fix: require pylon webhook secret validation (#22)

Author: axonasif

BotConfig_tmpl.toml

@@ -81,3 +81,5 @@ api_key = "{{.STRIPE_API_KEY}}"
 
 [pylon]
 bearer_token = "{{.PYLON_BEARER_TOKEN}}"
+webhook_secret = "{{.PYLON_WEBHOOK_SECRET}}"
+

glu/__main__.py

@@ -6,7 +6,9 @@
 from cachetools import LRUCache
 from gidgethub import aiohttp as gh_aiohttp, routing, sansio
 from gidgethub.apps import get_installation_access_token, get_jwt
-from glu import pylon, zendesk
+from glu import pylon
+
+# from glu import zendesk
 import glu.events as event
 from glu.config_loader import config
 from glu import runtime_constants
@@ -65,7 +67,7 @@ async def main():
     # await zendesk.init()
     app = web.Application()
     app.router.add_post("/", github_payloads)
-    app.router.add_post("/zendesk", zendesk.webhook_handler)
+    # app.router.add_post("/zendesk", zendesk.webhook_handler)
     app.router.add_post("/pylon", pylon.webhook)
     app.router.add_get("/pylon/sidebar", pylon.sidebar)
     port = int(config["server"].get("port", 8000))
@@ -75,10 +77,20 @@ async def main():
     await runner.setup()
     site = web.TCPSite(runner, host, port)
 
-    await asyncio.gather(
-        twitter_run(),
-        site.start(),
-    )
+    await site.start()
+
+    try:
+        print(f"Server started at http://{host}:{port}")
+        await asyncio.Event().wait()  # Keep the server running indefinitely
+    except KeyboardInterrupt:
+        print("Shutting down the server...")
+    finally:
+        await runner.cleanup()
+
+    # await asyncio.gather(
+    #     twitter_run(),
+    #     site.start(),
+    # )
 
 
 if __name__ == "__main__":

glu/pylon.py

@@ -115,8 +115,16 @@ async def fetch_data_from_mysql(requester_email: str):
     return rows
 
 
+async def verify_secret(request: web.Request) -> bool:
+    secret_header = request.headers.get("secret", "")
+    return config["pylon"]["webhook_secret"] == secret_header
+
+
 async def sidebar(request: web.Request):
     try:
+        if not await verify_secret(request):
+            return web.json_response(status=400)
+
         if request.query.get("request_type") == "verify":
             print(f"Verification request received: {request.query['code']}")
             return web.json_response({"code": request.query["code"]}, status=200)
@@ -350,6 +358,9 @@ def update_ticket(
 
 async def webhook(request: web.Request):
     try:
+        if not await verify_secret(request):
+            return web.json_response(status=400)
+
         data = await request.json()
         issue_id = data["issue_id"]
         requester_email = data["requester_email"]