From e4ff660b342a4048cd4ef421f91485d1a0831888 Mon Sep 17 00:00:00 2001
From: Swashata Ghosh
Date: Wed, 11 Sep 2024 15:28:44 +0530
Subject: [PATCH 1/2] [webhook] [auth] Use new authentication for retrieving the webhook.

---
 freemius-webhook-listener.php | 29 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 15 deletions(-)

diff --git a/freemius-webhook-listener.php b/freemius-webhook-listener.php
index 7bee793..85b64ec 100644
--- a/freemius-webhook-listener.php
+++ b/freemius-webhook-listener.php
@@ -62,16 +62,9 @@ public static function listen() {
 */
 protected static function mailchimp() {
- // Retrieve the request's body and parse it as JSON
+ // Retrieve the request's body
 $input = @file_get_contents("php://input");
- $event_json = json_decode($input);
-
- if ( ! isset( $event_json->id ) ) {
- http_response_code(200);
- exit;
- }
-
 /**
 * Freemius PHP SDK can be downloaded from GitHub:
 * https://github.com/Freemius/php-sdk
@@ -80,14 +73,20 @@ protected static function mailchimp() {
 extract( self::$plugin );
- $fs = new Freemius_Api(
- $type,
- $id,
- $public_key,
- $secret_key
- );
+ // Verify the authenticity of the request.
+ $hash = hash_hmac('sha256', $input, $secret_key);
+
+ $signature = $_SERVER['HTTP_X_SIGNATURE'] ?? '';
+
+ if ( ! hash_equals($hash, $signature))
+ {
+ // Invalid signature, don't expose any data to attackers.
+ http_response_code(200);
+ exit;
+ }
- $fs_event = $fs->Api("/events/{$event_json->id}.json");
+ // Decode the request.
+ $fs_event = json_decode($input);
 $user = $fs_event->objects->user;

From 64cb2f4e796660f09dfb52977b2f81acf7a45de3 Mon Sep 17 00:00:00 2001
From: Swashata Ghosh
Date: Wed, 11 Sep 2024 18:48:22 +0530
Subject: [PATCH 2/2] [cleanup] Remove unneeded SDK library.

---
 freemius-webhook-listener.php | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/freemius-webhook-listener.php b/freemius-webhook-listener.php
index 85b64ec..7faa7e8 100644
--- a/freemius-webhook-listener.php
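Review bot: On the new side of the second hunk, `$fs_event = json_decode($input);` is followed by the context line `$user = $fs_event->objects->user;` with no check that decoding succeeded, and the first hunk removes the `isset( $event_json->id )` guard that used to stop early on an unparseable body, so a correctly signed but malformed payload now dereferences `null`. I would re-add a guard right after the decode, e.g. `if ( ! is_object( $fs_event ) || ! isset( $fs_event->objects->user ) ) { http_response_code(200); exit; }`, mirroring the 200-and-exit handling the hunk already uses for a bad signature. The `@file_get_contents` call on the context line above can also return `false`, which `hash_hmac` will presumably coerce to an empty string; that still fails the signature check for an unsigned request, but normalising with `$input = (string) @file_get_contents("php://input");` makes the intent explicit. Minor style: the `if ( ! hash_equals($hash, $signature))` block puts its opening brace on its own line, unlike the same-line braces used elsewhere in the file (`protected static function mailchimp() {`). The body of `mailchimp()` continues past the end of the hunk.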
+++ b/freemius-webhook-listener.php
@@ -65,12 +65,6 @@ protected static function mailchimp() {
 // Retrieve the request's body
 $input = @file_get_contents("php://input");
- /**
- * Freemius PHP SDK can be downloaded from GitHub:
- * https://github.com/Freemius/php-sdk
- */
- require_once dirname(__FILE__) . '/includes/freemius/includes/sdk/Freemius.php';
-
 extract( self::$plugin );
 // Verify the authenticity of the request.