feat(poll api): use hmac and base64

2025-05-02 15:34:24 +02:00 · 2023-01-12 22:02:12 +01:00 · 2023-01-12 22:02:12 +01:00 · d7dc351605
commit d7dc351605
parent a84e1195d7
4 changed files with 29 additions and 35 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -76,6 +76,12 @@ version = "0.13.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "904dfeac50f3cdaba28fc6f57fdcddb75f49ed61346676a78c4ffe55877802fd"

+[[package]]
+name = "base64"
+version = "0.21.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a4a4ddaa51a5bc52a6948f74c06d20aaaddb71924eab79b8c97a8c556e942d6a"
+
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@ -98,7 +104,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "99d76085681585d39016f4d3841eb019201fc54d2dd0d92ad1e4fab3bfb32754"
 dependencies = [
 "ahash",
- "base64",
+ "base64 0.13.0",
 "hex",
 "indexmap",
 "lazy_static",
@ -544,6 +550,12 @@ dependencies = [
 "digest",
 ]

+[[package]]
+name = "hmac-sha256"
+version = "1.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fc736091aacb31ddaa4cd5f6988b3c21e99913ac846b41f32538c5fae5d71bfe"
+
 [[package]]
 name = "hostname"
 version = "0.3.1"
@ -709,15 +721,6 @@ dependencies = [
 "wasm-bindgen",
 ]

-[[package]]
-name = "keccak"
-version = "0.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3afef3b6eff9ce9d8ff9b3601125eec7f0c8cbac7abd14f355d053fa56c98768"
-dependencies = [
- "cpufeatures",
-]
-
 [[package]]
 name = "lazy_static"
 version = "1.4.0"
@ -835,7 +838,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b5a1df476ac9541b0e4fdc8e2cc48884e66c92c933cd17a1fd75e68caf75752e"
 dependencies = [
 "async-trait",
- "base64",
+ "base64 0.13.0",
 "bitflags",
 "bson",
 "chrono",
@ -1137,7 +1140,7 @@ version = "0.11.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "431949c384f4e2ae07605ccaa56d1d9d2ecdb5cadd4f9577ccfab29f2e5149fc"
 dependencies = [
- "base64",
+ "base64 0.13.0",
 "bytes",
 "encoding_rs",
 "futures-core",
@ -1186,12 +1189,13 @@ dependencies = [
 name = "revanced-discord-bot"
 version = "2.3.1"
 dependencies = [
+ "base64 0.21.0",
 "bson",
 "chrono",
 "decancer",
 "dirs",
 "dotenv",
- "hex",
+ "hmac-sha256",
 "mongodb",
 "poise",
 "regex",
@ -1200,7 +1204,6 @@ dependencies = [
 "serde_json",
 "serde_regex",
 "serde_with_macros 2.0.1",
- "sha3",
 "tokio",
 "tracing",
 "tracing-subscriber",
@ -1258,7 +1261,7 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1ee86d63972a7c661d1536fefe8c3c8407321c3df668891286de28abcd087360"
 dependencies = [
- "base64",
+ "base64 0.13.0",
 ]

 [[package]]
@ -1267,7 +1270,7 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0864aeff53f8c05aa08d86e5ef839d3dfcf07aeba2db32f12db0ef716e87bd55"
 dependencies = [
- "base64",
+ "base64 0.13.0",
 ]

 [[package]]
@ -1428,7 +1431,7 @@ checksum = "82fd5e7b5858ad96e99d440138f34f5b98e1b959ebcd3a1036203b30e78eb788"
 dependencies = [
 "async-trait",
 "async-tungstenite",
- "base64",
+ "base64 0.13.0",
 "bitflags",
 "bytes",
 "cfg-if",
@ -1474,16 +1477,6 @@ dependencies = [
 "digest",
 ]

-[[package]]
-name = "sha3"
-version = "0.10.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bdf0c33fae925bdc080598b84bc15c55e7b9a4a43b3c704da051f977469691c9"
-dependencies = [
- "digest",
- "keccak",
-]
-
 [[package]]
 name = "sharded-slab"
 version = "0.1.4"
@ -1813,7 +1806,7 @@ version = "0.17.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e27992fd6a8c29ee7eef28fc78349aa244134e10ad447ce3b9f0ac0ed0fa4ce0"
 dependencies = [
- "base64",
+ "base64 0.13.0",
 "byteorder",
 "bytes",
 "http",
--- a/Cargo.toml
+++ b/Cargo.toml
@ -32,5 +32,5 @@ chrono = "0.4"
 dirs = "4.0"
 tracing = { version = "0.1", features = ["max_level_debug", "release_max_level_info"] }
 tracing-subscriber = "0.3"
-sha3 = "0.10"
-hex = "0.4"
+hmac-sha256 = "1.1.6"
+base64 = "0.21.0"
--- a/src/main.rs
+++ b/src/main.rs
@ -32,6 +32,7 @@ pub struct Data {
    configuration: Configuration,
    database: Arc<Database>,
    pending_unmutes: HashMap<u64, JoinHandle<Result<(), Error>>>,
+    poll_secret: String,
    api: Api,
 }

@ -83,6 +84,7 @@ async fn main() {
            .unwrap(),
        ),
        pending_unmutes: HashMap::new(),
+        poll_secret: env::var("POLL_SECRET").expect("POLL_SECRET environment variable not set"),
        api: Api::new(
            reqwest::Url::parse(
                &env::var("API_SERVER").expect("API_SERVER environment variable not set"),
--- a/src/utils/poll.rs
+++ b/src/utils/poll.rs
@ -1,7 +1,7 @@
 use poise::serenity_prelude::{ButtonStyle, ReactionType, Timestamp};

+use base64::Engine;
 use reqwest::StatusCode;
-use sha3::{Digest, Sha3_256};
 use tracing::log::{error, trace};

 use super::bot::get_data_lock;
@ -24,12 +24,11 @@ pub async fn handle_poll(

    let eligible = member.joined_at.unwrap() <= min_join_date;
    let result = if eligible {
-        let mut hasher = Sha3_256::new();
-        hasher.update(&member.user.id.to_string());
        match data
            .api
-            // We cannot use the entire hash because Discord rejects URLs with more than 512 characters.
-            .authenticate(&hex::encode(hasher.finalize())[..2^5])
+            .authenticate(&base64::engine::general_purpose::STANDARD_NO_PAD.encode(
+                hmac_sha256::HMAC::mac(member.user.id.to_string(), &data.poll_secret),
+            ))
            .await
        {
            Ok(auth) => Ok(auth.access_token),