chatwork_webhook_verify 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9a1055ca5bbcbe6d7532aabd3c400770ed6672c3957c9beafa8ec0f799d03200
+  data.tar.gz: a9803300c09d7c8c75d8a09189d9bf92d648b2a78558c0cf952dc2884c3914c9
+SHA512:
+  metadata.gz: afa01d6979dd651823a3181faea3784a07102dabd912d0ec1ed27194e26893bf9a1c7435c972035bb53eb48f39fb47ee57969e36ac96855c2393d08f9c74c66f
+  data.tar.gz: 07c9aafd537388d0a617049d123c95c4265431cd9b1ee766c8aa4bc373616775d53dbe153e56b7cd532759b811f968e793444da060e8d1da1b06b15058712eb0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2018 sue445
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,79 @@
+# ChatworkWebhookVerify
+Verify ChatWork webhook signature
+
+[![Build Status](https://travis-ci.org/sue445/chatwork_webhook_verify.svg?branch=master)](https://travis-ci.org/sue445/chatwork_webhook_verify)
+[![Maintainability](https://api.codeclimate.com/v1/badges/d7ea5e910c29987c7c0e/maintainability)](https://codeclimate.com/github/sue445/chatwork_webhook_verify/maintainability)
+[![Coverage Status](https://coveralls.io/repos/github/sue445/chatwork_webhook_verify/badge.svg?branch=master)](https://coveralls.io/github/sue445/chatwork_webhook_verify?branch=master)
+[![Dependency Status](https://gemnasium.com/badges/github.com/sue445/chatwork_webhook_verify.svg)](https://gemnasium.com/github.com/sue445/chatwork_webhook_verify)
+
+## Installation
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'chatwork_webhook_verify'
+```
+
+And then execute:
+```bash
+$ bundle
+```
+
+Or install it yourself as:
+```bash
+$ gem install chatwork_webhook_verify
+```
+
+## Basic usage
+```ruby
+ChatworkWebhookVerify.verify?(token: token, body: body, signature: signature)
+#=> true | false
+```
+
+or 
+
+```ruby
+ChatworkWebhookVerify.verify!(token: token, body: body, signature: signature)
+#=> raise ChatworkWebhookVerify::InvalidSignatureError if signature is invalid
+```
+
+* `token` : webhook token (default: `ChatworkWebhookVerify.config.token`)
+  * Either `token` or `ChatworkWebhookVerify.config.token` is required
+* `body` : request body from webhook
+* `signature` : `chatwork_webhook_signature` (query string) or `X-ChatWorkWebhookSignature` (request header)
+
+## for Rails
+call `verify_chatwork_webhook_signature!` in your controller
+
+### Example 1
+
+```ruby
+class WebhookController < ApplicationController
+  # `ChatworkWebhookVerify.config.token` is used
+  before_action :verify_chatwork_webhook_signature!
+end
+```
+
+### Example 2
+
+```ruby
+class WebhookController < ApplicationController
+  before_action :verify_chatwork_webhook_signature_with_own_token!
+  
+  def verify_chatwork_webhook_signature_with_own_token!
+    verify_chatwork_webhook_signature!("another_token")
+  end
+end
+```
+
+## Configuration
+```ruby
+ChatworkWebhookVerify.config.token = ENV["CHATWORK_WEBHOOK_TOKEN"]
+```
+
+* `token` : default webhook token
+
+## Contributing
+Contribution directions go here.
+
+## License
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,19 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ChatworkWebhookVerify'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+load 'rails/tasks/statistics.rake'
+
+require 'bundler/gem_tasks'

data/lib/chatwork_webhook_verify.rb

@@ -0,0 +1,54 @@
+require "chatwork_webhook_verify/configuration"
+require "chatwork_webhook_verify/railtie" if defined?(Rails)
+
+module ChatworkWebhookVerify
+  require "base64"
+  require "openssl"
+
+  class InvalidSignatureError < StandardError; end
+
+  # Whether signature is valid
+  #
+  # @param token     [String] webhook token (default: `ChatworkWebhookVerify.config.token`)
+  # @param body      [String] request body
+  # @param signature [String] chatwork_webhook_signature or X-ChatWorkWebhookSignature
+  #
+  # @return [Boolean]
+  #
+  # @note Either `token` or `ChatworkWebhookVerify.config.token` is required
+  def self.verify?(token: nil, body:, signature:)
+    token ||= config.token
+
+    raise ArgumentError, "Either token or ChatworkWebhookVerify.config.token is required" if !token || token.empty?
+    raise ArgumentError, "signature is required" if !signature || signature.empty?
+
+    generate_signature(token: token, body: body) == signature
+  end
+
+  # Whether signature is valid
+  #
+  # @param token     [String] webhook token (default: `ChatworkWebhookVerify.config.token`)
+  # @param body      [String] request body
+  # @param signature [String] chatwork_webhook_signature or X-ChatWorkWebhookSignature
+  #
+  # @raise [InvalidSignatureError] signature is invalid
+  #
+  # @note Either `token` or `ChatworkWebhookVerify.config.token` is required
+  def self.verify!(token: nil, body:, signature:)
+    raise InvalidSignatureError unless verify?(token: token, body: body, signature: signature)
+  end
+
+  # @param token [String] webhook token (default: `ChatworkWebhookVerify.config.token`)
+  # @param body  [String] request body
+  #
+  # @return [String]
+  def self.generate_signature(token:, body:)
+    secret_key = Base64.decode64(token)
+    Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), secret_key, body))
+  end
+
+  # @return [ChatworkWebhookVerify::Configuration]
+  def self.config
+    @config ||= Configuration.new
+  end
+end

data/lib/chatwork_webhook_verify/configuration.rb

@@ -0,0 +1,6 @@
+module ChatworkWebhookVerify
+  class Configuration
+    # @return [String] default webhook token
+    attr_accessor :token
+  end
+end

data/lib/chatwork_webhook_verify/controller_extension.rb

@@ -0,0 +1,16 @@
+module ChatworkWebhookVerify
+  module ControllerExtension
+    # @param token     [String] webhook token (default: `ChatworkWebhookVerify.config.token`)
+    #
+    # @raise [ActionController::BadRequest] signature is invalid
+    def verify_chatwork_webhook_signature!(token = nil)
+      ChatworkWebhookVerify.verify!(
+        token:     token,
+        body:      request.env["rack.input"].read,
+        signature: request.headers["X-ChatWorkWebhookSignature"] || params[:chatwork_webhook_signature],
+      )
+    rescue ChatworkWebhookVerify::InvalidSignatureError, ::ArgumentError
+      raise ActionController::BadRequest, "signature is invalid"
+    end
+  end
+end

data/lib/chatwork_webhook_verify/railtie.rb

@@ -0,0 +1,10 @@
+module ChatworkWebhookVerify
+  class Railtie < ::Rails::Railtie
+    initializer "chatwork_webhook_verify.controller_extension" do
+      ActiveSupport.on_load(:action_controller) do
+        require "chatwork_webhook_verify/controller_extension"
+        ActionController::Metal.include(ChatworkWebhookVerify::ControllerExtension)
+      end
+    end
+  end
+end

data/lib/chatwork_webhook_verify/version.rb

@@ -0,0 +1,3 @@
+module ChatworkWebhookVerify
+  VERSION = '0.1.0'
+end

data/spec/chatwork_webhook_verify/controller_extension_spec.rb

@@ -0,0 +1,37 @@
+require "rails_helper"
+require "chatwork_webhook_verify/controller_extension"
+
+RSpec.describe ChatworkWebhookVerify::ControllerExtension, type: :request do
+  # NOTE: there are valid
+  let(:token)     { "iY/hmitgwCBlc5DnjAZ8pyRG1HF0zFflfmKmtCDg1wk=" }
+  let(:body)      { '{"webhook_setting_id":"581","webhook_event_type":"mention_to_me","webhook_event_time":1516629767,"webhook_event":{"from_account_id":2861671,"to_account_id":2739132,"room_id":93207172,"message_id":"1007287971738591232","body":"[rp aid=2739132 to=93207172-1007287785163345920] sue445\ntest","send_time":1516629766,"update_time":0}}' }
+  let(:signature) { "NTIUzbXiwLvM7C/MT3Kd75Lw1w2N5tyWtcEieKiqhY0=" }
+
+  describe "#verify_chatwork_webhook_signature!" do
+    subject do
+      post "/webhook", params: body, headers: headers
+      response
+    end
+
+    before do
+      allow(ChatworkWebhookVerify.config).to receive(:token) { token }
+    end
+
+    let(:headers) do
+      {
+        "Content-Type"               => "application/json",
+        "X-ChatWorkWebhookSignature" => signature,
+      }
+    end
+
+    context "with valid signature" do
+      its(:status) { should eq 200 }
+    end
+
+    context "with invalid signature" do
+      let(:signature) { "AAAAAAAAA" }
+
+      it { expect { subject }.to raise_error ActionController::BadRequest }
+    end
+  end
+end

data/spec/chatwork_webhook_verify_spec.rb

@@ -0,0 +1,40 @@
+RSpec.describe ChatworkWebhookVerify do
+  # NOTE: there are valid
+  let(:token)     { "iY/hmitgwCBlc5DnjAZ8pyRG1HF0zFflfmKmtCDg1wk=" }
+  let(:body)      { '{"webhook_setting_id":"581","webhook_event_type":"mention_to_me","webhook_event_time":1516629767,"webhook_event":{"from_account_id":2861671,"to_account_id":2739132,"room_id":93207172,"message_id":"1007287971738591232","body":"[rp aid=2739132 to=93207172-1007287785163345920] sue445\ntest","send_time":1516629766,"update_time":0}}' }
+  let(:signature) { "NTIUzbXiwLvM7C/MT3Kd75Lw1w2N5tyWtcEieKiqhY0=" }
+
+  describe ".verify?" do
+    subject { ChatworkWebhookVerify.verify?(token: token, body: body, signature: signature) }
+
+    context "with valid signature" do
+      it { should eq true }
+    end
+
+    context "with invalid signature" do
+      let(:signature) { "AAAAAAAAA" }
+
+      it { should eq false }
+    end
+  end
+
+  describe ".verify!" do
+    subject { ChatworkWebhookVerify.verify!(token: token, body: body, signature: signature) }
+
+    context "with valid signature" do
+      it { expect { subject }.not_to raise_error }
+    end
+
+    context "with invalid signature" do
+      let(:signature) { "AAAAAAAAA" }
+
+      it { expect { subject }.to raise_error ChatworkWebhookVerify::InvalidSignatureError }
+    end
+  end
+
+  describe ".generate_signature" do
+    subject { ChatworkWebhookVerify.generate_signature(token: token, body: body) }
+
+    it { should eq signature }
+  end
+end

data/spec/dummy/Rakefile

@@ -0,0 +1,6 @@
+# Add your own tasks in files placed in lib/tasks ending in .rake,
+# for example lib/tasks/capistrano.rake, and they will automatically be available to Rake.
+
+require_relative 'config/application'
+
+Rails.application.load_tasks

data/spec/dummy/app/assets/config/manifest.js

@@ -0,0 +1 @@
+//= link_directory ../stylesheets .css

data/spec/dummy/app/assets/javascripts/application.js

@@ -0,0 +1,13 @@
+// This is a manifest file that'll be compiled into application.js, which will include all the files
+// listed below.
+//
+// Any JavaScript/Coffee file within this directory, lib/assets/javascripts, vendor/assets/javascripts,
+// or any plugin's vendor/assets/javascripts directory can be referenced here using a relative path.
+//
+// It's not advisable to add code directly here, but if you do, it'll appear at the bottom of the
+// compiled file. JavaScript code in this file should be added after the last require_* statement.
+//
+// Read Sprockets README (https://github.com/rails/sprockets#sprockets-directives) for details
+// about supported directives.
+//
+//= require_tree .

data/spec/dummy/app/assets/stylesheets/application.css

@@ -0,0 +1,15 @@
+/*
+ * This is a manifest file that'll be compiled into application.css, which will include all the files
+ * listed below.
+ *
+ * Any CSS and SCSS file within this directory, lib/assets/stylesheets, vendor/assets/stylesheets,
+ * or any plugin's vendor/assets/stylesheets directory can be referenced here using a relative path.
+ *
+ * You're free to add application-wide styles to this file and they'll appear at the bottom of the
+ * compiled file so the styles you add here take precedence over styles defined in any other CSS/SCSS
+ * files in this directory. Styles in this file should be added after the last require_* statement.
+ * It is generally better to create a new file per style scope.
+ *
+ *= require_tree .
+ *= require_self
+ */

data/spec/dummy/app/controllers/application_controller.rb

@@ -0,0 +1,2 @@
+class ApplicationController < ActionController::API
+end

data/spec/dummy/app/controllers/webhook_controller.rb

@@ -0,0 +1,7 @@
+class WebhookController < ApplicationController
+  before_action :verify_chatwork_webhook_signature!
+
+  def test
+    render plain: "OK", status: 200
+  end
+end

data/spec/dummy/app/jobs/application_job.rb

@@ -0,0 +1,2 @@
+class ApplicationJob < ActiveJob::Base
+end

data/spec/dummy/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
+load Gem.bin_path('bundler', 'bundle')

data/spec/dummy/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../config/application', __dir__)
+require_relative '../config/boot'
+require 'rails/commands'

data/spec/dummy/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

data/spec/dummy/bin/setup

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+require 'fileutils'
+include FileUtils
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+chdir APP_ROOT do
+  # This script is a starting point to setup your application.
+  # Add necessary setup steps to this file.
+
+  puts '== Installing dependencies =='
+  system! 'gem install bundler --conservative'
+  system('bundle check') || system!('bundle install')
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! 'bin/rails log:clear tmp:clear'
+
+  puts "\n== Restarting application server =="
+  system! 'bin/rails restart'
+end

data/spec/dummy/bin/update

@@ -0,0 +1,25 @@
+#!/usr/bin/env ruby
+require 'fileutils'
+include FileUtils
+
+# path to your application root.
+APP_ROOT = File.expand_path('..', __dir__)
+
+def system!(*args)
+  system(*args) || abort("\n== Command #{args} failed ==")
+end
+
+chdir APP_ROOT do
+  # This script is a way to update your development environment automatically.
+  # Add necessary update steps to this file.
+
+  puts '== Installing dependencies =='
+  system! 'gem install bundler --conservative'
+  system('bundle check') || system!('bundle install')
+
+  puts "\n== Removing old logs and tempfiles =="
+  system! 'bin/rails log:clear tmp:clear'
+
+  puts "\n== Restarting application server =="
+  system! 'bin/rails restart'
+end

data/spec/dummy/config.ru

@@ -0,0 +1,5 @@
+# This file is used by Rack-based servers to start the application.
+
+require_relative 'config/environment'
+
+run Rails.application

data/spec/dummy/config/application.rb

@@ -0,0 +1,35 @@
+require_relative 'boot'
+
+require "rails"
+# Pick the frameworks you want:
+# require "active_model/railtie"
+# require "active_job/railtie"
+# require "active_record/railtie"
+# require "active_storage/engine"
+require "action_controller/railtie"
+# require "action_mailer/railtie"
+# require "action_view/railtie"
+# require "action_cable/engine"
+# require "sprockets/railtie"
+# require "rails/test_unit/railtie"
+
+Bundler.require(*Rails.groups)
+require "chatwork_webhook_verify"
+require "chatwork_webhook_verify/railtie"
+
+module Dummy
+  class Application < Rails::Application
+    # Initialize configuration defaults for originally generated Rails version.
+    # config.load_defaults 5.2
+
+    # Settings in config/environments/* take precedence over those specified here.
+    # Application configuration should go into files in config/initializers
+    # -- all .rb files in that directory are automatically loaded.
+
+    # Only loads a smaller set of middleware suitable for API only apps.
+    # Middleware like session, flash, cookies can be added back manually.
+    # Skip views, helpers and assets when generating a new resource.
+    config.api_only = true
+  end
+end
+