Clojurians Log v2

Clojure programming

Channels

# 100-days-of-code # aatree # admin-announcements # adventofcode # ai # alda # aleph # all-the-channels # announcements # arachne # architecture # asami # atlanta-clojurians # atom-editor # autochrome-github # avi # aws # aws-lambda # babashka # babashka-sci-dev # bangalore-clj # beginners # berlin # biff # bigdata # bitcoin # boot # boot-dev # boulder-clojurians # braid-chat # braveandtrue # brevis # bristol-clojurians # business # calva # capetown # carry # cbus # cestmeetup # chestnut # chlorine-clover # cider # circleci # clara # clj-commons # cljdoc # cljfx # clj-http # clj-kondo # clj-on-windows # cljs-dev # cljs-experience # cljsfiddle # cljsjs # cljsrn # cljtogether # clojars # clojure # clojure-android # clojure-argentina # clojure-art # clojure-austin # clojure-australia # clojure-austria # clojure-bangladesh # clojure-bay-area # clojure-beijing # clojure-belgium # clojure-berlin # clojure-boston # clojure-brasil # clojurebridge # clojurebridge-ams # clojure-canada # clojure-chennai # clojure-chicago # clojure-china # clojure-colombia # clojure-conj # clojurecup # clojure-czech # clojured # clojure-denmark # clojure-denver # clojure-derby # clojuredesign-podcast # clojure-dev # clojure-dusseldorf # clojure-ecuador # clojure-egypt # clojure-estonia # clojure-europe # clojure-filipino # clojure-finland # clojure-france # clojure-gamedev # clojure-germany # clojure-greece # clojure-guangzhou # clojure-hamburg # clojure-hk # clojure-houston # clojure-hungary # clojure-india # clojureindia # clojure-indonesia # clojure-ireland # clojure-israel # clojure-italy # clojure-japan # clojure-kc # clojure-korea # clojure-losangeles # clojure-madison # clojure-mexico # clojure-miami # clojure-mk # clojure-mke # clojure-morsels # clojure-my # clojure-new-zealand # clojure-nl # clojure-nlp # clojure-norway # clojure-poland # clojure-portugal # clojure-provo # clojure-quebec # clojureremote # clojure-romania # clojure-russia # clojure-sanfrancisco # clojurescript # clojurescript-ios # clojure-sdn # clojure-seattle # clojure-serbia # clojure-sg # clojure-shanghai # clojure-spain # clojure-spec # clojuresque # clojure-survey # clojure-sweden # clojure-switzerland # clojure-taiwan # clojure-turkiye # clojure-uk # clojure-ukraine # clojureverse-ops # clojurewerkz # clojurewest # clojurex # clojure-za # clojurian-chat-app # clojutre # cloverage # cloxp # clr # code-art # code-reviews # community-development # component # conf-proposals # conjure # consulting # contributions-welcome # copenhagen-clojurians # core-async # core-logic # core-matrix # core-typed # cryogen # crypto # css # cursive # cz-clojure # d2q # datacrypt # datahike # datalevin # datalog # data-oriented-programming # data-science # datascript # datavis # dato # datomic # defnpodcast # deps-new # depstar # devcards # devops # dirac # docker # docs # domino-clj # duct # dunaj # eastwood # editors # emacs # error-message-catalog # etaoin # ethereum # euroclojure # events # exercism # expound # figwheel # figwheel-main # flambo # fulcro # funcool # functionalprogramming # funimage # garden # ghostwheel # girouette # gis # google-cloud # gorilla # graalvm # graalvm-mobile # graclj # graphql # gratitude # gsoc # hammock-driven-dev # helix # heroku # hispano # holy-lambda # honeysql # hoplon # hugsql # humor # hypercrud # hyperfiddle # immutant # improve-getting-started # incanter # indycljs # inf-clojure # instaparse # integrant # interceptors # interop # introduce-yourself # iot # iotivity # ipfs # jackdaw # jaunt # java # javascript # javelin # jobs # jobs-discuss # jobs-rus # joker # jukebox # juxt # jvm # kaocha # keechma # kekkonen # keyboards # klipse # kosmos # lambdaisland # ldnclj # ldnproclodo # lein-figwheel # leiningen # liberator # liquid # livestream # local-first-clojure # london-clojurians # lsp # luminus # lumo # mail # malli # mathematics # meander # melbourne # membrane # mental-health # microservices # mid-cities-meetup # midje # minecraft # minimallist # missionary # monads # mount # music # new-channels # new-clojure # nextjournal # nginx # nrepl # numerical-computing # nyc # observability # off-topic # om # om-next # onyx # other-languages # other-lisps # overtone # pamela # parinfer # pathom # pedestal # perun # philosophy # phzr # planck # plastic # play-clj # podcasts # polylith # portal # portkey # portland-or # powderkeg # practicalli # precept # prelude # programming-beginners # project-updates # proletarian # proton # protorepl # pulsar # pure-frame # qa # qlkit # quil # random # rdf # react # reactive # reading-clojure # reagent # reclojure # re-frame # reitit # releases # remote-jobs # respo # rethinkdb # reveal # rewrite-clj # ring # ring-swagger # robots # rum # schema # sci # sfcljs # shadow-cljs # _silence # sim-testing # sioux-falls # slack-help # sneer # sneer-br # spacemacs # specmonstah # specter # speculative # spirituality-ethics # sql # startup-in-a-month # sydney # test200 # test-check # testing # thejaloniki # timbre # tmp-json-parsing # tools-build # tools-deps # trading # tree-sitter # uncomplicate # unrepl # untangled # utah-clojurians # videos # vim # vrac # vscode # wasm # web-security # windows # xtdb # yada # yleinen

Apps

ring

Crispin 2020-09-11T04:21:48.006Z

Hi there everyone. I'm trying to write a ring middleware that will check a stripe webhook callback's signature. The signature is in the header. Can get that fine. But I need to verify it by comparing it with the raw body, as that is what is signed. The raw body is json. Then if it passes, future middleware will decode the json.

Crispin 2020-09-11T04:22:31.006800Z

The issue is that body is presented as a stream. And if I slurp the stream, then future json middleware gets an empty body content, and the stream has been consumed

Crispin 2020-09-11T04:23:04.007300Z

how do I verify a header signature against the raw body contents, without consuming the stream?

Crispin 2020-09-11T04:23:11.007600Z

any ideas on the best approach?

Crispin 2020-09-11T04:27:36.008100Z

is the best way to create a new stream and push the contents back onto it? or is there an easier way?

Crispin 2020-09-11T04:55:39.008500Z

Ok. I made this test and it seems to work:

Crispin 2020-09-11T04:56:46.008800Z

(defn wrap-test [handler]
  (fn
    ([request]
     (log/info "wrap-test/1")
     (let [content (slurp (:body request))]
       (log/info "body is" content)
       (handler (assoc request :body (io/input-stream (.getBytes content))))))
    ([request respond raise]
     (log/info "wrap-test/3")
     (let [content (slurp (:body request))]
       (log/info "body is" content)
       (handler (assoc request :body (io/input-stream (.getBytes content))) respond raise)))))

Crispin 2020-09-11T04:57:31.009600Z

slurps the body... but then creates a new body for subsequent processing by creating a input-stream from the contents

Crispin 2020-09-11T04:57:46.010Z

I will proceed with this, but if there is a better way please let me know

Crispin 2020-09-11T05:20:44.010700Z

I guess I would have to be careful of a DoS attack with this of someone sending a multi terrabyte body...?

jumar 2020-09-11T14:27:54.011400Z

Why don't you validate only after it's read as JSON? And do you really need a middleware? Do you have more than one stripe webhook route?

Crispin 2020-09-12T12:13:31.018400Z

> Why don't you validate only after it's read as JSON?

Crispin 2020-09-12T12:13:42.018600Z

because I have no access to the raw body at that stage

Crispin 2020-09-12T12:14:31.018800Z

and the signature is of the raw body, not of the decoded json. Even if I re-encoded the json, its not garunteed to be byte for byte identical

Crispin 2020-09-12T12:14:54.019Z

> Do you have more than one stripe webhook route?

Crispin 2020-09-12T12:14:56.019200Z

yes

Crispin 2020-09-12T12:15:04.019400Z

actually no.

Crispin 2020-09-12T12:15:21.019600Z

sorry. only one route. but multiple messages

Crispin 2020-09-12T12:15:53.019800Z

I guess I could just process it raw then without any middleware at all... :thinking_face: