Make webhook secret configurable

Signed-off-by: Knut Ahlers <knut@ahlers.me>

main.go

@@ -28,11 +28,11 @@ var (
 		TwitchToken           string        `flag:"twitch-token" default:"" description:"OAuth token valid for client"`
 		UpdateFromAPIInterval time.Duration `flag:"update-from-api-interval" default:"10m" description:"How often to ask the API for real values"`
 		VersionAndExit        bool          `flag:"version" default:"false" description:"Prints current version and exits"`
+		WebHookSecret         string        `flag:"webhook-secret" default:"" description:"Secret to use for HMAC hashing of webhook payload"`
 		WebHookTimeout        time.Duration `flag:"webhook-timeout" default:"15m" description:"When to re-register the webhooks"`
 	}{}
 
-	store         *storage
-	webhookSecret = uuid.Must(uuid.NewV4()).String()
+	store *storage
 
 	version = "dev"
 )
@@ -53,6 +53,10 @@ func init() {
 	} else {
 		log.SetLevel(l)
 	}
+
+	if cfg.WebHookSecret == "" {
+		cfg.WebHookSecret = uuid.Must(uuid.NewV4()).String()
+	}
 }
 
 func main() {

webhook.go

@@ -54,7 +54,7 @@ func handleWebHookPush(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	mac := hmac.New(sha256.New, []byte(webhookSecret))
+	mac := hmac.New(sha256.New, []byte(cfg.WebHookSecret))
 	mac.Write(body.Bytes())
 	if cSig := fmt.Sprintf("sha256=%x", mac.Sum(nil)); cSig != signature {
 		log.Errorf("Got message signature %s, expected %s", signature, cSig)
@@ -173,7 +173,7 @@ func registerWebHooks() error {
 			"hub.mode":          "subscribe",
 			"hub.topic":         topic,
 			"hub.lease_seconds": int64((cfg.WebHookTimeout + twitchRequestTimeout) / time.Second),
-			"hub.secret":        webhookSecret,
+			"hub.secret":        cfg.WebHookSecret,
 		}); err != nil {
 			return errors.Wrap(err, "assemble subscribe payload")
 		}