ckeditor-webhook 0.2.1 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ef8f6eb49dfa6e250f101699978f2bf642674e16794fa86fc1085fd4ebd7f95c
-  data.tar.gz: 330faa6171d065e911ecfda3e672e2905ae0ce6120e96d7704f2d2562fd82b9a
+  metadata.gz: 64bbb117f61aef23c585bb7a5df47bc3faa8f7a7b28e69957fbd2610ce32287e
+  data.tar.gz: ba4f9e85a24db7a47e1a1c0aee7d82e2e2559694088bcd8acebcc30d397bcd2f
 SHA512:
-  metadata.gz: e2311ab34648d0469656e4013ff908ae50543441d7934edc34d7eefbe1efb142832a4a8742d7145fe3d7b6f3170775603a3016594a9a71fe9fe17bc4199aaf4e
-  data.tar.gz: db74afea88c2eb14393456f0b91db602790d6069b9a9b9b201cd87c7f3032f8f22a633d3447a4e5853cf9f99e049fdbf82f72267f330b121da7c69d48a120f1f
+  metadata.gz: bf801abff9f8e7ac9b31c40d83ac138685664ad704065175318c7626620b2568b037b72a9c8cd130cc2efbc9df828ab704adc401c0ee603b8c38b2ec0b858caa
+  data.tar.gz: d4e49630392ccd01630405fc9bbe2792dbbc7ba587ece5e4d9e436a585ddd254779ce7acc81e0461502b0d5edf2d4688f38f0e3d22b851d86cc7f4988ccaf863

data/CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.3.0 - 2020-11-09
+
+- Change the `payload` keyword argument to `Ckeditor::Webhook.construct_event` from a `Hash` to a `String`. We can parse the JSON Rather than requiring callers to do so.
+- Change the internals to avoid the `to_json` method. Rails' [ActiveSupport::Hash](https://github.com/rails/activesupport-json_encoder/blob/master/lib/active_support/json/encoding/active_support_encoder.rb) appears to extend `to_json` to encode certain characters in HTML. Since the encoded payload does not equal the original payload, the signature verification fails.
+
 ## 0.2.1 - 2020-10-31
 
 - Remove "?" character from `path` if the URL's query string does not exist. This should fix signature verification errors for URLs without a query string.

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    ckeditor-webhook (0.2.0)
+    ckeditor-webhook (0.3.0)
 
 GEM
   remote: https://rubygems.org/

data/README.md

@@ -29,7 +29,7 @@ $ gem install ckeditor-webhook
 Call `Ckeditor::Webhook::construct_event` with the following keyword arguments to create a verified webhook event (if the webhook is invalid, a `Ckedior::Webhook::SignatureVerificationError` will be raised):
 
 - `secret` (`String`), the CKEditor Cloud Services [API secret](https://ckeditor.com/docs/cs/latest/guides/security/api-secret.html).
-- `payload` (`Hash`), the webhook's payload
+- `payload` (`String`), the webhook's payload
 - `signature` (`String`), the request's `X-CS-Signature` header
 - `timestamp` (`Integer`), the request's `X-CS-Timestamp` header
 - `url` (`String`), the request's url
@@ -41,8 +41,8 @@ For example:
 # Store your CKEditor Cloud Services API key safely.
 secret = "SECRET"
 
-payload = JSON.parse(request.body.read, symbolize_names: true)
-# => { event: "foo", environment_id: "bar", payload: { baz: "qux" }, sent_at: Time.now.utc }
+payload = request.body.read
+# => '{ "event": "foo", "environment_id": "bar", "payload": { baz: "qux" }, "sent_at": Time.now.utc }
 
 url = request.original_url
 # => "http://demo.example.com/webhook?a=1"

data/lib/ckeditor/webhook.rb

@@ -15,7 +15,7 @@ module Ckeditor
       # Returns an Event if the webhook signature is valid.
       #
       # @param  secret     [String]   the CKEditor Cloud Services API secret
-      # @param  payload    [Hash]     the webhook's payload as a hash
+      # @param  payload    [String]   the webhook's string payload
       # @param  signature  [String]   the request's `X-CS-Signature` header
       # @param  timestamp  [Integer]  the request's `X-CS-Timestamp` header
       # @param  method     [String]   the request's method (defaults to "POST")
@@ -30,7 +30,7 @@ module Ckeditor
 
         raise SignatureVerificationError if signature != message_signature(message: event, secret: secret)
 
-        Event.new(payload)
+        Event.new(parse_payload(payload))
       end
 
       private
@@ -42,7 +42,7 @@ module Ckeditor
         uri    = URI.parse(url)
         path   = uri.path + (uri.query.nil? ? "" : "?#{uri.query}" )
         method = method.upcase
-        body   = payload.to_json
+        body   = sanitize_payload(payload)
 
         "#{method}#{path}#{timestamp}#{body}"
       end
@@ -54,6 +54,31 @@ module Ckeditor
           message
         )
       end
+
+      # Returns the string payload as a Hash with symbol keys.
+      #
+      # @return  [Hash]
+      # @raise   JSON::ParserError  if JSON is invalid
+      def parse_payload(payload)
+        JSON.parse(payload, symbolize_names: true)
+      end
+
+      # Returns the string payload... as a string.
+      #
+      #   1. I remove any whitespace. The signature is generated from JSON
+      #      without whitespace (e.g., '{"a":"ba"}'). Any unexpected spaces
+      #      (e.g., '{ "a": "b" }') will cause a signature verification failure.
+      #
+      #   2. I avoid the `to_json` method. Rails ActiveSupport extends the
+      #      method to encode HTML entities. For example, the "<" character is
+      #      encoded to "\u003c"). The encoded payload does not match the
+      #      original payload and will cause a signature verification failure.
+      #
+      # @return  [String]
+      # @raise   JSON::ParserError  if JSON is invalid
+      def sanitize_payload(payload)
+        JSON.generate(JSON.parse(payload))
+      end
     end
   end
 end

data/lib/ckeditor/webhook/version.rb

@@ -1,5 +1,5 @@
 module Ckeditor
   module Webhook
-    VERSION = "0.2.1"
+    VERSION = "0.3.0"
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ckeditor-webhook
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Jack Clayton
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2020-10-31 00:00:00.000000000 Z
+date: 2020-11-08 00:00:00.000000000 Z
 dependencies: []
 description: 
 email: