From b5035101b09a38c1f5978ed917e72c73e2d6e389 Mon Sep 17 00:00:00 2001
From: osaajani <>
Date: Sat, 30 Jan 2021 11:12:30 +0100
Subject: [PATCH 1/3] update webhook to add signature
---
 controllers/internals/Webhook.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/controllers/internals/Webhook.php b/controllers/internals/Webhook.php
index 1ca4725..81bfa3d 100644
--- a/controllers/internals/Webhook.php
+++ b/controllers/internals/Webhook.php
@@ -13,6 +13,8 @@ namespace controllers\internals;
 class Webhook extends StandardController
 {
+ const HMAC_ALGO = 'sha256';
+
 protected $bdd;
 protected $model;
@@ -105,6 +107,7 @@ class Webhook extends StandardController
 public function trigger(int $id_user, string $type, array $sms)
 {
 $internal_setting = new Setting($this->bdd);
+ $internal_user = new User($this->bdd);
 $settings = $internal_setting->gets_for_user($id_user);
 if (!$settings['webhook'] ?? false)
@@ -112,13 +115,22 @@ class Webhook extends StandardController
 return false;
 }
+ $user = $internal_user->get($id_user);
+ if (!$user)
+ {
+ return false;
+ }
+
 $webhooks = $this->gets_for_type_and_user($id_user, $type);
 foreach ($webhooks as $webhook)
 {
+ $timestamp = time();
 $message = [
 'url' => $webhook['url'],
 'data' => [
+ 'webhook_timestamp' => $timestamp,
 'webhook_type' => $webhook['type'],
+ 'webhook_random_id' => $timestamp . '-' . bin2hex(openssl_random_pseudo_bytes(8))
 'id' => $sms['id'],
 'at' => $sms['at'],
 'text' => $sms['text'],
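Review bot: `const HMAC_ALGO = 'sha256';` is added without a visibility modifier, so it becomes part of the class's public surface although only trigger() reads it. If the project targets PHP 7.1 or later (not visible from this hunk), `private const HMAC_ALGO = 'sha256';` keeps the algorithm an implementation detail; if it must stay public because receivers are expected to look it up, a one-line comment saying so would explain the choice.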
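Review bot: The new `webhook_random_id` line builds its random part with `bin2hex(openssl_random_pseudo_bytes(8))` and never inspects the function's `$crypto_strong` out-parameter, so a host whose OpenSSL backend cannot provide CSPRNG output yields an id that is not actually unpredictable, and on PHP versions before 8 a failed call returns `false`, which `bin2hex()` then receives. `random_bytes(8)` throws on failure instead of degrading silently and has been the standard choice since PHP 7, so the line should read `'webhook_random_id' => $timestamp . '-' . bin2hex(random_bytes(8)),`. The third patch's first hunk keeps the same call (widened to 16 bytes), so both places should change together. trigger() starts before this hunk and continues past its end.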
@@ -127,6 +139,10 @@ class Webhook extends StandardController
 ],
 ];
+ //signature is hexa string representing hmac sha256 of user_api_key::webhook_timestamp::webhook_random_id
+ $signature_clear = $user['api_key'] . '.' . $message['data']['webhook_timestamp'] . '.' . $message['data']['webhook_random_id'];
+ $message['data']['webhook_signature'] = hash_hmac(self::HMAC_ALGO, $signature_clear, $user['api_key']);
+
 $error_code = null;
 $queue = msg_get_queue(QUEUE_ID_WEBHOOK);
 $success = msg_send($queue, QUEUE_TYPE_WEBHOOK, $message, true, true, $error_code);
From 1c0ffc246a5c046cd3a4123aa904b56579de2e29 Mon Sep 17 00:00:00 2001
From: osaajani <>
Date: Sat, 30 Jan 2021 11:16:15 +0100
Subject: [PATCH 2/3] fix missing ,
---
 controllers/internals/Webhook.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controllers/internals/Webhook.php b/controllers/internals/Webhook.php
index 81bfa3d..5c40fce 100644
--- a/controllers/internals/Webhook.php
+++ b/controllers/internals/Webhook.php
@@ -130,7 +130,7 @@ class Webhook extends StandardController
 'data' => [
 'webhook_timestamp' => $timestamp,
 'webhook_type' => $webhook['type'],
- 'webhook_random_id' => $timestamp . '-' . bin2hex(openssl_random_pseudo_bytes(8))
+ 'webhook_random_id' => $timestamp . '-' . bin2hex(openssl_random_pseudo_bytes(8)),
 'id' => $sms['id'],
 'at' => $sms['at'],
 'text' => $sms['text'],
From 8843df9f4632db69a339ab611d17385dbadb7499 Mon Sep 17 00:00:00 2001
From: osaajani <>
Date: Sat, 30 Jan 2021 11:24:14 +0100
Subject: [PATCH 3/3] simplify webhook signature
---
 controllers/internals/Webhook.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/controllers/internals/Webhook.php b/controllers/internals/Webhook.php
index 5c40fce..6f2c59b 100644
--- a/controllers/internals/Webhook.php
+++ b/controllers/internals/Webhook.php
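Review bot: The string hashed into `webhook_signature` (`$signature_clear`) contains only the API key, the timestamp and the random id, none of which is the delivered content, so a receiver that verifies the signature learns that the sender holds the key but cannot tell whether `text`, `id`, `at` or `webhook_type` arrived as sent, and a previously seen (timestamp, random id, signature) set remains valid for any payload unless the receiver keeps a record of ids it has accepted. Concatenating `$user['api_key']` into the signed string adds nothing, since the same value is already the HMAC key. Binding the payload is a small change here, e.g. `$signature_clear = json_encode($message['data']);` followed by the existing `$message['data']['webhook_signature'] = hash_hmac(self::HMAC_ALGO, $signature_clear, $user['api_key']);`, although the more robust place is wherever the HTTP body is finally serialized (not in this file section), so that the receiver verifies the exact bytes it got. The third patch's first hunk restructures this code but still signs `webhook_random_id` alone, so the same remark applies there.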
@@ -125,12 +125,18 @@ class Webhook extends StandardController
 foreach ($webhooks as $webhook)
 {
 $timestamp = time();
+ $webhook_random_id = $timestamp . '-' . bin2hex(openssl_random_pseudo_bytes(16));
+
+ //signature is hexa string representing hmac sha256 of webhook_random_id
+ $webhook_signature = hash_hmac(self::HMAC_ALGO, $webhook_random_id, $user['api_key']);
+
 $message = [
 'url' => $webhook['url'],
 'data' => [
 'webhook_timestamp' => $timestamp,
 'webhook_type' => $webhook['type'],
- 'webhook_random_id' => $timestamp . '-' . bin2hex(openssl_random_pseudo_bytes(8)),
+ 'webhook_random_id' => $webhook_random_id,
+ 'webhook_signature' => $webhook_signature,
 'id' => $sms['id'],
 'at' => $sms['at'],
 'text' => $sms['text'],
@@ -139,10 +145,6 @@ class Webhook extends StandardController
 ],
 ];
- //signature is hexa string representing hmac sha256 of user_api_key::webhook_timestamp::webhook_random_id
- $signature_clear = $user['api_key'] . '.' . $message['data']['webhook_timestamp'] . '.' . $message['data']['webhook_random_id'];
- $message['data']['webhook_signature'] = hash_hmac(self::HMAC_ALGO, $signature_clear, $user['api_key']);
-
 $error_code = null;
 $queue = msg_get_queue(QUEUE_ID_WEBHOOK);
 $success = msg_send($queue, QUEUE_TYPE_WEBHOOK, $message, true, true, $error_code);
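Review bot: The comment `//signature is hexa string representing hmac sha256 of webhook_random_id` names what is hashed but not the contract a receiver has to implement, which is the part an integrator needs from this line. It should state that the HMAC key is the user's API key, that the comparison on the receiving side must be constant-time, and that `webhook_timestamp` is sent so receivers can discard deliveries older than a tolerance of their choosing, for example: `// webhook_signature = lowercase hex HMAC-SHA256 over webhook_random_id, keyed with the user's API key; receivers compare with hash_equals() and may use webhook_timestamp to reject stale deliveries`. Separately, `$user['api_key']` is used as the key with no check on its value; if a user can exist without an API key (the shape returned by `get()` is not visible here), the `if (!$user)` guard earlier in trigger(), outside this hunk, should also return when `$user['api_key']` is empty, because an HMAC under an empty key proves nothing about the sender. trigger() begins before this hunk and ends after it.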