stadar 0.1.6

Rust SDK for the stadar.net esports data API.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

//! Webhook signature verification helper.
//!
//! Survives openapi-generator regeneration (listed in
//! `clients/rust/.openapi-generator-ignore`).
//!
//! Customers receive Stadar outbound webhooks with an HMAC-SHA256
//! signature in the `X-Stadar-Signature` header (mirrors Polar's
//! pattern from ADR-0019). Returns `Ok(())` on match, an error
//! otherwise. Constant-time comparison via `subtle::ConstantTimeEq`
//! prevents timing-oracle attacks.
//!
//! # Example
//!
//! ```no_run
//! use stadar::webhooks::verify;
//!
//! let body = b"{...}";
//! let sig = "v1=9f8e...";
//! let secret = std::env::var("STADAR_WEBHOOK_SECRET").unwrap();
//! verify(body, sig, &secret).expect("invalid webhook signature");
//! ```

use hmac::{Hmac, Mac};
use sha2::Sha256;
use subtle::ConstantTimeEq;
use thiserror::Error;

type HmacSha256 = Hmac<Sha256>;

/// Error returned by [`verify`] when the signature does not match.
///
/// We deliberately collapse every failure mode (bad secret, tampered
/// body, malformed header) into a single error variant so callers
/// can't branch on the underlying reason via type matching — the
/// contract is uniform "did this verify or not."
#[derive(Debug, Error, PartialEq, Eq)]
pub enum WebhookError {
    /// The signature did not verify for any reason.
    #[error("stadar: invalid webhook signature")]
    Invalid,
}

/// Verify an inbound Stadar webhook signature.
///
/// `body` is the raw HTTP request body. `signature` is the value of
/// the `X-Stadar-Signature` header (bare hex or `v1=<hex>` variants
/// accepted, comma-separated for rotation). `secret` is the
/// customer's shared webhook secret.
pub fn verify(body: &[u8], signature: &str, secret: &str) -> Result<(), WebhookError> {
    if secret.is_empty() || signature.trim().is_empty() {
        return Err(WebhookError::Invalid);
    }
    let mut mac = HmacSha256::new_from_slice(secret.as_bytes()).map_err(|_| WebhookError::Invalid)?;
    mac.update(body);
    let expected = mac.finalize().into_bytes();

    for candidate in parse_signature_header(signature) {
        if candidate.len() == expected.len()
            && bool::from(candidate.ct_eq(&expected))
        {
            return Ok(());
        }
    }
    Err(WebhookError::Invalid)
}

fn parse_signature_header(header: &str) -> Vec<Vec<u8>> {
    header
        .trim()
        .split(',')
        .filter_map(|raw| {
            let part = raw.trim();
            let hex = match part.find('=') {
                Some(eq) => {
                    if &part[..eq] != "v1" {
                        return None;
                    }
                    &part[eq + 1..]
                }
                None => part,
            };
            decode_hex(hex)
        })
        .collect()
}

fn decode_hex(hex: &str) -> Option<Vec<u8>> {
    if hex.len() % 2 != 0 {
        return None;
    }
    let mut out = Vec::with_capacity(hex.len() / 2);
    let bytes = hex.as_bytes();
    let mut i = 0;
    while i < bytes.len() {
        let h = nibble(bytes[i])?;
        let l = nibble(bytes[i + 1])?;
        out.push((h << 4) | l);
        i += 2;
    }
    Some(out)
}

fn nibble(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}