Request verification using SHA1 and secret fails

[jakubgs]

I tried using this to handle webhook requests and I kept seeing 400 Bad Request responses:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>400 Bad Request</title>
<h1>Bad Request</h1>
<p>Invalid signature</p>

After a bit of investigation I found out that this fails because request.data is empty:

python-github-webhook/github_webhook/webhook.py

Lines 56 to 59 in 61e713c

	def _get_digest(self):
	"""Return message digest if a secret key was provided"""
	return hmac.new(self._secret, request.data, hashlib.sha1).hexdigest() if self._secret else None

And what should be used instead is request.get_data(), since it returns value regardless off payload format used:

Request.get_data(cache=True, as_text=False, parse_form_data=False)
This reads the buffered incoming data from the client into one bytestring. By default this is cached but that behavior can be changed by setting cache to False.
https://tedboy.github.io/flask/generated/generated/flask.Request.get_data.html

Not sure how this worked before...

[csik]

Thanks, @ jakubgs, this worked for me!