From b0b4324f51ba7658e5e97b294ebd8ab7008d8f2a Mon Sep 17 00:00:00 2001
From: Florian Forster
Date: Thu, 1 Feb 2018 08:07:28 +0100
Subject: [PATCH] Package fitbit: Log signatures on failure.

Also promote "signature mismatch" from warning to error.
---
 fitbit/fitbit.go | 7 +++++++
 kraftakt.go      | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/fitbit/fitbit.go b/fitbit/fitbit.go
index 33f2ccd..9466b12 100644
--- a/fitbit/fitbit.go
+++ b/fitbit/fitbit.go
@@ -6,6 +6,7 @@ import (
 	"crypto/hmac"
 	"crypto/sha1"
 	"encoding/base64"
+	"encoding/hex"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -70,6 +71,12 @@ func CheckSignature(ctx context.Context, payload []byte, rawSig string) bool {
 	mac.Write(payload)
 	signatureWant := mac.Sum(nil)
 
+	if !hmac.Equal(signatureGot, signatureWant) {
+		log.Debugf(ctx, "CheckSignature(): got %q, want %q",
+			hex.EncodeToString(signatureGot),
+			hex.EncodeToString(signatureWant))
+	}
+
 	return hmac.Equal(signatureGot, signatureWant)
 }
 
diff --git a/kraftakt.go b/kraftakt.go
index da10c62..d53a3a3 100644
--- a/kraftakt.go
+++ b/kraftakt.go
@@ -258,7 +258,7 @@ func fitbitNotifyHandler(ctx context.Context, w http.ResponseWriter, r *http.Req
 	// Fitbit recommendation: "If signature verification fails, you should
 	// respond with a 404"
 	if !fitbit.CheckSignature(ctx, data, r.Header.Get("X-Fitbit-Signature")) {
-		log.Warningf(ctx, "signature mismatch")
+		log.Errorf(ctx, "signature mismatch")
 		w.WriteHeader(http.StatusNotFound)
 		return nil
 	}
-- 
2.11.0
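Review bot: Logging `signatureWant` on mismatch turns the debug log into a signing oracle: this branch is reached exactly when the caller's signature is wrong, so `payload` is attacker-chosen and the new log line contains the correct HMAC-SHA1 tag for it — anyone who can read the logs (or a compromised log sink) can replay that payload with a valid `X-Fitbit-Signature`. Debug level limits exposure today, but log levels get raised in production and the expected value should not be written out at all. Log only the received value (attacker-supplied, contains no secret) plus both lengths as a decoding aid, and evaluate `hmac.Equal` once instead of twice. The start of CheckSignature, where `signatureGot` is decoded and the MAC is keyed, lies outside this hunk.
```go
	signatureWant := mac.Sum(nil)

	// Never log signatureWant: it is a valid MAC for a caller-chosen payload.
	ok := hmac.Equal(signatureGot, signatureWant)
	if !ok {
		log.Debugf(ctx, "CheckSignature(): got %q (%d bytes, expected %d)",
			hex.EncodeToString(signatureGot), len(signatureGot), len(signatureWant))
	}
	return ok
```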
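Review bot: `log.Errorf(ctx, "signature mismatch")` fires on an unauthenticated path that anyone who can reach the notify endpoint can trigger at will, so promoting it to error level makes the error log, and whatever alerts on it, attacker-controlled noise. If error level is wanted, the line should at least carry attribution so a flood can be traced, e.g. `log.Errorf(ctx, "signature mismatch from %s", r.RemoteAddr)`, and any alerting on it should be threshold-based rather than per event. Depending on the deployment RemoteAddr may be a proxy address rather than the client — verify before relying on it. fitbitNotifyHandler begins and ends outside this hunk.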