ebay-notification_api-verifier 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 60cda4b6d6ee107c647cadc62792b4d42bc86ead57fd2882d93bfbfd9959f08a
+  data.tar.gz: cd96e6c6eeedc269db22262b8e972603f91405557b57e0f96123d3f9d521c18e
+SHA512:
+  metadata.gz: 9416110f6d0187dd00ec7e9deca77820ef7dab56791a460ea33eaa89e11d5c6c3402c9d6daff001c23d8dd229ad4d7142cf211bf83c51dc5563d41fe45f1c602
+  data.tar.gz: fb79e686440f7652038795ba9097742d8068853b0eccedef8841d51db6f2bb09b67c5f3b032dad178e20b98820e2cbbadf7e5551dcadf2b9d69850d4307f47e6

data/.github/workflows/rspec.yml

@@ -0,0 +1,23 @@
+name: RSpec
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  rspec:
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+        bundler-cache: true
+    - name: Run RSpec
+      run: bundle exec rake spec

data/.github/workflows/standard.yml

@@ -0,0 +1,22 @@
+name: Standard
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  standard:
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: ruby/setup-ruby@v1
+      with:
+        ruby-version: 2.7
+        bundler-cache: true
+    - name: Install dependencies
+      run: bundle install --gemfile gemfiles/standard.gemfile
+    - name: Lint Ruby code with Standard
+      run: bundle exec --gemfile gemfiles/standard.gemfile standardrb

data/.gitignore

@@ -0,0 +1,10 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+/bin/
+Gemfile.lock

data/.rubocop.yml

@@ -0,0 +1,6 @@
+require:
+  - standard/cop/semantic_blocks
+  - rubocop-md
+
+inherit_gem:
+  standard: config/base.yml

data/CHANGELOG.md

@@ -0,0 +1,9 @@
+# Change log
+
+## master
+
+## 0.1.0 (2021-04-20)
+
+- Initial version ([@DmitryTsepelev][])
+
+[@DmitryTsepelev]: https://github.com/DmitryTsepelev

data/Gemfile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in ebay-notification_api-verifier.gemspec
+gemspec
+
+gem "rake", "~> 13.0"

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 DmitryTsepelev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,56 @@
+# Ebay::NotificationApi::Verifier
+
+The Ruby implementation of [eBay Notification API verification](https://developer.ebay.com/api-docs/commerce/notification/overview.html#use).
+
+In future it might be used for different cases, but for now eBay requires third–party applications that store user data to implement [eBay Marketplace Account Deletion/Closure Notifications Workflow](https://developer.ebay.com/marketplace-account-deletion). When such HTTP request is received, the backend must ensure, that this request is coming from eBay:
+
+```ruby
+class EbayAccountDeletionController < ApplicationController
+  def account_deletion_notification
+    # eBay wants an immediate response, so we should postpone the deletion
+    EbayAccountDeletionWorker.perform_async(params, request.headers["x-ebay-signature"])
+    head :ok
+  end
+end
+
+class EbayAccountDeletionWorker
+   include Sidekiq::Worker
+
+  def perform(message, signature)
+    return unless Ebay::NotificationApi::Verifier.valid_message?(message, signature)
+
+    # delete data
+  end
+end
+```
+
+⚠️ Heads up! Currently eBay supports only ECDSA/SHA1 encryption, and so does the gem. If something different is passed to the Verifier, the Ebay::NotificationApi::Verifier::WrongAlgorithm would be raised. ⚠️
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'ebay-notification_api-verifier'
+```
+
+Since we have to perform a request to fetch the public key, the ability to get application token should be provided to the verifier. You can pass any callable object:
+
+```ruby
+Ebay::NotificationApi::Verifier.application_token_proc = proc { "token" }
+Ebay::NotificationApi::Verifier.application_token_proc = Ebay::TokenFetcher.fetch
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/dmitrytsepelev/ebay-notification_api-verifier.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
+
+<p align="center">
+  <a href="https://evilmartians.com/?utm_source=ebay-notification_api-verifier">
+    <img src="https://evilmartians.com/badges/sponsored-by-evil-martians.svg" alt="Sponsored by Evil Martians" width="236" height="54">
+  </a>
+</p>

data/Rakefile

@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)

data/ebay-notification_api-verifier.gemspec

@@ -0,0 +1,30 @@
+# frozen_string_literal: true
+
+require_relative "lib/ebay/notification_api/verifier/version"
+
+Gem::Specification.new do |spec|
+  spec.name = "ebay-notification_api-verifier"
+  spec.version = Ebay::NotificationApi::Verifier::VERSION
+  spec.authors = ["DmitryTsepelev"]
+  spec.email = ["dmitry.a.tsepelev@gmail.com"]
+
+  spec.summary = "The Ruby implementation of eBay Notification API verification"
+  spec.description = spec.summary
+  spec.homepage = "https://github.com/DmitryTsepelev/ebay-notification_api-verifier"
+  spec.license = "MIT"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = "https://github.com/DmitryTsepelev/ebay-notification_api-verifier/blob/main/Rakefile/CHANGELOG.md"
+
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{\A(?:test|spec|features)/}) }
+  end
+
+  spec.require_paths = ["lib"]
+  spec.required_ruby_version = ">= 2.3"
+
+  spec.add_dependency "httparty", "~> 0.17"
+
+  spec.add_development_dependency "rspec", "~> 3.1"
+end

data/gemfiles/standard.gemfile

@@ -0,0 +1,5 @@
+source "https://rubygems.org"
+
+gem "standard", "~> 0.10.0"
+
+gemspec path: "../"

data/lib/ebay/notification_api/verifier.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative "verifier/version"
+require_relative "verifier/message_validator"
+
+module Ebay
+  module NotificationApi
+    module Verifier
+      class WrongAlgorithm < StandardError; end
+
+      class << self
+        def valid_message?(*args)
+          MessageValidator.new(*args).valid_message?
+        end
+
+        def application_token_proc=(value)
+          unless value.respond_to?(:call)
+            raise ArgumentError, "application_token_proc is not a callable object"
+          end
+
+          @application_token_proc = value
+        end
+
+        def application_token
+          raise ArgumentError, "application_token_proc is not configured" unless @application_token_proc
+
+          @application_token_proc.call
+        end
+      end
+    end
+  end
+end

data/lib/ebay/notification_api/verifier/message_validator.rb

@@ -0,0 +1,54 @@
+require "httparty"
+
+module Ebay
+  module NotificationApi
+    module Verifier
+      class MessageValidator
+        class WrongAlgorithm < StandardError; end
+
+        def initialize(message, signature_header)
+          @signature_header = signature_header
+          @message = message
+        end
+
+        def valid_message?
+          verifier = OpenSSL::PKey::EC.new(format_key(public_key_response["key"]))
+          signature_base64 = Base64.decode64(signature_json["signature"])
+          verifier.verify(OpenSSL::Digest.new(DIGEST), signature_base64, @message.to_json)
+        end
+
+        private
+
+        PUBLIC_KEY_ENDPOINT = "https://api.ebay.com/commerce/notification/v1/public_key/"
+        ALGORITHM = "ECDSA"
+        DIGEST = "SHA1"
+
+        def public_key_response
+          @public_key_response ||=
+            begin
+              token = Ebay::NotificationApi::Verifier.application_token
+              headers = {"Authorization" => "Bearer #{token}"}
+              public_key_url = "#{PUBLIC_KEY_ENDPOINT}#{signature_json["kid"]}"
+
+              HTTParty.get(public_key_url, headers: headers).tap do |response|
+                next if response["algorithm"] == ALGORITHM && response["digest"] == DIGEST
+                raise WrongAlgorithm
+              end
+            end
+        end
+
+        KEY_PATTERN_START = "-----BEGIN PUBLIC KEY-----"
+        KEY_PATTERN_END = "-----END PUBLIC KEY-----"
+
+        def format_key(key)
+          key.sub(KEY_PATTERN_START, "#{KEY_PATTERN_START}\n")
+            .sub(KEY_PATTERN_END, "\n#{KEY_PATTERN_END}")
+        end
+
+        def signature_json
+          @signature_json ||= JSON.parse(Base64.decode64(@signature_header))
+        end
+      end
+    end
+  end
+end

data/lib/ebay/notification_api/verifier/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Ebay
+  module NotificationApi
+    module Verifier
+      VERSION = "0.1.0"
+    end
+  end
+end

metadata

@@ -0,0 +1,88 @@
+--- !ruby/object:Gem::Specification
+name: ebay-notification_api-verifier
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- DmitryTsepelev
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-04-20 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: httparty
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.17'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.17'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+description: The Ruby implementation of eBay Notification API verification
+email:
+- dmitry.a.tsepelev@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".github/workflows/rspec.yml"
+- ".github/workflows/standard.yml"
+- ".gitignore"
+- ".rubocop.yml"
+- CHANGELOG.md
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- ebay-notification_api-verifier.gemspec
+- gemfiles/standard.gemfile
+- lib/ebay/notification_api/verifier.rb
+- lib/ebay/notification_api/verifier/message_validator.rb
+- lib/ebay/notification_api/verifier/version.rb
+homepage: https://github.com/DmitryTsepelev/ebay-notification_api-verifier
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/DmitryTsepelev/ebay-notification_api-verifier
+  source_code_uri: https://github.com/DmitryTsepelev/ebay-notification_api-verifier
+  changelog_uri: https://github.com/DmitryTsepelev/ebay-notification_api-verifier/blob/main/Rakefile/CHANGELOG.md
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '2.3'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.2
+signing_key:
+specification_version: 4
+summary: The Ruby implementation of eBay Notification API verification
+test_files: []