
Commit e1a469a

committed
re-add authorization header check
1 parent 272d1ef commit e1a469a


1 file changed

+31
-18
lines changed

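--- a/functions/zoom-meeting-webhook-handler/index.js
+++ b/functions/zoom-meeting-webhook-handler/index.js
@@ -15,31 +15,44 @@ const ZOOM_SECRET =
 process.env.TEST_ZOOM_WEBHOOK_SECRET_TOKEN ||
 process.env.ZOOM_WEBHOOK_SECRET_TOKEN;
 
+const ZOOM_AUTH =
+process.env.TEST_ZOOM_WEBHOOK_AUTH || process.env.ZOOM_WEBHOOK_AUTH;
+
 const handler = async function (event, context) {
 try {
-const message = `v0:${event.headers['x-zm-request-timestamp']}:${event.body}`;
+/**
+* verification. zoom will either send an authorization header or a x-zm-signature header
+*/
 
-const hashForVerify = crypto
-.createHmac('sha256', ZOOM_SECRET)
-.update(message)
-.digest('hex');
+let authorized = false;
 
-const signature = `v0=${hashForVerify}`;
+if (event.headers['x-zm-signature']) {
+const message = `v0:${event.headers['x-zm-request-timestamp']}:${event.body}`;
 
-console.log('headers');
-console.log(event.headers);
-console.log(
-event.headers.get ? event.headers.get('x-zm-signature') : 'no headers.get'
-);
+const hashForVerify = crypto
+.createHmac('sha256', ZOOM_SECRET)
+.update(message)
+.digest('hex');
+
+const signature = `v0=${hashForVerify}`;
 
-console.log('message');
-console.log(message);
-console.log('signature');
-console.log(signature);
-console.log('x-zm-signature');
-console.log(event.headers['x-zm-signature']);
+console.log('message');
+console.log(message);
+console.log('signature');
+console.log(signature);
+console.log('x-zm-signature');
+console.log(event.headers['x-zm-signature']);
+
+if (event.headers['x-zm-signature'] === signature) {
+authorized = true;
+}
+} else {
+if (event.headers.authorization === ZOOM_AUTH) {
+authorized = true;
+}
+}
 
-if (event.headers['x-zm-signature'] !== signature) {
+if (!authorized) {
 console.log('Unauthorized', event);
 return {
 statusCode: 401,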
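Review bot: The fallback branch `event.headers.authorization === ZOOM_AUTH` fails open when neither `TEST_ZOOM_WEBHOOK_AUTH` nor `ZOOM_WEBHOOK_AUTH` is set, because a request with no `authorization` header then compares `undefined === undefined` and sets `authorized = true`. Guard on the configured value, for example `if (ZOOM_AUTH && event.headers.authorization === ZOOM_AUTH) {`, so a missing secret rejects the request instead of accepting it. Both the signature and token checks use `===`; comparing equal-length buffers with `crypto.timingSafeEqual` would keep the comparison time independent of how much of the value matches. The `console.log(signature)` kept in the signature branch writes the valid HMAC for the received body to the function logs, and `console.log('Unauthorized', event)` logs the full headers, so both are worth removing or redacting. The handler body continues past the end of this hunk, so the 401 return and anything after it were not reviewed.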
