ckeditor-webhook 0.2.1 → 0.3.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/Gemfile.lock +1 -1
- data/README.md +3 -3
- data/lib/ckeditor/webhook.rb +28 -3
- data/lib/ckeditor/webhook/version.rb +1 -1
- metadata +2 -2
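--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 64bbb117f61aef23c585bb7a5df47bc3faa8f7a7b28e69957fbd2610ce32287e
+data.tar.gz: ba4f9e85a24db7a47e1a1c0aee7d82e2e2559694088bcd8acebcc30d397bcd2f
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: bf801abff9f8e7ac9b31c40d83ac138685664ad704065175318c7626620b2568b037b72a9c8cd130cc2efbc9df828ab704adc401c0ee603b8c38b2ec0b858caa
+data.tar.gz: d4e49630392ccd01630405fc9bbe2792dbbc7ba587ece5e4d9e436a585ddd254779ce7acc81e0461502b0d5edf2d4688f38f0e3d22b851d86cc7f4988ccaf863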
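--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.3.0 - 2020-11-09
+
+- Change the `payload` keyword argument to `Ckeditor::Webhook.construct_event` from a `Hash` to a `String`. We can parse the JSON Rather than requiring callers to do so.
+- Change the internals to avoid the `to_json` method. Rails' [ActiveSupport::Hash](https://github.com/rails/activesupport-json_encoder/blob/master/lib/active_support/json/encoding/active_support_encoder.rb) appears to extend `to_json` to encode certain characters in HTML. Since the encoded payload does not equal the original payload, the signature verification fails.
+
 ## 0.2.1 - 2020-10-31
 
 - Remove "?" character from `path` if the URL's query string does not exist. This should fix signature verification errors for URLs without a query string.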
data/Gemfile.lock
CHANGED
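--- a/data/README.md
+++ b/data/README.md
@@ -29,7 +29,7 @@ $ gem install ckeditor-webhook
 Call `Ckeditor::Webhook::construct_event` with the following keyword arguments to create a verified webhook event (if the webhook is invalid, a `Ckedior::Webhook::SignatureVerificationError` will be raised):
 
 - `secret` (`String`), the CKEditor Cloud Services [API secret](https://ckeditor.com/docs/cs/latest/guides/security/api-secret.html).
-- `payload` (`
+- `payload` (`String`), the webhook's payload
 - `signature` (`String`), the request's `X-CS-Signature` header
 - `timestamp` (`Integer`), the request's `X-CS-Timestamp` header
 - `url` (`String`), the request's url
@@ -41,8 +41,8 @@ For example:
 # Store your CKEditor Cloud Services API key safely.
 secret = "SECRET"
 
-payload =
-# => { event: "foo", environment_id: "bar", payload: { baz: "qux" }, sent_at: Time.now.utc }
+payload = request.body.read
+# => '{ "event": "foo", "environment_id": "bar", "payload": { baz: "qux" }, "sent_at": Time.now.utc }
 
 url = request.original_url
 # => "http://demo.example.com/webhook?a=1"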
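--- a/data/lib/ckeditor/webhook.rb
+++ b/data/lib/ckeditor/webhook.rb
@@ -15,7 +15,7 @@ module Ckeditor
 # Returns an Event if the webhook signature is valid.
 #
 # @param secret [String] the CKEditor Cloud Services API secret
-# @param payload [
+# @param payload [String] the webhook's string payload
 # @param signature [String] the request's `X-CS-Signature` header
 # @param timestamp [Integer] the request's `X-CS-Timestamp` header
 # @param method [String] the request's method (defaults to "POST")
@@ -30,7 +30,7 @@ module Ckeditor
 
 raise SignatureVerificationError if signature != message_signature(message: event, secret: secret)
 
-Event.new(payload)
+Event.new(parse_payload(payload))
 end
 
 private
@@ -42,7 +42,7 @@ module Ckeditor
 uri = URI.parse(url)
 path = uri.path + (uri.query.nil? ? "" : "?#{uri.query}" )
 method = method.upcase
-body = payload
+body = sanitize_payload(payload)
 
 "#{method}#{path}#{timestamp}#{body}"
 end
@@ -54,6 +54,31 @@ module Ckeditor
 message
 )
 end
+
+# Returns the string payload as a Hash with symbol keys.
+#
+# @return [Hash]
+# @raise JSON::ParserError if JSON is invalid
+def parse_payload(payload)
+JSON.parse(payload, symbolize_names: true)
+end
+
+# Returns the string payload... as a string.
+#
+# 1. I remove any whitespace. The signature is generated from JSON
+# without whitespace (e.g., '{"a":"ba"}'). Any unexpected spaces
+# (e.g., '{ "a": "b" }') will cause a signature verification failure.
+#
+# 2. I avoid the `to_json` method. Rails ActiveSupport extends the
+# method to encode HTML entities. For example, the "<" character is
+# encoded to "\u003c"). The encoded payload does not match the
+# original payload and will cause a signature verification failure.
+#
+# @return [String]
+# @raise JSON::ParserError if JSON is invalid
+def sanitize_payload(payload)
+JSON.generate(JSON.parse(payload))
+end
 end
 end
 end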
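Review bot: With `body = sanitize_payload(payload)` in the message builder, `JSON.parse` now runs on the raw request body before its signature has been checked, so malformed input surfaces as `JSON::ParserError` rather than `SignatureVerificationError`, and the same string is parsed a second time in `parse_payload` after verification; parsing once in `construct_event` (whose body begins outside these hunks) and reusing that Hash for both `JSON.generate` and `Event.new` would remove the double parse and make the failure mode explicit. Because `construct_event` can now raise on bad JSON, its YARD block in the first hunk should gain `# @raise [JSON::ParserError] if the payload is not valid JSON`. The comparison on the context line `raise SignatureVerificationError if signature != message_signature(message: event, secret: secret)` is an ordinary `String#!=`, which returns at the first differing byte; HMAC verification is normally done with a fixed-time compare, e.g. `raise SignatureVerificationError unless OpenSSL.secure_compare(signature, message_signature(message: event, secret: secret))` (assuming `openssl` is already required for the HMAC). Re-serialising with `JSON.generate` only reproduces the sender's bytes if the sender itself emitted compact JSON with the same number and escape formatting, so the `sanitize_payload` comment should state that assumption rather than only the whitespace case.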
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: ckeditor-webhook
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.3.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Jack Clayton
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2020-
|
11
|
+
date: 2020-11-08 00:00:00.000000000 Z
|
12
12
|
dependencies: []
|
13
13
|
description:
|
14
14
|
email:
|