Add validate-callback.py

validate-callback.py

+# SPDX-FileCopyrightText: 2021 Marco Holz
+#
+# SPDX-License-Identifier: EUPL-1.2
+
+import base64
+import hmac
+import secrets
+import sys
+import time
+from hashlib import sha512
+
+CALLBACK_SECRET = secrets.token_urlsafe(32)
+CALLBACK_SECRET = 'insecure_unsafe_qHScgrg_kP-R31jHUwp3GkVkGJolvBchz65b74Lzue0'
+
+request = {
+    'body': '{"type":"https://schema.fitko.de/fit-connect/callbacks/new-submissions","submissionIds":["f39ab143-d91a-474a-b69f-b00f1a1873c2"]}',
+    'headers': {
+        'callback-authentication': 'f4eig0ht6hdlsfz6DVqGjXi1j3RAombIQ7vjG1M2TFZx1fGurzg1nOEh00lPfLEulhio1RyTOav1e1aMi69SRg==',
+        'callback-timestamp': 1672527599,
+    }
+}
+
+# 1. Check timestamp
+current_time_epoch = int(time.time())
+seconds_five_minutes = 60 * 5
+if current_time_epoch - request['headers']['callback-timestamp'] > seconds_five_minutes:
+    print('Error: timestamp too old')
+    sys.exit(1)
+else:
+    print('timestamp ok')
+
+# 2. generate hmac
+payload = str(request['headers']['callback-timestamp']) + '.' + request['body']
+
+expected_hmac = hmac.digest(CALLBACK_SECRET.encode("utf-8"), payload.encode("utf-8"), digest=sha512)
+expected_hmac_base64 = base64.b64encode(expected_hmac).decode()
+
+print('hmac', expected_hmac_base64)
+
+# 3. Compare generated hmac and `callback-authentication` header
+if not hmac.compare_digest(request['headers']['callback-authentication'], expected_hmac_base64):
+    print('Error: invalid hmac')
+    sys.exit(2)
+else:
+    print('hmac ok')