From fd93cc4fb1e7a2042b83862eaccd985f270a33bc Mon Sep 17 00:00:00 2001
From: Alvie Rahman
Date: Thu, 29 Jul 2021 08:29:37 +0100
Subject: [PATCH] fix signature comparison logic
---
 main.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/main.go b/main.go
index cea825b..51aa47e 100644
--- a/main.go
+++ b/main.go
@@ -17,7 +17,7 @@ import (
 )
 var config_filename = "/etc/gohookr.json"
-var noSignatureCheck = false
+var checkSignature = true
 func main() {
 r := mux.NewRouter()
@@ -33,7 +33,7 @@ func main() {
 }
 if p, ok := os.LookupEnv("NO_SIGNATURE_CHECK"); ok {
- noSignatureCheck = p == "true"
+ checkSignature = p != "true"
 }
 log.Fatal(http.ListenAndServe(port, r))
@@ -66,7 +66,9 @@ func webhookHandler(w http.ResponseWriter, r *http.Request) {
 // Verify that signature provided matches signature calculated using secretsss
 signature := r.Header.Get(service.SignatureHeader)
 calculatedSignature := getSha256HMACSignature([]byte(service.Secret), payload)
- if noSignatureCheck || signature == calculatedSignature {
+ fmt.Printf("signature = %v\n", signature)
+ fmt.Printf("calcuatedSignature = %v\n", signature)
+ if signature != calculatedSignature && checkSignature{
 writeResponse(w, 400, "Bad Request: Signatures do not match")
 return
 }
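Review bot: With `NO_SIGNATURE_CHECK=true` the signature check in `webhookHandler` is skipped, so requests are accepted unauthenticated, and nothing in this hunk records that the process started in that state. A startup line inside the `if`, such as `if !checkSignature { log.Println("warning: webhook signature verification is disabled (NO_SIGNATURE_CHECK=true)") }`, would make the bypass visible in logs and to anyone auditing a deployment. The body of `main` continues outside the hunk.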
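Review bot: The two added `fmt.Printf` lines in the `webhookHandler` hunk look like leftover debugging and should be dropped before merge. The second one prints `signature` under the label `calcuatedSignature`, and correcting it to print `calculatedSignature` would write the expected HMAC for the payload to stdout, readable by anyone with access to the service logs. The comparison also uses `!=` on strings, which is not constant-time; `if checkSignature && !hmac.Equal([]byte(signature), []byte(calculatedSignature)) {` avoids leaking how much of the value matched through timing. That assumes `crypto/hmac` is already imported for `getSha256HMACSignature`, which is not visible here. The body of `webhookHandler` starts and ends outside this hunk.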