FIX: new mailgun webhooks

app/controllers/webhooks_controller.rb

@@ -3,39 +3,9 @@ require "openssl"
 class WebhooksController < ActionController::Base
 
   def mailgun
-    # can't verify data without an API key
     return mailgun_failure if SiteSetting.mailgun_api_key.blank?
 
-    # token is a random string of 50 characters
-    token = params["token"]
-    return mailgun_failure if token.blank? || token.size != 50
-
-    # prevent replay attack
-    key = "mailgun_token_#{token}"
-    return mailgun_failure unless $redis.setnx(key, 1)
-    $redis.expire(key, 10.minutes)
-
-    # ensure timestamp isn't too far from current time
-    timestamp = params["timestamp"]
-    return mailgun_failure if (Time.at(timestamp.to_i) - Time.now).abs > 24.hours.to_i
-
-    # check the signature
-    return mailgun_failure unless mailgun_verify(timestamp, token, params["signature"])
-
-    event = params["event"]
-    message_id = params["Message-Id"].tr("<>", "")
-    to_address = params["recipient"]
-
-    # only handle soft bounces, because hard bounces are also handled
-    # by the "dropped" event and we don't want to increase bounce score twice
-    # for the same message
-    if event == "bounced".freeze && params["error"]["4."]
-      process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
-    elsif event == "dropped".freeze
-      process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
-    end
-
-    mailgun_success
+    params["event-data"] ? handle_mailgun_new(params) : handle_mailgun_legacy(params)
   end
 
   def sendgrid
@@ -127,10 +97,59 @@ class WebhooksController < ActionController::Base
     render body: nil, status: 200
   end
 
-  def mailgun_verify(timestamp, token, signature)
-    digest = OpenSSL::Digest::SHA256.new
-    data = "#{timestamp}#{token}"
-    signature == OpenSSL::HMAC.hexdigest(digest, SiteSetting.mailgun_api_key, data)
+  def valid_mailgun_signature?(token, timestamp, signature)
+    # token is a random 50 characters string
+    return false if token.blank? || token.size != 50
+
+    # prevent replay attacks
+    key = "mailgun_token_#{token}"
+    return false unless $redis.setnx(key, 1)
+    $redis.expire(key, 10.minutes)
+
+    # ensure timestamp isn't too far from current time
+    return false if (Time.at(timestamp.to_i) - Time.now).abs > 12.hours.to_i
+
+    # check the signature
+    signature == OpenSSL::HMAC.hexdigest("SHA256", SiteSetting.mailgun_api_key, "#{timestamp}#{token}")
+  end
+
+  def handle_mailgun_legacy(params)
+    return mailgun_failure unless valid_mailgun_signature?(params["token"], params["timestamp"], params["signature"])
+
+    event = params["event"]
+    message_id = params["Message-Id"].tr("<>", "")
+    to_address = params["recipient"]
+
+    # only handle soft bounces, because hard bounces are also handled
+    # by the "dropped" event and we don't want to increase bounce score twice
+    # for the same message
+    if event == "bounced".freeze && params["error"]["4."]
+      process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
+    elsif event == "dropped".freeze
+      process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
+    end
+
+    mailgun_success
+  end
+
+  def handle_mailgun_new(params)
+    signature = params["signature"]
+    return mailgun_failure unless valid_mailgun_signature?(signature["token"], signature["timestamp"], signature["signature"])
+
+    data = params["event-data"]
+    message_id = data.dig("message", "headers", "message-id")
+    to_address = data["recipient"]
+    severity = data["severity"]
+
+    if data["event"] == "failed".freeze
+      if severity == "temporary".freeze
+        process_bounce(message_id, to_address, SiteSetting.soft_bounce_score)
+      elsif severity == "permanent".freeze
+        process_bounce(message_id, to_address, SiteSetting.hard_bounce_score)
+      end
+    end
+
+    mailgun_success
   end
 
   def process_bounce(message_id, to_address, bounce_score)