From 07046c1fdde5e5a568b3d51f9ed00112d48baffd Mon Sep 17 00:00:00 2001
From: Marcel Pociot
Date: Thu, 22 Nov 2018 18:13:43 +0100
Subject: [PATCH] wip
---
 .../Http/Controllers/EventController.php | 32 ++++++++++++-------
 1 file changed, 21 insertions(+), 11 deletions(-)
diff --git a/src/LaravelEcho/Http/Controllers/EventController.php b/src/LaravelEcho/Http/Controllers/EventController.php
index 4b1c5e7..dc187c8 100644
--- a/src/LaravelEcho/Http/Controllers/EventController.php
+++ b/src/LaravelEcho/Http/Controllers/EventController.php
@@ -3,6 +3,7 @@
 namespace BeyondCode\LaravelWebSockets\LaravelEcho\Http\Controllers;
 use BeyondCode\LaravelWebSockets\LaravelEcho\Pusher\Channels\ChannelManager;
+use BeyondCode\LaravelWebSockets\LaravelEcho\Pusher\Exceptions\InvalidSignatureException;
 use Illuminate\Http\Request;
 class EventController extends EchoController
@@ -17,17 +18,8 @@ class EventController extends EchoController
 public function __invoke(Request $request)
 {
- //TODO: verify the incoming request
- /*
- * array:6 [
- "appId" => "test"
- "auth_key" => ""
- "auth_signature" => "51e7ab9c1411aacf9a4c28001ffc3e7f5fe71db130ce08ac071ab49d737bcf52"
- "auth_timestamp" => "1542833998"
- "auth_version" => "1.0"
- "body_md5" => "816e28da10f4aedf0821865eddf55e7f"
-]
- */
+ $this->verifySignature($request);
+
 foreach ($request->json()->get('channels', []) as $channelId) {
 $channel = $this->channelManager->find($request->appId, $channelId);
@@ -40,4 +32,22 @@ class EventController extends EchoController
 return $request->json()->all();
 }
+
+ protected function verifySignature(Request $request)
+ {
+ $bodyMd5 = md5($request->getContent());
+
+ $signature =
+ "POST\n/apps/{$request->get('appId')}/events\n".
+ "auth_key={$request->get('auth_key')}".
+ "&auth_timestamp={$request->get('auth_timestamp')}".
+ "&auth_version={$request->get('auth_version')}".
+ "&body_md5={$bodyMd5}";
+
+ $authSignature = hash_hmac('sha256', $signature, config('broadcasting.connections.pusher.secret'));
+
+ if ($authSignature !== $request->get('auth_signature')) {
+ throw new InvalidSignatureException();
+ }
+ }
 }
\ No newline at end of file
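Review bot: The check `$authSignature !== $request->get('auth_signature')` in verifySignature compares the HMAC with a non-constant-time operator, so response timing can reveal how much of a submitted signature matches. Use `hash_equals()` after confirming the supplied value is a string: `$given = $request->get('auth_signature');` then `if (! is_string($given) || ! hash_equals($authSignature, $given)) {`. `auth_timestamp` is included in the signed string but never compared with the current time, so a captured signed request stays replayable for as long as the secret is unchanged; rejecting timestamps outside a short window would bound that. `auth_key` is likewise only signed and not checked against the configured key; if that check lives elsewhere it is not visible in this diff.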