branch" => "#{CURRENT_BRANCH}",
}, },
"openRegistrations" => config.registration_enabled, "openRegistrations" => config.registration_enabled,
"usage" => { "usage" => {
@ -2329,13 +2329,19 @@ get "/feed/webhook/:token" do |env|
challenge = env.params.query["hub.challenge"] challenge = env.params.query["hub.challenge"]
lease_seconds = env.params.query["hub.lease_seconds"] lease_seconds = env.params.query["hub.lease_seconds"]
time, signature = verify_token.split(":") if verify_token.starts_with? "v1"
_, time, nonce, signature = verify_token.split(":")
data = "#{time}:#{nonce}"
else
time, signature = verify_token.split(":")
data = "#{time}"
end
if Time.now.to_unix - time.to_i > 600 if Time.now.to_unix - time.to_i > 600
halt env, status_code: 400 halt env, status_code: 400
end end
if OpenSSL::HMAC.hexdigest(:sha1, HMAC_KEY, time) != signature if OpenSSL::HMAC.hexdigest(:sha1, HMAC_KEY, data) != signature
halt env, status_code: 400 halt env, status_code: 400
end end
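Review bot: The new `v1` branch destructures `verify_token.split(":")` into four names without checking how many parts the split produced, so a malformed token such as `v1:123` would presumably raise an out-of-bounds error on the multiple assignment and surface as a server error instead of the `halt env, status_code: 400` the rest of the handler uses; the legacy branch has the same shape. A size check before the assignment keeps every malformed token on the 400 path: `parts = verify_token.split(":")`, `halt env, status_code: 400 unless parts.size == 4`, `_, time, nonce, signature = parts`. The `!=` on the recomputed HMAC is a plain string comparison rather than a constant-time one, and since this line is rewritten here it would be a good place to switch to `Crypto::Subtle.constant_time_compare`. It is also worth a comment that the nonce only varies the callback URL per subscription and, because nothing records seen nonces, the token stays accepted for the full 600-second window. The enclosing `get "/feed/webhook/:token"` block starts and ends outside the hunk.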


@ -194,11 +194,13 @@ end
def subscribe_pubsub(ucid, key, config) def subscribe_pubsub(ucid, key, config)
client = make_client(PUBSUB_URL) client = make_client(PUBSUB_URL)
time = Time.now.to_unix.to_s time = Time.now.to_unix.to_s
nonce = Random::Secure.hex(4)
signature = "#{time}:#{nonce}"
host_url = make_host_url(Kemal.config.ssl || config.https_only, config.domain) host_url = make_host_url(Kemal.config.ssl || config.https_only, config.domain)
body = { body = {
"hub.callback" => "#{host_url}/feed/webhook/#{time}:#{OpenSSL::HMAC.hexdigest(:sha1, key, time)}", "hub.callback" => "#{host_url}/feed/webhook/v1:#{time}:#{nonce}:#{OpenSSL::HMAC.hexdigest(:sha1, key, signature)}",
"hub.topic" => "https://www.youtube.com/feeds/videos.xml?channel_id=#{ucid}", "hub.topic" => "https://www.youtube.com/feeds/videos.xml?channel_id=#{ucid}",
"hub.verify" => "async", "hub.verify" => "async",
"hub.mode" => "subscribe", "hub.mode" => "subscribe",