From 2d8807685c8fbb7631f21fa0dfb13266828d7115 Mon Sep 17 00:00:00 2001
From: Branden J Brown <zephyrtronium@gmail.com>
Date: Tue, 8 Apr 2025 13:00:09 -0400
Subject: [PATCH] twitch: implement webhook receive

---
 twitch/webhook.go      | 55 ++++++++++++++++++++++++++++++++++++++++++
 twitch/webhook_test.go | 50 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 105 insertions(+)
 create mode 100644 twitch/webhook.go
 create mode 100644 twitch/webhook_test.go

diff --git a/twitch/webhook.go b/twitch/webhook.go
new file mode 100644
index 0000000..49f4191
--- /dev/null
+++ b/twitch/webhook.go
@@ -0,0 +1,55 @@
+package twitch
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"sync"
+)
+
+// ErrVerificationFailed is the error returned when a webhook request does not
+// verify correctly.
+var ErrVerificationFailed = errors.New("Twitch webhook verification failed") //lint:ignore ST1005 Twitch is a proper noun
+
+// Receive verifies a Twitch webhook request against the given secret
+// and appends the request body to b.
+// The maximum allowed request length is 1 MB.
+func Receive(b, secret []byte, req *http.Request) ([]byte, error) {
+	r := io.LimitReader(req.Body, 1<<20)
+	w := bytes.NewBuffer(b)
+	if _, err := io.Copy(w, r); err != nil {
+		return nil, err
+	}
+	b = w.Bytes()
+
+	h := hmac.New(sha256.New, secret)
+	io.WriteString(h, req.Header.Get("Twitch-Eventsub-Message-Id"))
+	io.WriteString(h, req.Header.Get("Twitch-Eventsub-Message-Timestamp"))
+	h.Write(b)
+	want := make([]byte, 0, len("sha256=")+sha256.Size*2)
+	want = append(want, "sha256="...)
+	sum := h.Sum(make([]byte, 0, sha256.Size))
+	want = hex.AppendEncode(want, sum)
+
+	got := req.Header.Get("Twitch-Eventsub-Message-Signature")
+	if !hmac.Equal(want, []byte(got)) {
+		fmt.Printf("req message id: %q\n", req.Header.Get("Twitch-Eventsub-Message-Id"))
+		fmt.Printf("req timestamp: %q\n", req.Header.Get("Twitch-Eventsub-Message-Timestamp"))
+		fmt.Printf("req body: %q\n", b)
+		return nil, fmt.Errorf("%w: computed %q, header has %q", ErrVerificationFailed, want, got)
+	}
+	return b, nil
+}
+
+// Secret returns a process-wide secret for webhook subscriptions.
+var Secret = sync.OnceValue(func() []byte {
+	b := make([]byte, 32)
+	rand.Read(b)
+	return hex.AppendEncode(make([]byte, 0, 64), b)
+})
diff --git a/twitch/webhook_test.go b/twitch/webhook_test.go
new file mode 100644
index 0000000..8580372
--- /dev/null
+++ b/twitch/webhook_test.go
@@ -0,0 +1,50 @@
+package twitch_test
+
+import (
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"git.sunturtle.xyz/zephyr/kaiyan/twitch"
+)
+
+func TestReceive(t *testing.T) {
+	// Request generated by Twitch CLI using "gotohhitori" as the secret.
+	// This should pass.
+	body := `{"subscription":{"id":"0dd34bc7-6631-b1d8-4306-18a49c3b3ba8","status":"enabled","type":"user.authorization.grant","version":"1","condition":{"client_id":"689a99bb72fc9d068f7089ab1c8104"},"transport":{"method":"webhook","callback":"null"},"created_at":"2025-04-08T16:54:43.7141633Z","cost":1},"event":{"user_id":"16396008","user_login":"testFromUser","user_name":"testFromUser","client_id":"689a99bb72fc9d068f7089ab1c8104"}}`
+	req := httptest.NewRequest("POST", "http://bocchi.rocks/", strings.NewReader(body))
+	header := map[string]string{
+		"Accept-Encoding":                      "gzip",
+		"Content-Type":                         "application/json",
+		"Twitch-Eventsub-Message-Id":           "7d5c6ab3-74a3-3583-b0c1-d33ca5490910",
+		"Twitch-Eventsub-Message-Retry":        "0",
+		"Twitch-Eventsub-Message-Signature":    "sha256=2f409c88eb8e8515f22b2bfb50dc97f6ff3fde7986d3a6013030e55840e5c8b8",
+		"Twitch-Eventsub-Message-Timestamp":    "2025-04-08T16:54:43.7141633Z",
+		"Twitch-Eventsub-Message-Type":         "notification",
+		"Twitch-Eventsub-Subscription-Type":    "user.authorization.grant",
+		"Twitch-Eventsub-Subscription-Version": "1",
+		"User-Agent":                           "twitch-cli/source",
+	}
+	for k, v := range header {
+		req.Header.Set(k, v)
+	}
+	got, err := twitch.Receive(nil, []byte("gotohhitori"), req)
+	if err != nil {
+		t.Error(err)
+	}
+	if string(got) != body {
+		t.Errorf("wrong body:\nwant %q\ngot  %q", body, got)
+	}
+}
+
+func TestSecret(t *testing.T) {
+	got := twitch.Secret()
+	if len(got) < 10 || len(got) > 100 {
+		t.Errorf("secret has invalid length %d", len(got))
+	}
+	for _, c := range got {
+		if c < 0x20 || c > 0x7f {
+			t.Errorf("secret contains invalid character %q", rune(c))
+		}
+	}
+}