johandahlberg · June 23, 2016 17:19
diff --git a/CompleteTutorial.scala b/CompleteTutorial.scala
 package controllers

 import java.nio.charset.StandardCharsets
 import javax.crypto.Mac
 import javax.crypto.spec.SecretKeySpec

 import models.RegisterFacebook
 import org.apache.commons.codec.binary.Hex
 import play.api.Logger
 import play.api.libs.concurrent.Execution.Implicits.defaultContext
 import play.api.libs.json._
 import play.api.mvc._

 import scala.concurrent.Future

 case class FacebookPostingMessages(`object`: String, entry: Seq[MessagePostEntry]) {
  def messages(): Seq[Message] = {
    entry.flatMap(_.messaging).map(_.message)
  }
 }
 case class Correspondent(id: String)
 case class MessagePostEntry(id: String, time: Long, messaging: Seq[Messaging])
 case class Messaging(sender: Correspondent, recipient: Correspondent, timestamp: Long, message: Message)
 case class Message(mid: String, seq: Long, text: String)

 object MessageFormats {
  implicit val messageFormat = Json.format[Message]
  implicit val messageReads = Json.reads[Message]

  implicit val correspondentFormat = Json.format[Correspondent]
  implicit val correspondentReads = Json.reads[Correspondent]

  implicit val messagingFormat = Json.format[Messaging]
  implicit val messagingReads = Json.reads[Messaging]

  implicit val entryFormat = Json.format[MessagePostEntry]
  implicit val entryReads = Json.reads[MessagePostEntry]

  implicit val facebookPostingMessagesFormats = Json.format[FacebookPostingMessages]
  implicit val facebookPostingMessagesReads = Json.reads[FacebookPostingMessages]
 }

 class SHA1VerificationService {

  private val secret = "<your key>"

  private def computeSHA1Hash(payloadBytes: Array[Byte], secret: String): String = {
    val HMAC_SHA1_ALGORITHM = "HmacSHA1"

    val secretKeySpec = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), HMAC_SHA1_ALGORITHM)
    val mac = Mac.getInstance(HMAC_SHA1_ALGORITHM)
    mac.init(secretKeySpec)
    val result: Array[Byte] = mac.doFinal(payloadBytes)
    val computedHash = Hex.encodeHexString(result)
    computedHash

  }

  def verifyPayload(payloadBytes: Array[Byte], expected: String): Boolean = {
    val computedHash = computeSHA1Hash(payloadBytes, secret)
    Logger.debug(s"Computed hash: $computedHash")
    val matched = computedHash == expected
    if (!matched)
      Logger.warn(s"Payload could not be verified. Computed: $computedHash and expected: $expected")
    matched
  }

 }

 class WebhookController() extends Controller {

  val verificationService = new SHA1VerificationService()

  def withVerifiedPayload[A](action: Action[RawBuffer])= Action.async(parse.raw) { request =>
    val xHubSignatureOption = request.headers.get("X-Hub-Signature")

    Logger.debug("Attempting to verify payload signature.")

    val verified =
      for {
        signature <- xHubSignatureOption
        rawBody <- request.body.asBytes()
      } yield {
        val bodyBytes = rawBody.utf8String.getBytes
        val incomingHash = signature.split("=").last
        verificationService.verifyPayload(bodyBytes, incomingHash)
      }

    if(verified.getOrElse(false)) {
      Logger.debug("Succeeded in verifying payload!")
      action(request)
    }
    else {
      Logger.warn("Could not verify the payload signature!")
      Future { BadRequest("Bad signature!") }
    }
  }

  def rawbuffer2JsValue(rawBuffer: RawBuffer): Option[JsValue] = {
    for {
      bytes <- rawBuffer.asBytes()
    } yield {
      Json.parse(bytes.utf8String)
    }
  }

  def receiveFacebookMessages = withVerifiedPayload {
    Action (parse.raw) {
      request => {
        val response =
          for {
            json <- rawbuffer2JsValue(request.body)
          } yield {
            import MessageFormats.facebookPostingMessagesReads
            val messages = json.validate[FacebookPostingMessages]
            messages.fold(
              errors => {
                Logger.warn("Failed to validate message post...")
                BadRequest(Json.obj("status" ->"KO", "message" -> JsError.toJson(errors)))
              },
              messages => {
                Logger.info(s"Successfully parsed ${messages.messages().length} messages.")
                Ok
              }
            )
          }
        response.getOrElse({
          Logger.warn("Invalid request posted.")
          BadRequest("Invalid message posting...")
        })
      }
    }
  }
 }
	package controllers

	import java.nio.charset.StandardCharsets
	import javax.crypto.Mac
	import javax.crypto.spec.SecretKeySpec

	import models.RegisterFacebook
	import org.apache.commons.codec.binary.Hex
	import play.api.Logger
	import play.api.libs.concurrent.Execution.Implicits.defaultContext
	import play.api.libs.json._
	import play.api.mvc._

	import scala.concurrent.Future

	case class FacebookPostingMessages(`object`: String, entry: Seq[MessagePostEntry]) {
	def messages(): Seq[Message] = {
	entry.flatMap(_.messaging).map(_.message)
	}
	}
	case class Correspondent(id: String)
	case class MessagePostEntry(id: String, time: Long, messaging: Seq[Messaging])
	case class Messaging(sender: Correspondent, recipient: Correspondent, timestamp: Long, message: Message)
	case class Message(mid: String, seq: Long, text: String)

	object MessageFormats {
	implicit val messageFormat = Json.format[Message]
	implicit val messageReads = Json.reads[Message]

	implicit val correspondentFormat = Json.format[Correspondent]
	implicit val correspondentReads = Json.reads[Correspondent]

	implicit val messagingFormat = Json.format[Messaging]
	implicit val messagingReads = Json.reads[Messaging]

	implicit val entryFormat = Json.format[MessagePostEntry]
	implicit val entryReads = Json.reads[MessagePostEntry]

	implicit val facebookPostingMessagesFormats = Json.format[FacebookPostingMessages]
	implicit val facebookPostingMessagesReads = Json.reads[FacebookPostingMessages]
	}

	class SHA1VerificationService {

	private val secret = "<your key>"

	private def computeSHA1Hash(payloadBytes: Array[Byte], secret: String): String = {
	val HMAC_SHA1_ALGORITHM = "HmacSHA1"

	val secretKeySpec = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), HMAC_SHA1_ALGORITHM)
	val mac = Mac.getInstance(HMAC_SHA1_ALGORITHM)
	mac.init(secretKeySpec)
	val result: Array[Byte] = mac.doFinal(payloadBytes)
	val computedHash = Hex.encodeHexString(result)
	computedHash

	}

	def verifyPayload(payloadBytes: Array[Byte], expected: String): Boolean = {
	val computedHash = computeSHA1Hash(payloadBytes, secret)
	Logger.debug(s"Computed hash: $computedHash")
	val matched = computedHash == expected
	if (!matched)
	Logger.warn(s"Payload could not be verified. Computed: $computedHash and expected: $expected")
	matched
	}

	}

	class WebhookController() extends Controller {

	val verificationService = new SHA1VerificationService()

	def withVerifiedPayload[A](action: Action[RawBuffer])= Action.async(parse.raw) { request =>
	val xHubSignatureOption = request.headers.get("X-Hub-Signature")

	Logger.debug("Attempting to verify payload signature.")

	val verified =
	for {
	signature <- xHubSignatureOption
	rawBody <- request.body.asBytes()
	} yield {
	val bodyBytes = rawBody.utf8String.getBytes
	val incomingHash = signature.split("=").last
	verificationService.verifyPayload(bodyBytes, incomingHash)
	}

	if(verified.getOrElse(false)) {
	Logger.debug("Succeeded in verifying payload!")
	action(request)
	}
	else {
	Logger.warn("Could not verify the payload signature!")
	Future { BadRequest("Bad signature!") }
	}
	}

	def rawbuffer2JsValue(rawBuffer: RawBuffer): Option[JsValue] = {
	for {
	bytes <- rawBuffer.asBytes()
	} yield {
	Json.parse(bytes.utf8String)
	}
	}

	def receiveFacebookMessages = withVerifiedPayload {
	Action (parse.raw) {
	request => {
	val response =
	for {
	json <- rawbuffer2JsValue(request.body)
	} yield {
	import MessageFormats.facebookPostingMessagesReads
	val messages = json.validate[FacebookPostingMessages]
	messages.fold(
	errors => {
	Logger.warn("Failed to validate message post...")
	BadRequest(Json.obj("status" ->"KO", "message" -> JsError.toJson(errors)))
	},
	messages => {
	Logger.info(s"Successfully parsed ${messages.messages().length} messages.")
	Ok
	}
	)
	}
	response.getOrElse({
	Logger.warn("Invalid request posted.")
	BadRequest("Invalid message posting...")
	})
	}
	}
	}
	}