support sending signed websub notifications

controllers/push.php

@@ -7,7 +7,7 @@ function push_error(&$app, $msg) {
 }
 
 function push_param($params, $name) {
-  // Look 'mode' first, fall back to 'hub_mode'
+  // Look for 'mode' first, fall back to 'hub_mode'
   if(k($params, $name))
     return k($params, $name);
   return k($params, 'hub_'.$name);
@@ -93,6 +93,9 @@ $app->post('/', function() use($app) {
         $subscription->date_requested = db\now();
         $subscription->challenge = db\random_hash();
         $subscription->namespaced = $namespaced;
+        if($secret=push_param($params, 'secret')) {
+          $subscription->secret = $secret;
+        }
         db\set_updated($subscription);
         $subscription->save();
 

lib/PushTask.php

@@ -160,10 +160,17 @@ class PushTask {
 
     echo "Notifying subscriber!\n";
 
-    $subscription->date_last_ping_sent = db\now();
-    $response = request\post($subscription->callback_url, $feed->content, false, [
+    $headers = [
       'Content-Type: ' . ($feed->content_type ?: 'text/plain')
-    ]);
+    ];
+
+    if($subscription->secret) {
+      $signature = hash_hmac('sha256', $feed->content, $subscription->secret);
+      $headers[] = 'X-Hub-Signature: sha256=' . $signature;
+    }
+
+    $subscription->date_last_ping_sent = db\now();
+    $response = request\post($subscription->callback_url, $feed->content, false, $headers);
     $subscription->last_ping_status = $response['status'];
     $subscription->last_ping_headers = $response['headers'];
     $subscription->last_ping_body = $response['body'];

schema/0001.sql

@@ -0,0 +1,2 @@
+ALTER TABLE subscriptions
+ADD COLUMN `secret` varchar(200) DEFAULT '' AFTER `challenge`;

schema/schema.sql

@@ -4,6 +4,7 @@ CREATE TABLE `subscriptions` (
   `feed_id` bigint(20) DEFAULT NULL,
   `callback_url` text,
   `challenge` varchar(100) DEFAULT '',
+  `secret` varchar(200) DEFAULT '',
   `active` tinyint(4) DEFAULT '0',
   `namespaced` tinyint(4) DEFAULT '1',
   `lease_seconds` int(11) DEFAULT NULL,