anypost 1.0.0

data/lib/anypost/webhook_signature.rb

@@ -0,0 +1,114 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "json"
+
+module Anypost
+  # Raised when a webhook delivery's signature cannot be verified.
+  class WebhookVerificationError < StandardError
+    # The machine-readable reason. Branch on this rather than the message.
+    #
+    # One of: :malformed_header, :no_timestamp, :no_signatures,
+    # :timestamp_out_of_tolerance, :no_match.
+    #
+    # @return [Symbol]
+    attr_reader :reason
+
+    def initialize(message, reason)
+      super(message)
+      @reason = reason
+    end
+  end
+
+  # Verify the signature on an Anypost webhook delivery.
+  module WebhookSignature
+    DEFAULT_TOLERANCE_SECONDS = 300
+
+    module_function
+
+    # Verify an Anypost webhook signature.
+    #
+    # Pass the **raw** request body (the exact bytes received, before JSON
+    # parsing), the `Anypost-Signature` header value, and the webhook's signing
+    # secret. Returns nil on success; raises {WebhookVerificationError} otherwise.
+    #
+    # The header may carry more than one `v1=` component during a secret
+    # rotation; a match on any one passes, so deliveries keep verifying across a
+    # rotation. Set `tolerance_seconds:` to 0 to disable the freshness check.
+    def verify(payload, signature_header, secret, tolerance_seconds: DEFAULT_TOLERANCE_SECONDS, now: nil)
+      timestamp, signatures = parse_header(signature_header)
+
+      if tolerance_seconds.positive?
+        current = now || Time.now.to_i
+        if current - timestamp > tolerance_seconds
+          raise WebhookVerificationError.new(
+            "Timestamp #{timestamp} is older than the #{tolerance_seconds}s tolerance.",
+            :timestamp_out_of_tolerance
+          )
+        end
+      end
+
+      expected = OpenSSL::HMAC.hexdigest("SHA256", secret, "#{timestamp}.#{payload}")
+
+      # Constant-time over every candidate: accumulate without early exit.
+      matched = false
+      signatures.each { |candidate| matched = true if secure_compare(candidate, expected) }
+
+      unless matched
+        raise WebhookVerificationError.new(
+          "No signature in the header matched the computed signature.",
+          :no_match
+        )
+      end
+
+      nil
+    end
+
+    # Verify a delivery and return its parsed body as a {Response}.
+    #
+    # A thin wrapper over {.verify} that parses the JSON only after the signature
+    # checks out.
+    def unwrap(payload, signature_header, secret, tolerance_seconds: DEFAULT_TOLERANCE_SECONDS, now: nil)
+      verify(payload, signature_header, secret, tolerance_seconds: tolerance_seconds, now: now)
+      decoded = JSON.parse(payload)
+      Response.new(decoded.is_a?(Hash) ? decoded : {})
+    end
+
+    def parse_header(header)
+      if header.nil? || header.empty?
+        raise WebhookVerificationError.new("The Anypost-Signature header is empty.", :malformed_header)
+      end
+
+      timestamp = nil
+      signatures = []
+
+      header.split(",").each do |part|
+        key, separator, value = part.partition("=")
+        next if separator.empty?
+
+        key = key.strip
+        value = value.strip
+        if key == "t"
+          timestamp = value.to_i if /\A\d+\z/.match?(value)
+        elsif key == "v1"
+          signatures << value
+        end
+      end
+
+      if timestamp.nil?
+        raise WebhookVerificationError.new("The Anypost-Signature header has no timestamp (t=).", :no_timestamp)
+      end
+      if signatures.empty?
+        raise WebhookVerificationError.new("The Anypost-Signature header has no v1= signature.", :no_signatures)
+      end
+
+      [timestamp, signatures]
+    end
+
+    def secure_compare(left, right)
+      return false unless left.bytesize == right.bytesize
+
+      OpenSSL.fixed_length_secure_compare(left, right)
+    end
+  end
+end

data/lib/anypost.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require_relative "anypost/version"
+require_relative "anypost/errors"
+require_relative "anypost/response"
+require_relative "anypost/page"
+require_relative "anypost/webhook_signature"
+require_relative "anypost/http_client"
+require_relative "anypost/resources/base"
+require_relative "anypost/resources/email"
+require_relative "anypost/resources/domains"
+require_relative "anypost/resources/api_keys"
+require_relative "anypost/resources/templates"
+require_relative "anypost/resources/suppressions"
+require_relative "anypost/resources/webhooks"
+require_relative "anypost/resources/events"
+require_relative "anypost/resources/identity"
+require_relative "anypost/client"
+
+# Official Ruby SDK for the Anypost email API.
+module Anypost
+end

metadata

@@ -0,0 +1,81 @@
+--- !ruby/object:Gem::Specification
+name: anypost
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Anypost
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-06-09 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: Send email, manage domains, templates, webhooks, and suppressions, and
+  read the event stream through the Anypost HTTP API.
+email:
+- support@anypost.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- LICENSE
+- README.md
+- lib/anypost.rb
+- lib/anypost/client.rb
+- lib/anypost/errors.rb
+- lib/anypost/http_client.rb
+- lib/anypost/page.rb
+- lib/anypost/resources/api_keys.rb
+- lib/anypost/resources/base.rb
+- lib/anypost/resources/domains.rb
+- lib/anypost/resources/email.rb
+- lib/anypost/resources/events.rb
+- lib/anypost/resources/identity.rb
+- lib/anypost/resources/suppressions.rb
+- lib/anypost/resources/templates.rb
+- lib/anypost/resources/webhooks.rb
+- lib/anypost/response.rb
+- lib/anypost/version.rb
+- lib/anypost/webhook_signature.rb
+homepage: https://anypost.com
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://anypost.com
+  source_code_uri: https://github.com/anypost/anypost-ruby
+  bug_tracker_uri: https://github.com/anypost/anypost-ruby/issues
+  rubygems_mfa_required: 'true'
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '3.2'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: Official Ruby SDK for the Anypost email API.
+test_files: []