From b180e5aa858c88c5879b55eda21f6cf7e756cd06 Mon Sep 17 00:00:00 2001
From: Vivek Teega
Date: Tue, 4 Jun 2019 15:34:23 +0530
Subject: [PATCH] Adding digital signature check for SSE API
---
 .gitignore | 2 ++
 config-example.py | 2 ++
 ranchimallflo_api.py | 16 +++++++++++-----
 3 files changed, 15 insertions(+), 5 deletions(-)
 create mode 100644 config-example.py
diff --git a/.gitignore b/.gitignore
index 8299ed0..bd51a5a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 __pycache__/
 wsgi.py
 *.swp
+config.py
+.idea/
diff --git a/config-example.py b/config-example.py
new file mode 100644
index 0000000..672f317
--- /dev/null
+++ b/config-example.py
@@ -0,0 +1,2 @@
+dbfolder = ''
+sse_pubKey = ''
diff --git a/ranchimallflo_api.py b/ranchimallflo_api.py
index 02e802b..5ea8547 100644
--- a/ranchimallflo_api.py
+++ b/ranchimallflo_api.py
@@ -9,8 +9,10 @@ from quart_cors import cors
 import asyncio
 from typing import Optional
+from pybtc import verify_signature
+from config import *
+
-dbfolder = ''
 app = Quart(__name__)
 app = cors(app)
 app.clients = set()
@@ -436,10 +438,14 @@ async def index():
 @app.route('/', methods=['POST'])
 async def broadcast():
+ signature = request.headers.get('Signature')
 data = await request.get_json()
- for queue in app.clients:
- await queue.put(data['message'])
- return jsonify(True)
+ if verify_signature(signature, sse_pubKey, data['message'].encode()):
+ for queue in app.clients:
+ await queue.put(data['message'])
+ return jsonify(True)
+ else:
+ return jsonify(False)
 @app.route('/sse')
@@ -467,7 +473,7 @@ async def sse():
 return response
 if __name__ == "__main__":
- app.run(debug=False, port=5010)
+ app.run(debug=True, port=5010)
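Review bot: `from config import *` in the import hunk of ranchimallflo_api.py pulls in whatever `config.py` defines without naming it, and nothing checks that `sse_pubKey` is set even though `config-example.py` ships it as `''`. I would import the two names explicitly, `from config import dbfolder, sse_pubKey`, and stop at startup when the key is missing, `if not sse_pubKey: raise RuntimeError('sse_pubKey is not set in config.py')`. That keeps a deployment copied straight from the example from serving the POST endpoint with an empty verification key.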
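Review bot: In `broadcast()` a request with no `Signature` header, or with a body that is not JSON carrying a string `message`, reaches `verify_signature(...)` and `data['message']` unchecked, so it would most likely end as an unhandled exception (HTTP 500) instead of a clean rejection; a failed check also answers `jsonify(False)` with status 200. I would validate both inputs first, treat any exception raised by the verifier as a failed check, and answer 400/403 so clients and logs can tell a rejection from a success. The signature covers only the message text, so a message that was signed once stays valid indefinitely; signing a timestamp or nonce together with it would address that if replays matter for this feed. The route decorator and the whole function are inside the hunk.

```python
async def broadcast():
    signature = request.headers.get('Signature')
    data = await request.get_json(silent=True)
    message = data.get('message') if isinstance(data, dict) else None
    if not signature or not isinstance(message, str):
        return jsonify(False), 400
    try:
        valid = verify_signature(signature, sse_pubKey, message.encode())
    except Exception:
        valid = False  # malformed signature or key counts as a failed check
    if not valid:
        return jsonify(False), 403
    # … unchanged: put the message on every queue in app.clients, return jsonify(True) …
```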
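Review bot: The `__main__` block now calls `app.run(debug=True, port=5010)`, a change the commit message does not mention and which looks like a leftover from local testing. Debug mode is intended for development and typically returns more error detail than a public API should; I would keep `app.run(debug=False, port=5010)` or take the flag from `config.py`. It only applies when the file is started directly, and any lines after `app.run` are not visible here.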