doorflow 1.0.0 → 1.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f030947a7aa52576b9c64f55b185c888d43ff51c7257099a74db36608d2c14d3
-  data.tar.gz: 94aba11ea4616046c3e92d8a0bc6a71f61e2dc22ef3d229d5de07a3ff5c1aff3
+  metadata.gz: 958e972d5b704e9dc612689508b92b2f889cd658db9987e12e073017a70a6942
+  data.tar.gz: c6aaa00b0644899890276825dbaca7022ee22ab92a1a70f35fb901ea9f07291f
 SHA512:
-  metadata.gz: f1793b621c409beca25bf87f90ff5246c3e1930219f75e57a503d873bf720f00c73e5b46f84c39ae498702a23de3d931c4d652e325a8d5134b410df55e9fcecc
-  data.tar.gz: a6488799e13203486b693ab13087489fedd35e998671133e5cb2956a761ede1f616bfe60a152493aa9f400135728e8929e517ac2d726c6cd9076d627f26dd7a6
+  metadata.gz: 6ab31e49a003ed6217abad77bb8084ec214f3f3bb75ab2fbbd2f508f67ebaeddfc37933049fc4baa62680ad3f8fd54f90b2343bc82952aa12ac434b343ad8331
+  data.tar.gz: 22a30992a4455c7743d63fda56169e9867b9c339be4abd190d8ebda48d6624d542d2191c63c6c41196474e5768629d93bf1669b96a80a6f5bb2986e61a06f0c1

data/README.md

@@ -285,8 +285,8 @@ class WebhooksController < ApplicationController
   def create
     handler.handle(
       payload: request.raw_post,
-      signature: request.headers['X-DoorFlow-Signature'],
-      timestamp: request.headers['X-DoorFlow-Timestamp']
+      signature: request.headers['Signature'],
+      timestamp: request.headers['Timestamp']
     )
     head :ok
   rescue DoorFlow::Webhooks::SignatureError

data/lib/doorflow/client/credentials_proxy.rb

@@ -35,10 +35,11 @@ module DoorFlow
       end
 
       # Retrieve a credential by ID
+      # @param person_id [Integer] Person ID (required by the API)
       # @param id [String, Integer] Credential ID
       # @return [DoorFlow::Resources::Credential]
-      def retrieve(id)
-        response = client.credentials_api.get_credential(id)
+      def retrieve(person_id, id)
+        response = client.credentials_api.get_credential(person_id, id)
         to_resource(response, Resources::Credential)
       end
 
@@ -56,14 +57,10 @@ module DoorFlow
 
       # Delete a credential
       # @param id [String, Integer] Credential ID
-      # @param person_id [String, Integer, nil] Person ID (may be required by API)
+      # @param person_id [Integer] Person ID (required by the API)
       # @return [Boolean] true if successful
-      def delete(id, person_id: nil)
-        if person_id
-          client.credentials_api.delete_credential(person_id, id)
-        else
-          client.credentials_api.delete_credential(id)
-        end
+      def delete(id, person_id:)
+        client.credentials_api.delete_credential(person_id, id)
         true
       rescue => e
         false

data/lib/doorflow/client/element_sessions_proxy.rb

@@ -0,0 +1,91 @@
+module DoorFlow
+  class Client
+    # Base proxy for Element Sessions — handles the HTTP call
+    #
+    # @api private
+    class ElementSessionsProxy < ResourceProxy
+      def create_session(widget_type:, member:, credentials: nil)
+        params = {
+          widget_type: widget_type,
+          member: {
+            external_id: member[:external_id],
+            name:        member[:name],
+            email:       member[:email]
+          }
+        }
+        params[:credentials] = credentials if credentials
+        response = post("/api/3/element_sessions", params)
+        to_resource(response, Resources::ElementSession)
+      end
+
+      private
+
+      def post(path, params)
+        api_client = client.send(:api_client)
+        config = api_client.config
+
+        url = "#{config.scheme}://#{config.host}#{path}"
+        token = client.access_token
+
+        conn = Faraday.new do |f|
+          f.request :json
+          f.response :json, parser_options: { symbolize_names: true }
+          f.adapter Faraday.default_adapter
+        end
+
+        response = conn.post(url) do |req|
+          req.headers["Authorization"] = "Bearer #{token}"
+          req.headers["Content-Type"] = "application/json"
+          req.body = params.to_json
+        end
+
+        unless response.success?
+          raise DoorFlow::ApiError.new(
+            code: response.status,
+            response_body: response.body
+          ), "Element session creation failed (#{response.status})"
+        end
+
+        response.body
+      end
+    end
+
+    # Proxy for creating admin widget sessions
+    #
+    # @example
+    #   session = client.admin_sessions.create(
+    #     member: {
+    #       external_id: "usr_123",
+    #       name: "Alice Anderson",
+    #       email: "alice@example.com"
+    #     },
+    #     credentials: ["mobile_access", "pin"]
+    #   )
+    #   session.token      #=> "eyJhbGciOiJIUzI1NiJ9..."
+    #   session.expires_in  #=> 900
+    class AdminSessionsProxy < ElementSessionsProxy
+      def create(member:, credentials: nil)
+        create_session(widget_type: "admin", member: member, credentials: credentials)
+      end
+    end
+
+    # Proxy for creating member widget sessions
+    #
+    # @example
+    #   session = client.member_sessions.create(
+    #     member: {
+    #       external_id: "usr_123",
+    #       name: "Alice Anderson",
+    #       email: "alice@example.com"
+    #     },
+    #     credentials: ["mobile_access", "pin"]
+    #   )
+    #   session.token      #=> "eyJhbGciOiJIUzI1NiJ9..."
+    #   session.expires_in  #=> 900
+    class MemberSessionsProxy < ElementSessionsProxy
+      def create(member:, credentials: nil)
+        create_session(widget_type: "member", member: member, credentials: credentials)
+      end
+    end
+  end
+end

data/lib/doorflow/client.rb

@@ -129,6 +129,18 @@ module DoorFlow
       @account ||= AccountProxy.new(self)
     end
 
+    # Access admin widget sessions
+    # @return [DoorFlow::Client::AdminSessionsProxy] admin sessions resource proxy
+    def admin_sessions
+      @admin_sessions ||= AdminSessionsProxy.new(self)
+    end
+
+    # Access member widget sessions
+    # @return [DoorFlow::Client::MemberSessionsProxy] member sessions resource proxy
+    def member_sessions
+      @member_sessions ||= MemberSessionsProxy.new(self)
+    end
+
     # ============================================
     # Low-level API accessors (for advanced use)
     # ============================================
@@ -261,3 +273,4 @@ require_relative 'client/reservations_proxy'
 require_relative 'client/group_reservations_proxy'
 require_relative 'client/notification_rules_proxy'
 require_relative 'client/account_proxy'
+require_relative 'client/element_sessions_proxy'

data/lib/doorflow/errors/doorflow_error.rb

@@ -52,7 +52,7 @@ module DoorFlow
       # Format error for display
       # @return [String]
       def to_s
-        parts = [message]
+        parts = [super]
         parts << "HTTP #{status}" if status
         parts << "Code: #{code}" if code
         parts << "Request ID: #{request_id}" if request_id

data/lib/doorflow/resources/credential.rb

@@ -27,10 +27,11 @@ module DoorFlow
     end
 
     # Retrieve a credential by ID
+    # @param person_id [Integer] person ID (required by the API)
     # @param id [String] credential ID
     # @return [DoorFlow::Credential] the credential
-    def self.retrieve(id)
-      response = client.credentials_api.get_credential(id)
+    def self.retrieve(person_id, id)
+      response = client.credentials_api.get_credential(person_id, id)
       from_api_model(response)
     end
 
@@ -63,7 +64,7 @@ module DoorFlow
     # Delete this credential
     # @return [Boolean] true if successful
     def delete
-      _client.credentials_api.delete_credential(@id)
+      _client.credentials_api.delete_credential(@person_id, @id)
       true
     rescue
       false

data/lib/doorflow/resources/element_session.rb

@@ -0,0 +1,28 @@
+module DoorFlow
+  module Resources
+    # Represents a DoorFlow Elements session token
+    #
+    # Element sessions provide short-lived JWT tokens for embedding
+    # DoorFlow widgets (admin or member) in your application via iframes.
+    #
+    # @example Create an admin session
+    #   client = DoorFlow::Client.new(access_token: 'your_token')
+    #   session = client.element_sessions.create(
+    #     person_id: 123,
+    #     widget_type: 'admin'
+    #   )
+    #   session.token      #=> "eyJhbGciOiJIUzI1NiJ9..."
+    #   session.expires_in  #=> 900
+    class ElementSession < Resource
+      # @return [String] the JWT session token
+      def token
+        @attributes[:token]
+      end
+
+      # @return [Integer] seconds until the token expires
+      def expires_in
+        @attributes[:expires_in]
+      end
+    end
+  end
+end

data/lib/doorflow/webhooks/handler.rb

@@ -27,8 +27,8 @@ module DoorFlow
     #   # In your controller:
     #   handler.handle(
     #     payload: request.raw_post,
-    #     signature: request.headers['X-DoorFlow-Signature'],
-    #     timestamp: request.headers['X-DoorFlow-Timestamp']
+    #     signature: request.headers['Signature'],
+    #     timestamp: request.headers['Timestamp']
     #   )
     #
     # @example With auto-fetch
@@ -82,8 +82,8 @@ module DoorFlow
       # Process an incoming webhook request
       #
       # @param payload [String] Raw request body
-      # @param signature [String] X-DoorFlow-Signature header
-      # @param timestamp [String] X-DoorFlow-Timestamp header
+      # @param signature [String] Signature header
+      # @param timestamp [String] Timestamp header
       # @return [Array<Event>] Processed events
       # @raise [SignatureError] If signature verification fails
       def handle(payload:, signature:, timestamp:)
@@ -108,8 +108,8 @@ module DoorFlow
       def handle_request(request)
         handle(
           payload: extract_body(request),
-          signature: extract_header(request, 'X-DoorFlow-Signature'),
-          timestamp: extract_header(request, 'X-DoorFlow-Timestamp')
+          signature: extract_header(request, 'Signature'),
+          timestamp: extract_header(request, 'Timestamp')
         )
       end
 

data/lib/doorflow/webhooks/signature_verifier.rb

@@ -20,8 +20,8 @@ module DoorFlow
     # @example Verifying a webhook
     #   events = DoorFlow::Webhooks::SignatureVerifier.verify(
     #     payload: request.raw_post,
-    #     signature: request.headers['X-DoorFlow-Signature'],
-    #     timestamp: request.headers['X-DoorFlow-Timestamp'],
+    #     signature: request.headers['Signature'],
+    #     timestamp: request.headers['Timestamp'],
     #     secret: ENV['DOORFLOW_WEBHOOK_SECRET']
     #   )
     #
@@ -36,8 +36,8 @@ module DoorFlow
         # Verify webhook signature and parse events
         #
         # @param payload [String] Raw request body
-        # @param signature [String] X-DoorFlow-Signature header value
-        # @param timestamp [String] X-DoorFlow-Timestamp header value
+        # @param signature [String] Signature header value
+        # @param timestamp [String] Timestamp header value
         # @param secret [String] Webhook secret from DoorFlow dashboard
         # @param tolerance [Integer] Maximum age in seconds (0 to disable)
         # @return [Array<Event>] Parsed webhook events
@@ -109,7 +109,10 @@ module DoorFlow
 
         def parse_events(payload)
           data = JSON.parse(payload, symbolize_names: true)
-          events = data[:events] || []
+          events = case data
+                   when Array then data
+                   else data[:events] || [data]
+                   end
           events.map { |e| Event.new(e) }
         rescue JSON::ParserError => e
           raise SignatureError.new("Invalid JSON payload: #{e.message}")

data/lib/doorflow-api/version.rb

@@ -11,5 +11,5 @@ Generator version: 7.18.0-SNAPSHOT
 =end
 
 module DoorFlow
-  VERSION = '1.0.0'
+  VERSION = '1.0.1'
 end

data/lib/doorflow.rb

@@ -28,6 +28,7 @@ require 'doorflow/resources/person'
 require 'doorflow/resources/reservation'
 require 'doorflow/resources/role'
 require 'doorflow/resources/site'
+require 'doorflow/resources/element_session'
 
 # DoorFlow Ruby SDK for access control and door management
 #

data/spec/doorflow/webhooks/event_spec.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe DoorFlow::Webhooks::Event do
+  let(:event_data) do
+    {
+      action: 'CREATE',
+      resource: 'https://api.doorflow.com/api/v1/accounts/1/events/42',
+      resource_type: 'Event',
+      resource_id: 42,
+      account_id: 1,
+      ack_token: 'abc123'
+    }
+  end
+
+  subject(:event) { described_class.new(event_data) }
+
+  describe '#initialize' do
+    it 'sets all attributes from the data hash' do
+      expect(event.action).to eq('CREATE')
+      expect(event.resource_url).to eq('https://api.doorflow.com/api/v1/accounts/1/events/42')
+      expect(event.resource_type).to eq('Event')
+      expect(event.resource_id).to eq('42')
+      expect(event.account_id).to eq(1)
+      expect(event.ack_token).to eq('abc123')
+    end
+
+    it 'converts resource_id to string' do
+      expect(event.resource_id).to be_a(String)
+    end
+
+    it 'handles nil resource_id' do
+      data = event_data.merge(resource_id: nil)
+      event = described_class.new(data)
+      expect(event.resource_id).to be_nil
+    end
+  end
+
+  describe '#pattern' do
+    it 'returns ResourceType.ACTION format' do
+      expect(event.pattern).to eq('Event.CREATE')
+    end
+
+    it 'handles different resource types' do
+      data = event_data.merge(resource_type: 'PersonCredential', action: 'UPDATE')
+      event = described_class.new(data)
+      expect(event.pattern).to eq('PersonCredential.UPDATE')
+    end
+  end
+
+  describe '#create?' do
+    it 'returns true for CREATE action' do
+      expect(event.create?).to be true
+    end
+
+    it 'returns false for other actions' do
+      data = event_data.merge(action: 'DELETE')
+      expect(described_class.new(data).create?).to be false
+    end
+  end
+
+  describe '#update?' do
+    it 'returns true for UPDATE action' do
+      data = event_data.merge(action: 'UPDATE')
+      expect(described_class.new(data).update?).to be true
+    end
+
+    it 'returns false for other actions' do
+      expect(event.update?).to be false
+    end
+  end
+
+  describe '#delete?' do
+    it 'returns true for DELETE action' do
+      data = event_data.merge(action: 'DELETE')
+      expect(described_class.new(data).delete?).to be true
+    end
+
+    it 'returns false for other actions' do
+      expect(event.delete?).to be false
+    end
+  end
+
+  describe '#to_h' do
+    it 'returns a hash with all attributes' do
+      expected = {
+        action: 'CREATE',
+        resource: 'https://api.doorflow.com/api/v1/accounts/1/events/42',
+        resource_type: 'Event',
+        resource_id: '42',
+        account_id: 1,
+        ack_token: 'abc123'
+      }
+      expect(event.to_h).to eq(expected)
+    end
+
+    it 'round-trips through Event.new' do
+      reconstructed = described_class.new(event.to_h)
+      expect(reconstructed.to_h).to eq(event.to_h)
+    end
+  end
+
+  describe '#to_s' do
+    it 'includes pattern and resource_id' do
+      expect(event.to_s).to eq('Event.CREATE (42)')
+    end
+  end
+
+  describe '#inspect' do
+    it 'includes class name, pattern, and resource_id' do
+      expect(event.inspect).to include('DoorFlow::Webhooks::Event')
+      expect(event.inspect).to include('Event.CREATE')
+      expect(event.inspect).to include('42')
+    end
+  end
+end

data/spec/doorflow/webhooks/handler_spec.rb

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_relative 'support'
+
+RSpec.describe DoorFlow::Webhooks::Handler do
+  include WebhookSpecSupport
+
+  let(:secret) { WebhookSpecSupport::WEBHOOK_SECRET }
+  let(:timestamp) { Time.now.to_i.to_s }
+  let(:event_hash) { WebhookSpecSupport::SAMPLE_EVENT_HASH }
+  let(:payload) { JSON.generate([event_hash]) }
+
+  let(:signature) { compute_signature(timestamp, payload, secret) }
+
+  subject(:handler) { described_class.new(secret: secret) }
+
+  describe '#on' do
+    it 'returns self for method chaining' do
+      result = handler.on('Event.CREATE') { |e| }
+      expect(result).to be(handler)
+    end
+
+    it 'supports chained registrations' do
+      result = handler
+        .on('Event.CREATE') { |e| }
+        .on('Person.UPDATE') { |e| }
+        .on('*') { |e| }
+
+      expect(result).to be(handler)
+    end
+
+    it 'raises ArgumentError without a block' do
+      expect { handler.on('Event.CREATE') }.to raise_error(ArgumentError, /Block required/)
+    end
+  end
+
+  describe '#handle' do
+    it 'dispatches events to matching handlers' do
+      received = []
+      handler.on('Event.CREATE') { |event| received << event }
+
+      handler.handle(payload: payload, signature: signature, timestamp: timestamp)
+
+      expect(received.length).to eq(1)
+      expect(received.first.pattern).to eq('Event.CREATE')
+    end
+
+    it 'does not dispatch to non-matching handlers' do
+      received = []
+      handler.on('Person.UPDATE') { |event| received << event }
+
+      handler.handle(payload: payload, signature: signature, timestamp: timestamp)
+
+      expect(received).to be_empty
+    end
+
+    it 'dispatches to wildcard handler' do
+      received = []
+      handler.on('*') { |event| received << event }
+
+      handler.handle(payload: payload, signature: signature, timestamp: timestamp)
+
+      expect(received.length).to eq(1)
+    end
+
+    it 'dispatches to resource wildcard handler' do
+      received = []
+      handler.on('Event.*') { |event| received << event }
+
+      handler.handle(payload: payload, signature: signature, timestamp: timestamp)
+
+      expect(received.length).to eq(1)
+    end
+
+    it 'does not match wrong resource wildcard' do
+      received = []
+      handler.on('Person.*') { |event| received << event }
+
+      handler.handle(payload: payload, signature: signature, timestamp: timestamp)
+
+      expect(received).to be_empty
+    end
+
+    it 'dispatches to multiple matching handlers' do
+      exact = []
+      wildcard = []
+      handler.on('Event.CREATE') { |event| exact << event }
+      handler.on('*') { |event| wildcard << event }
+
+      handler.handle(payload: payload, signature: signature, timestamp: timestamp)
+
+      expect(exact.length).to eq(1)
+      expect(wildcard.length).to eq(1)
+    end
+
+    it 'returns the parsed events' do
+      events = handler.handle(payload: payload, signature: signature, timestamp: timestamp)
+
+      expect(events).to be_an(Array)
+      expect(events.length).to eq(1)
+      expect(events.first).to be_a(DoorFlow::Webhooks::Event)
+    end
+  end
+
+  describe '#handle_request' do
+    context 'with a Rails-style request' do
+      it 'extracts Signature and Timestamp headers' do
+        headers = {
+          'Signature' => signature,
+          'Timestamp' => timestamp
+        }
+        request = double('rails_request',
+          raw_post: payload,
+          headers: headers
+        )
+
+        received = []
+        handler.on('Event.CREATE') { |event| received << event }
+        handler.handle_request(request)
+
+        expect(received.length).to eq(1)
+        expect(received.first.pattern).to eq('Event.CREATE')
+      end
+    end
+
+    context 'with a Rack-style request' do
+      it 'extracts headers from the env hash' do
+        body = double('body')
+        allow(body).to receive(:read).and_return(payload)
+
+        request = double('rack_request',
+          body: body,
+          env: {
+            'HTTP_SIGNATURE' => signature,
+            'HTTP_TIMESTAMP' => timestamp
+          }
+        )
+        # Rack request doesn't respond to raw_post or headers
+        allow(request).to receive(:respond_to?).with(:raw_post).and_return(false)
+        allow(request).to receive(:respond_to?).with(:body).and_return(true)
+        allow(request).to receive(:respond_to?).with(:headers).and_return(false)
+        allow(request).to receive(:respond_to?).with(:env).and_return(true)
+
+        received = []
+        handler.on('Event.CREATE') { |event| received << event }
+        handler.handle_request(request)
+
+        expect(received.length).to eq(1)
+        expect(received.first.pattern).to eq('Event.CREATE')
+      end
+    end
+  end
+end

data/spec/doorflow/webhooks/signature_verifier_spec.rb

@@ -0,0 +1,210 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require_relative 'support'
+
+RSpec.describe DoorFlow::Webhooks::SignatureVerifier do
+  include WebhookSpecSupport
+
+  let(:secret) { WebhookSpecSupport::WEBHOOK_SECRET }
+  let(:timestamp) { Time.now.to_i.to_s }
+  let(:event_hash) { WebhookSpecSupport::SAMPLE_EVENT_HASH }
+
+  describe '.verify' do
+    context 'with a root-level array payload (documented format)' do
+      let(:payload) { JSON.generate([event_hash]) }
+      let(:signature) { compute_signature(timestamp, payload, secret) }
+
+      it 'returns an array of Event objects' do
+        events = described_class.verify(
+          payload: payload,
+          signature: signature,
+          timestamp: timestamp,
+          secret: secret
+        )
+
+        expect(events).to be_an(Array)
+        expect(events.length).to eq(1)
+        expect(events.first).to be_a(DoorFlow::Webhooks::Event)
+        expect(events.first.resource_type).to eq('Event')
+        expect(events.first.action).to eq('CREATE')
+      end
+    end
+
+    context 'with multiple events in an array' do
+      let(:second_event) do
+        {
+          action: 'UPDATE',
+          resource: 'https://api.doorflow.com/api/v1/accounts/1/people/99',
+          resource_type: 'Person',
+          resource_id: 99,
+          account_id: 1,
+          ack_token: 'def456'
+        }
+      end
+      let(:payload) { JSON.generate([event_hash, second_event]) }
+      let(:signature) { compute_signature(timestamp, payload, secret) }
+
+      it 'returns all events' do
+        events = described_class.verify(
+          payload: payload,
+          signature: signature,
+          timestamp: timestamp,
+          secret: secret
+        )
+
+        expect(events.length).to eq(2)
+        expect(events[0].pattern).to eq('Event.CREATE')
+        expect(events[1].pattern).to eq('Person.UPDATE')
+      end
+    end
+
+    context 'with a single event object payload' do
+      let(:payload) { JSON.generate(event_hash) }
+      let(:signature) { compute_signature(timestamp, payload, secret) }
+
+      it 'wraps the single event in an array' do
+        events = described_class.verify(
+          payload: payload,
+          signature: signature,
+          timestamp: timestamp,
+          secret: secret
+        )
+
+        expect(events.length).to eq(1)
+        expect(events.first.pattern).to eq('Event.CREATE')
+      end
+    end
+
+    context 'with an events-key payload (backwards compat)' do
+      let(:payload) { JSON.generate({ events: [event_hash] }) }
+      let(:signature) { compute_signature(timestamp, payload, secret) }
+
+      it 'extracts events from the events key' do
+        events = described_class.verify(
+          payload: payload,
+          signature: signature,
+          timestamp: timestamp,
+          secret: secret
+        )
+
+        expect(events.length).to eq(1)
+        expect(events.first.pattern).to eq('Event.CREATE')
+      end
+    end
+
+    context 'with an invalid signature' do
+      let(:payload) { JSON.generate([event_hash]) }
+
+      it 'raises SignatureError' do
+        expect {
+          described_class.verify(
+            payload: payload,
+            signature: 'invalid_signature_value',
+            timestamp: timestamp,
+            secret: secret
+          )
+        }.to raise_error(DoorFlow::Webhooks::SignatureError, /Signature mismatch/)
+      end
+    end
+
+    context 'with an expired timestamp' do
+      let(:old_timestamp) { (Time.now.to_i - 600).to_s }
+      let(:payload) { JSON.generate([event_hash]) }
+      let(:signature) { compute_signature(old_timestamp, payload, secret) }
+
+      it 'raises SignatureError' do
+        expect {
+          described_class.verify(
+            payload: payload,
+            signature: signature,
+            timestamp: old_timestamp,
+            secret: secret
+          )
+        }.to raise_error(DoorFlow::Webhooks::SignatureError, /too old/)
+      end
+    end
+
+    context 'with tolerance disabled' do
+      let(:old_timestamp) { (Time.now.to_i - 600).to_s }
+      let(:payload) { JSON.generate([event_hash]) }
+      let(:signature) { compute_signature(old_timestamp, payload, secret) }
+
+      it 'does not check timestamp' do
+        events = described_class.verify(
+          payload: payload,
+          signature: signature,
+          timestamp: old_timestamp,
+          secret: secret,
+          tolerance: 0
+        )
+
+        expect(events.length).to eq(1)
+      end
+    end
+
+    context 'with missing inputs' do
+      let(:payload) { JSON.generate([event_hash]) }
+      let(:signature) { compute_signature(timestamp, payload, secret) }
+
+      it 'raises SignatureError for missing payload' do
+        expect {
+          described_class.verify(payload: nil, signature: signature, timestamp: timestamp, secret: secret)
+        }.to raise_error(DoorFlow::Webhooks::SignatureError, /Missing payload/)
+      end
+
+      it 'raises SignatureError for empty payload' do
+        expect {
+          described_class.verify(payload: '', signature: signature, timestamp: timestamp, secret: secret)
+        }.to raise_error(DoorFlow::Webhooks::SignatureError, /Missing payload/)
+      end
+
+      it 'raises SignatureError for missing signature' do
+        expect {
+          described_class.verify(payload: payload, signature: nil, timestamp: timestamp, secret: secret)
+        }.to raise_error(DoorFlow::Webhooks::SignatureError, /Missing signature/)
+      end
+
+      it 'raises SignatureError for missing timestamp' do
+        expect {
+          described_class.verify(payload: payload, signature: signature, timestamp: nil, secret: secret)
+        }.to raise_error(DoorFlow::Webhooks::SignatureError, /Missing timestamp/)
+      end
+
+      it 'raises SignatureError for missing secret' do
+        expect {
+          described_class.verify(payload: payload, signature: signature, timestamp: timestamp, secret: nil)
+        }.to raise_error(DoorFlow::Webhooks::SignatureError, /Missing secret/)
+      end
+    end
+
+    context 'with malformed JSON' do
+      let(:payload) { 'not valid json{{{' }
+      let(:signature) { compute_signature(timestamp, payload, secret) }
+
+      it 'raises SignatureError' do
+        expect {
+          described_class.verify(
+            payload: payload,
+            signature: signature,
+            timestamp: timestamp,
+            secret: secret
+          )
+        }.to raise_error(DoorFlow::Webhooks::SignatureError, /Invalid JSON/)
+      end
+    end
+  end
+
+  describe '.compute_signature' do
+    it 'returns a hex-encoded HMAC-SHA256 digest' do
+      sig = described_class.compute_signature('12345', '{"test":true}', 'secret')
+      expect(sig).to match(/\A[a-f0-9]{64}\z/)
+    end
+
+    it 'uses timestamp.payload format' do
+      expected = OpenSSL::HMAC.hexdigest('SHA256', 'secret', '12345.{"test":true}')
+      sig = described_class.compute_signature('12345', '{"test":true}', 'secret')
+      expect(sig).to eq(expected)
+    end
+  end
+end

data/spec/doorflow/webhooks/support.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module WebhookSpecSupport
+  WEBHOOK_SECRET = 'whsec_test_secret_key'
+
+  SAMPLE_EVENT_HASH = {
+    action: 'CREATE',
+    resource: 'https://api.doorflow.com/api/v1/accounts/1/events/42',
+    resource_type: 'Event',
+    resource_id: 42,
+    account_id: 1,
+    ack_token: 'abc123'
+  }.freeze
+
+  def compute_signature(timestamp, payload, secret)
+    OpenSSL::HMAC.hexdigest('SHA256', secret, "#{timestamp}.#{payload}")
+  end
+end

data/spec/resources/credential_bugs_spec.rb

@@ -0,0 +1,115 @@
+require 'spec_helper'
+
+# Regression specs for bugs reported by William:
+#   - retrieve and delete were calling get_credential / delete_credential
+#     with only (id), omitting the required person_id argument.
+#   - CredentialsProxy#delete had a dead else-branch that always failed silently.
+RSpec.describe 'Credential person_id argument fixes' do
+  let(:person_id)     { 456 }
+  let(:credential_id) { 'abc123' }
+
+  let(:credential_response) do
+    double('CredentialResponse',
+      to_hash: { 'id' => credential_id, 'person_id' => person_id,
+                 'credential_type_id' => 1, 'label' => 'Card' }
+    )
+  end
+
+  let(:mock_credentials_api) { double('CredentialsApi') }
+  let(:mock_client)           { double('Client', credentials_api: mock_credentials_api) }
+
+  # ──────────────────────────────────────────────────────────────────────────────
+  # DoorFlow::Resources::Credential.retrieve
+  # ──────────────────────────────────────────────────────────────────────────────
+  describe 'DoorFlow::Resources::Credential.retrieve' do
+    before { allow(DoorFlow::Resources::Credential).to receive(:client).and_return(mock_client) }
+
+    it 'passes person_id and id to get_credential' do
+      expect(mock_credentials_api).to receive(:get_credential)
+        .with(person_id, credential_id)
+        .and_return(credential_response)
+
+      DoorFlow::Resources::Credential.retrieve(person_id, credential_id)
+    end
+
+    it 'returns a Credential resource' do
+      allow(mock_credentials_api).to receive(:get_credential)
+        .with(person_id, credential_id)
+        .and_return(credential_response)
+
+      result = DoorFlow::Resources::Credential.retrieve(person_id, credential_id)
+      expect(result).to be_a(DoorFlow::Resources::Credential)
+    end
+  end
+
+  # ──────────────────────────────────────────────────────────────────────────────
+  # DoorFlow::Resources::Credential#delete
+  # ──────────────────────────────────────────────────────────────────────────────
+  describe 'DoorFlow::Resources::Credential#delete' do
+    let(:credential) do
+      DoorFlow::Resources::Credential.new(
+        { 'id' => credential_id, 'person_id' => person_id },
+        client: mock_client
+      )
+    end
+
+    it 'passes person_id and id to delete_credential' do
+      expect(mock_credentials_api).to receive(:delete_credential)
+        .with(person_id, credential_id)
+        .and_return(nil)
+
+      credential.delete
+    end
+
+    it 'returns true on success' do
+      allow(mock_credentials_api).to receive(:delete_credential)
+        .with(person_id, credential_id)
+        .and_return(nil)
+
+      expect(credential.delete).to eq(true)
+    end
+  end
+
+  # ──────────────────────────────────────────────────────────────────────────────
+  # DoorFlow::Client::CredentialsProxy#retrieve
+  # ──────────────────────────────────────────────────────────────────────────────
+  describe 'DoorFlow::Client::CredentialsProxy#retrieve' do
+    let(:proxy) { DoorFlow::Client::CredentialsProxy.new(mock_client) }
+
+    it 'passes person_id and id to get_credential' do
+      expect(mock_credentials_api).to receive(:get_credential)
+        .with(person_id, credential_id)
+        .and_return(credential_response)
+
+      proxy.retrieve(person_id, credential_id)
+    end
+
+    it 'returns a Credential resource' do
+      allow(mock_credentials_api).to receive(:get_credential)
+        .with(person_id, credential_id)
+        .and_return(credential_response)
+
+      result = proxy.retrieve(person_id, credential_id)
+      expect(result).to be_a(DoorFlow::Resources::Credential)
+    end
+  end
+
+  # ──────────────────────────────────────────────────────────────────────────────
+  # DoorFlow::Client::CredentialsProxy#delete
+  # ──────────────────────────────────────────────────────────────────────────────
+  describe 'DoorFlow::Client::CredentialsProxy#delete' do
+    let(:proxy) { DoorFlow::Client::CredentialsProxy.new(mock_client) }
+
+    it 'passes person_id and id to delete_credential and returns true' do
+      expect(mock_credentials_api).to receive(:delete_credential)
+        .with(person_id, credential_id)
+        .and_return(nil)
+
+      expect(proxy.delete(credential_id, person_id: person_id)).to eq(true)
+    end
+
+    it 'raises ArgumentError when person_id is not supplied' do
+      expect { proxy.delete(credential_id) }.to raise_error(ArgumentError)
+    end
+  end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: doorflow
 version: !ruby/object:Gem::Version
-  version: 1.0.0
+  version: 1.0.1
 platform: ruby
 authors:
 - NetNodes Ltd
 bindir: bin
 cert_chain: []
-date: 2026-02-05 00:00:00.000000000 Z
+date: 2026-02-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -282,6 +282,7 @@ files:
 - lib/doorflow/client/channels_proxy.rb
 - lib/doorflow/client/credential_types_proxy.rb
 - lib/doorflow/client/credentials_proxy.rb
+- lib/doorflow/client/element_sessions_proxy.rb
 - lib/doorflow/client/events_proxy.rb
 - lib/doorflow/client/group_reservations_proxy.rb
 - lib/doorflow/client/groups_proxy.rb
@@ -305,6 +306,7 @@ files:
 - lib/doorflow/resources/channel.rb
 - lib/doorflow/resources/credential.rb
 - lib/doorflow/resources/credential_type.rb
+- lib/doorflow/resources/element_session.rb
 - lib/doorflow/resources/event.rb
 - lib/doorflow/resources/group.rb
 - lib/doorflow/resources/group_reservation.rb
@@ -323,6 +325,10 @@ files:
 - spec/api/group_reservations_api_spec.rb
 - spec/api/oauth_api_spec.rb
 - spec/doorflow/client_spec.rb
+- spec/doorflow/webhooks/event_spec.rb
+- spec/doorflow/webhooks/handler_spec.rb
+- spec/doorflow/webhooks/signature_verifier_spec.rb
+- spec/doorflow/webhooks/support.rb
 - spec/doorflow_spec.rb
 - spec/fixtures/vcr_cassettes/channel/list.yml
 - spec/fixtures/vcr_cassettes/channel/retrieve.yml
@@ -390,6 +396,7 @@ files:
 - spec/models/revoke_token403_response_spec.rb
 - spec/models/site_site_ips_inner_spec.rb
 - spec/models/unlock_channel_request_spec.rb
+- spec/resources/credential_bugs_spec.rb
 - spec/spec_helper.rb
 homepage: https://www.doorflow.com
 licenses:
@@ -425,6 +432,10 @@ test_files:
 - spec/api/group_reservations_api_spec.rb
 - spec/api/oauth_api_spec.rb
 - spec/doorflow/client_spec.rb
+- spec/doorflow/webhooks/event_spec.rb
+- spec/doorflow/webhooks/handler_spec.rb
+- spec/doorflow/webhooks/signature_verifier_spec.rb
+- spec/doorflow/webhooks/support.rb
 - spec/doorflow_spec.rb
 - spec/fixtures/vcr_cassettes/channel/list.yml
 - spec/fixtures/vcr_cassettes/channel/retrieve.yml
@@ -492,4 +503,5 @@ test_files:
 - spec/models/revoke_token403_response_spec.rb
 - spec/models/site_site_ips_inner_spec.rb
 - spec/models/unlock_channel_request_spec.rb
+- spec/resources/credential_bugs_spec.rb
 - spec/spec_helper.rb