Discord security

Author: dyakovri

.github/workflows/build_and_publish.yml

@@ -56,7 +56,7 @@ jobs:
     runs-on: [self-hosted, Linux]
     environment:
       name: Testing
-      url: https://api.test.profcomff.com/social
+      url: https://api.test.profcomff.com/?urls.primaryName=social
     env:
       CONTAINER_NAME: com_profcomff_api_social_test
     permissions:
@@ -98,7 +98,7 @@ jobs:
     runs-on: [self-hosted, Linux]
     environment:
       name: Production
-      url: https://api.profcomff.com/social
+      url: https://api.profcomff.com/?urls.primaryName=social
     env:
       CONTAINER_NAME: com_profcomff_api_social
     permissions:
@@ -131,6 +131,7 @@ jobs:
             --env TELEGRAM_BOT_TOKEN='${{ secrets.TELEGRAM_BOT_TOKEN }}' \
             --env GITHUB_APP_ID='${{ secrets.GH_APP_ID }}' \
             --env GITHUB_PRIVATE_KEY='${{ secrets.GH_PRIVATE_KEY }}' \
+            --env DISCORD_PUBLIC_KEY='${{ secrets.DISCORD_PUBLIC_KEY }}' \
             --env GUNICORN_CMD_ARGS='--log-config logging_prod.conf' \
             --name ${{ env.CONTAINER_NAME }} \
             ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

requirements.txt

@@ -12,3 +12,4 @@ auth-lib-profcomff[fastapi]
 python-telegram-bot
 jwt
 gql[requests]
+pynacl

social/routes/discord.py

@@ -1,8 +1,10 @@
 import logging
 
-from fastapi import APIRouter, BackgroundTasks, Request
+from fastapi import APIRouter, BackgroundTasks, Request, HTTPException
 from fastapi.responses import JSONResponse
 from fastapi_sqlalchemy import db
+from nacl.signing import VerifyKey
+from nacl.exceptions import BadSignatureError
 
 from social.handlers_discord.base import process_event
 from social.models.webhook_storage import WebhookStorage, WebhookSystems
@@ -12,14 +14,24 @@
 router = APIRouter(prefix="/discord", tags=["webhooks"])
 settings = get_settings()
 logger = logging.getLogger(__name__)
+verify_key = VerifyKey(bytes.fromhex(settings.DISCORD_PUBLIC_KEY))
 
 
 @router.post('')
 async def discord_webhook(request: Request, background_tasks: BackgroundTasks):
     """Принимает любой POST запрос от discord"""
-    request_data = await request.json()
+    request_data: dict[str] = await request.json()
     logger.debug(request_data)
 
+    signature = request.headers.get("X-Signature-Ed25519", "")
+    timestamp = request.headers.get("X-Signature-Timestamp", "")
+    body = (await request.body()).decode("utf-8")
+
+    try:
+        verify_key.verify(f'{timestamp}{body}'.encode(), bytes.fromhex(signature))
+    except BadSignatureError:
+        raise HTTPException(401, 'invalid request signature')
+
     db.session.add(
         WebhookStorage(
             system=WebhookSystems.DISCORD,

social/settings.py

@@ -24,6 +24,8 @@ class Settings(BaseSettings):
     GITHUB_WEBHOOK_SECRET: str | None = None
     GITHUB_PRIVATE_KEY: str | None = None
 
+    DISCORD_PUBLIC_KEY: str | None = None
+
 
 @lru_cache
 def get_settings() -> Settings: