Adding request header X-Hub-Signature validation (fbsamples#4)

AnuiShark · adamgross42 · commit a59c4ba4969a · 2016-06-09T10:02:35.000-07:00
* added .gitignore and updated index.js to validate header X-Hub-Signature

* added .gitignore and updated index.js to validate header X-Hub-Signature

* - Updated sample to directly use process.env.APP_SECRET
- Updated Heroku read me with quick instructions on config vars
- Fixed a couple of if spacing nits
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,12 @@
+# Node build artifacts
+node_modules
+npm-debug.log
+
+# Local development
+*.env
+*.dev
+.DS_Store
+
+# Docker
+Dockerfile
+docker-compose.yml
diff --git a/heroku/README.md b/heroku/README.md
@@ -7,7 +7,7 @@ This is a sample client for [Facebook's Graph API Webhooks](https://developers.f
 ### Heroku
 1. Deploy with this button: [![Deploy](https://www.herokucdn.com/deploy/button.svg)](https://heroku.com/deploy?template=https://github.com/fbsamples/graph-api-webhooks-samples)
 1. Test your deployment with `curl https://<your-subdomain>.herokuapp.com` - you should see "It works!".
-
+1. For handling webhook post request validation, ensure your Heroku app has an `APP_SECRET` config var that you can obtain from your Facebook app settings.
 
 ### Facebook
 1. Create a new [Facebook application](https://developers.facebook.com/apps).
diff --git a/heroku/index.js b/heroku/index.js
@@ -9,11 +9,13 @@
 var bodyParser = require('body-parser');
 var express = require('express');
 var app = express();
+var xhub = require('express-x-hub');
 
 app.set('port', (process.env.PORT || 5000));
 app.listen(app.get('port'));
 
 app.use(bodyParser.json());
+app.use(xhub({ algorithm: 'sha1', secret: process.env.APP_SECRET }));
 
 app.get('/', function(req, res) {
   console.log(req);
@@ -33,7 +35,22 @@ app.get(['/facebook', '/instagram'], function(req, res) {
 
 app.post('/facebook', function(req, res) {
   console.log('Facebook request body:');
+
+  if (req.isXHub) {
+    console.log('request header X-Hub-Signature found, validating');
+    if (req.isXHubValid()) {
+      console.log('request header X-Hub-Signature validated');
+      res.send('Verified!\n');
+    }
+  }
+  else {
+    console.log('Warning - request header X-Hub-Signature not present or invalid');
+    res.send('Failed to verify!\n');
+    // recommend sending 401 status in production for non-validated signatures
+    // res.sendStatus(401);
+  }
   console.log(req.body);
+
   // Process the Facebook updates here
   res.sendStatus(200);
 });
diff --git a/package.json b/package.json
@@ -8,7 +8,8 @@
   },
   "dependencies": {
     "body-parser": "~1.15.0",
-    "express": "~4.13.3"
+    "express": "~4.13.3",
+    "express-x-hub": "^1.0.4"
   },
   "engines": {
     "node": "0.12.7"
