Need to defend against timing attacks

[joetrimble]

First thank you for taking the time to write the article and put this repo together.

I noticed while reading through your example that currently no secure comparison is being used when comparing the signature passed by GitHub to the signature you have generated. You will likely want to incorporate something like Plug.Crypto.secure_compare/2 in your is_payload_signature_valid?/2 function to avoid the possibility of timing attacks.

Also, you may want to consider hex encoding your payload signature as that is what GitHub is doing. Maybe something like Base.encode16(case: :lower) and I believe the header from GitHub is X-Hub-Signature-256. The X-Hub-Signature uses sha1 instead of sha256.

[zorn]

Thanks for the feedback, I'll keep it in mind as I do future edits.

Sorry for any confusion around a mismatch of GitHub formats. The client work that inspired this post was originally done against Facebook endpoints and I really hate Facebook and didn't want to give them any play on my site, so I augmented the example around GitHub but there could very well be some slight incompatibilities with how those webhooks work.