Setup AutoJoiner route & check GitHub secret

Author: m1guelpf

.env.example

@@ -37,6 +37,8 @@ GITHUB_ID=
 GITHUB_SECRET=
 GITHUB_CALLBACK=
 
+GITHUB_AUTOJOINER_SECRET=
+
 RECAPTCHA_PUBLIC_KEY=
 RECAPTCHA_PRIVATE_KEY=
 

app/Http/Controllers/AutoJoinerController.php

@@ -6,5 +6,19 @@
 
 class AutoJoinerController extends Controller
 {
-    //
+    public function index(Request $request)
+    {
+		abort_unless($this->requestSignatureIsValid(), 403);
+		
+		//
+	}
+	
+	protected function requestSignatureIsValid() : bool
+    {
+        $gitHubSignature = request()->header('X-Hub-Signature');
+        list($usedAlgorithm, $gitHubHash) = explode('=', $gitHubSignature, 2);
+        $payload = file_get_contents('php://input');
+        $calculatedHash = hash_hmac($usedAlgorithm, $payload, config('auth.github_secret'));
+        return $calculatedHash === $gitHubHash;
+    }
 }

app/Http/Middleware/VerifyCsrfToken.php

@@ -12,6 +12,6 @@ class VerifyCsrfToken extends BaseVerifier
      * @var array
      */
     protected $except = [
-        //
+        'autojoiner',
     ];
 }

config/auth.php

@@ -99,4 +99,17 @@
         ],
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | GitHub Secret
+    |--------------------------------------------------------------------------
+    |
+    | You may specify a secret so we can check the data comes from GitHub 
+    | and prevent attacks.
+    |
+    */
+
+    'github_secret' => env('GITHUB_AUTOJOINER_SECRET'),
+
+
 ];

routes/web.php

@@ -36,3 +36,6 @@
 Route::get('login', 'LoginController@authorizeUser');
 Route::get('callback', 'LoginController@loginUser');
 Route::post('logout', 'LoginController@logoutUser');
+
+// Autojoiner
+Route::post('autojoiner', 'AutoJoinerController@index');