flow_chat 0.4.1 → 0.5.1

data/lib/flow_chat/whatsapp/client.rb

@@ -7,8 +7,6 @@ require "securerandom"
 module FlowChat
   module Whatsapp
     class Client
-      WHATSAPP_API_URL = "https://graph.facebook.com/v18.0"
-
       def initialize(config)
         @config = config
       end
@@ -23,7 +21,7 @@ module FlowChat
       end
 
       # Send a text message
-      # @param to [String] Phone number in E.164 format  
+      # @param to [String] Phone number in E.164 format
       # @param text [String] Message text
       # @return [Hash] API response or nil on error
       def send_text(to, text)
@@ -36,7 +34,7 @@ module FlowChat
       # @param buttons [Array] Array of button hashes with :id and :title
       # @return [Hash] API response or nil on error
       def send_buttons(to, text, buttons)
-        send_message(to, [:interactive_buttons, text, { buttons: buttons }])
+        send_message(to, [:interactive_buttons, text, {buttons: buttons}])
       end
 
       # Send interactive list
@@ -46,7 +44,7 @@ module FlowChat
       # @param button_text [String] Button text (default: "Choose")
       # @return [Hash] API response or nil on error
       def send_list(to, text, sections, button_text = "Choose")
-        send_message(to, [:interactive_list, text, { sections: sections, button_text: button_text }])
+        send_message(to, [:interactive_list, text, {sections: sections, button_text: button_text}])
       end
 
       # Send a template message
@@ -56,10 +54,10 @@ module FlowChat
       # @param language [String] Language code (default: "en_US")
       # @return [Hash] API response or nil on error
       def send_template(to, template_name, components = [], language = "en_US")
-        send_message(to, [:template, "", { 
-          template_name: template_name, 
-          components: components, 
-          language: language 
+        send_message(to, [:template, "", {
+          template_name: template_name,
+          components: components,
+          language: language
         }])
       end
 
@@ -121,12 +119,12 @@ module FlowChat
       # @raise [StandardError] If upload fails
       def upload_media(file_path_or_io, mime_type, filename = nil)
         raise ArgumentError, "mime_type is required" if mime_type.nil? || mime_type.empty?
-        
+
         if file_path_or_io.is_a?(String)
           # File path
           raise ArgumentError, "File not found: #{file_path_or_io}" unless File.exist?(file_path_or_io)
           filename ||= File.basename(file_path_or_io)
-          file = File.open(file_path_or_io, 'rb')
+          file = File.open(file_path_or_io, "rb")
         else
           # IO object
           file = file_path_or_io
@@ -134,30 +132,30 @@ module FlowChat
         end
 
         # Upload directly via HTTP
-        uri = URI("#{WHATSAPP_API_URL}/#{@config.phone_number_id}/media")
+        uri = URI("#{FlowChat::Config.whatsapp.api_base_url}/#{@config.phone_number_id}/media")
         http = Net::HTTP.new(uri.host, uri.port)
         http.use_ssl = true
 
         # Prepare multipart form data
         boundary = "----WebKitFormBoundary#{SecureRandom.hex(16)}"
-        
+
         form_data = []
         form_data << "--#{boundary}"
         form_data << 'Content-Disposition: form-data; name="messaging_product"'
         form_data << ""
         form_data << "whatsapp"
-        
+
         form_data << "--#{boundary}"
         form_data << "Content-Disposition: form-data; name=\"file\"; filename=\"#{filename}\""
         form_data << "Content-Type: #{mime_type}"
         form_data << ""
         form_data << file.read
-        
+
         form_data << "--#{boundary}"
         form_data << 'Content-Disposition: form-data; name="type"'
         form_data << ""
         form_data << mime_type
-        
+
         form_data << "--#{boundary}--"
 
         body = form_data.join("\r\n")
@@ -168,14 +166,10 @@ module FlowChat
         request.body = body
 
         response = http.request(request)
-        
+
         if response.is_a?(Net::HTTPSuccess)
           data = JSON.parse(response.body)
-          if data['id']
-            data['id']
-          else
-            raise StandardError, "Failed to upload media: #{data}"
-          end
+          data["id"] || raise(StandardError, "Failed to upload media: #{data}")
         else
           Rails.logger.error "WhatsApp Media Upload error: #{response.body}"
           raise StandardError, "Media upload failed: #{response.body}"
@@ -195,7 +189,7 @@ module FlowChat
             messaging_product: "whatsapp",
             to: to,
             type: "text",
-            text: { body: content }
+            text: {body: content}
           }
         when :interactive_buttons
           {
@@ -204,7 +198,7 @@ module FlowChat
             type: "interactive",
             interactive: {
               type: "button",
-              body: { text: content },
+              body: {text: content},
               action: {
                 buttons: options[:buttons].map.with_index do |button, index|
                   {
@@ -225,7 +219,7 @@ module FlowChat
             type: "interactive",
             interactive: {
               type: "list",
-              body: { text: content },
+              body: {text: content},
               action: {
                 button: options[:button_text] || "Choose",
                 sections: options[:sections]
@@ -239,7 +233,7 @@ module FlowChat
             type: "template",
             template: {
               name: options[:template_name],
-              language: { code: options[:language] || "en_US" },
+              language: {code: options[:language] || "en_US"},
               components: options[:components] || []
             }
           }
@@ -284,7 +278,7 @@ module FlowChat
             messaging_product: "whatsapp",
             to: to,
             type: "text",
-            text: { body: content.to_s }
+            text: {body: content.to_s}
           }
         end
       end
@@ -293,7 +287,7 @@ module FlowChat
       # @param media_id [String] Media ID from WhatsApp
       # @return [String] Media URL or nil on error
       def get_media_url(media_id)
-        uri = URI("#{WHATSAPP_API_URL}/#{media_id}")
+        uri = URI("#{FlowChat::Config.whatsapp.api_base_url}/#{media_id}")
         http = Net::HTTP.new(uri.host, uri.port)
         http.use_ssl = true
 
@@ -301,7 +295,7 @@ module FlowChat
         request["Authorization"] = "Bearer #{@config.access_token}"
 
         response = http.request(request)
-        
+
         if response.is_a?(Net::HTTPSuccess)
           data = JSON.parse(response.body)
           data["url"]
@@ -326,7 +320,7 @@ module FlowChat
         request["Authorization"] = "Bearer #{@config.access_token}"
 
         response = http.request(request)
-        
+
         if response.is_a?(Net::HTTPSuccess)
           response.body
         else
@@ -337,15 +331,15 @@ module FlowChat
 
       # Get MIME type from URL without downloading (HEAD request)
       def get_media_mime_type(url)
-        require 'net/http'
-        
+        require "net/http"
+
         uri = URI(url)
         http = Net::HTTP.new(uri.host, uri.port)
-        http.use_ssl = (uri.scheme == 'https')
-        
+        http.use_ssl = (uri.scheme == "https")
+
         # Use HEAD request to get headers without downloading content
         response = http.head(uri.path)
-        response['content-type']
+        response["content-type"]
       rescue => e
         Rails.logger.warn "Could not detect MIME type for #{url}: #{e.message}"
         nil
@@ -358,7 +352,7 @@ module FlowChat
       # @return [Hash] Media object for WhatsApp API
       def build_media_object(options)
         media_obj = {}
-        
+
         # Handle URL or ID
         if options[:url]
           # Use URL directly
@@ -367,17 +361,17 @@ module FlowChat
           # Use provided media ID directly
           media_obj[:id] = options[:id]
         end
-        
+
         # Add optional fields
         media_obj[:caption] = options[:caption] if options[:caption]
         media_obj[:filename] = options[:filename] if options[:filename]
-        
+
         media_obj
       end
 
       # Check if input is a URL or file path/media ID
       def url?(input)
-        input.to_s.start_with?('http://', 'https://')
+        input.to_s.start_with?("http://", "https://")
       end
 
       # Extract filename from URL
@@ -393,7 +387,7 @@ module FlowChat
       # @param message_data [Hash] Message payload
       # @return [Hash] API response or nil on error
       def send_message_payload(message_data)
-        uri = URI("#{WHATSAPP_API_URL}/#{@config.phone_number_id}/messages")
+        uri = URI("#{FlowChat::Config.whatsapp.api_base_url}/#{@config.phone_number_id}/messages")
         http = Net::HTTP.new(uri.host, uri.port)
         http.use_ssl = true
 
@@ -403,7 +397,7 @@ module FlowChat
         request.body = message_data.to_json
 
         response = http.request(request)
-        
+
         if response.is_a?(Net::HTTPSuccess)
           JSON.parse(response.body)
         else
@@ -414,21 +408,21 @@ module FlowChat
 
       def send_media_message(to, media_type, url_or_id, caption: nil, filename: nil, mime_type: nil)
         media_object = if url?(url_or_id)
-                         { link: url_or_id }
-                       else
-                         { id: url_or_id }
-                       end
+          {link: url_or_id}
+        else
+          {id: url_or_id}
+        end
 
         # Add caption if provided (stickers don't support captions)
         media_object[:caption] = caption if caption && media_type != :sticker
-        
+
         # Add filename for documents
         media_object[:filename] = filename if filename && media_type == :document
 
         message = {
-          messaging_product: "whatsapp",
-          to: to,
-          type: media_type.to_s,
+          :messaging_product => "whatsapp",
+          :to => to,
+          :type => media_type.to_s,
           media_type.to_s => media_object
         }
 
@@ -436,4 +430,4 @@ module FlowChat
       end
     end
   end
-end 
+end

data/lib/flow_chat/whatsapp/configuration.rb

@@ -2,7 +2,7 @@ module FlowChat
   module Whatsapp
     class Configuration
       attr_accessor :access_token, :phone_number_id, :verify_token, :app_id, :app_secret,
-                    :webhook_url, :webhook_verify_token, :business_account_id, :name
+        :webhook_verify_token, :business_account_id, :name, :skip_signature_validation
 
       # Class-level storage for named configurations
       @@configurations = {}
@@ -14,9 +14,9 @@ module FlowChat
         @verify_token = nil
         @app_id = nil
         @app_secret = nil
-        @webhook_url = nil
         @webhook_verify_token = nil
         @business_account_id = nil
+        @skip_signature_validation = false
 
         register_as(name) if name.present?
       end
@@ -24,7 +24,7 @@ module FlowChat
       # Load configuration from Rails credentials or environment variables
       def self.from_credentials
         config = new(nil)
-        
+
         if defined?(Rails) && Rails.application.credentials.whatsapp
           credentials = Rails.application.credentials.whatsapp
           config.access_token = credentials[:access_token]
@@ -32,17 +32,17 @@ module FlowChat
           config.verify_token = credentials[:verify_token]
           config.app_id = credentials[:app_id]
           config.app_secret = credentials[:app_secret]
-          config.webhook_url = credentials[:webhook_url]
           config.business_account_id = credentials[:business_account_id]
+          config.skip_signature_validation = credentials[:skip_signature_validation] || false
         else
           # Fallback to environment variables
-          config.access_token = ENV['WHATSAPP_ACCESS_TOKEN']
-          config.phone_number_id = ENV['WHATSAPP_PHONE_NUMBER_ID']
-          config.verify_token = ENV['WHATSAPP_VERIFY_TOKEN']
-          config.app_id = ENV['WHATSAPP_APP_ID']
-          config.app_secret = ENV['WHATSAPP_APP_SECRET']
-          config.webhook_url = ENV['WHATSAPP_WEBHOOK_URL']
-          config.business_account_id = ENV['WHATSAPP_BUSINESS_ACCOUNT_ID']
+          config.access_token = ENV["WHATSAPP_ACCESS_TOKEN"]
+          config.phone_number_id = ENV["WHATSAPP_PHONE_NUMBER_ID"]
+          config.verify_token = ENV["WHATSAPP_VERIFY_TOKEN"]
+          config.app_id = ENV["WHATSAPP_APP_ID"]
+          config.app_secret = ENV["WHATSAPP_APP_SECRET"]
+          config.business_account_id = ENV["WHATSAPP_BUSINESS_ACCOUNT_ID"]
+          config.skip_signature_validation = ENV["WHATSAPP_SKIP_SIGNATURE_VALIDATION"] == "true"
         end
 
         config
@@ -81,24 +81,25 @@ module FlowChat
       end
 
       def valid?
-        access_token.present? && phone_number_id.present? && verify_token.present?
-      end
-
-      def webhook_configured?
-        webhook_url.present? && verify_token.present?
+        access_token && !access_token.to_s.empty? && phone_number_id && !phone_number_id.to_s.empty? && verify_token && !verify_token.to_s.empty?
       end
 
       # API endpoints
       def messages_url
-        "https://graph.facebook.com/v18.0/#{phone_number_id}/messages"
+        "#{FlowChat::Config.whatsapp.api_base_url}/#{phone_number_id}/messages"
       end
 
       def media_url(media_id)
-        "https://graph.facebook.com/v18.0/#{media_id}"
+        "#{FlowChat::Config.whatsapp.api_base_url}/#{media_id}"
       end
 
       def phone_numbers_url
-        "https://graph.facebook.com/v18.0/#{business_account_id}/phone_numbers"
+        "#{FlowChat::Config.whatsapp.api_base_url}/#{business_account_id}/phone_numbers"
+      end
+
+      # Get API base URL from global config
+      def api_base_url
+        FlowChat::Config.whatsapp.api_base_url
       end
 
       # Headers for API requests
@@ -110,4 +111,4 @@ module FlowChat
       end
     end
   end
-end 
+end

data/lib/flow_chat/whatsapp/gateway/cloud_api.rb

@@ -1,13 +1,15 @@
 require "net/http"
 require "json"
 require "phonelib"
+require "openssl"
 
 module FlowChat
   module Whatsapp
+    # Configuration-related errors
+    class ConfigurationError < StandardError; end
+
     module Gateway
       class CloudApi
-        WHATSAPP_API_URL = "https://graph.facebook.com/v18.0"
-
         def initialize(app, config = nil)
           @app = app
           @config = config || FlowChat::Whatsapp::Configuration.from_credentials
@@ -32,15 +34,13 @@ module FlowChat
         end
 
         # Expose client for out-of-band messaging
-        def client
-          @client
-        end
+        attr_reader :client
 
         private
 
         def determine_message_handler(context)
-          # Check for simulator parameter in request (highest priority)
-          if context["simulator_mode"] || context.controller.request.params["simulator_mode"]
+          # Check if simulator mode was already detected and set in context
+          if context["simulator_mode"]
             return :simulator
           end
 
@@ -53,7 +53,7 @@ module FlowChat
           params = controller.request.params
 
           verify_token = @config.verify_token
-          
+
           if params["hub.verify_token"] == verify_token
             controller.render plain: params["hub.challenge"]
           else
@@ -63,15 +63,30 @@ module FlowChat
 
         def handle_webhook(context)
           controller = context.controller
-          body = JSON.parse(controller.request.body.read)
-
-          # Check for simulator mode parameter in request
-          if body.dig("simulator_mode") || controller.request.params["simulator_mode"]
+          
+          # Parse body
+          begin
+            parse_request_body(controller.request)
+          rescue JSON::ParserError => e
+            Rails.logger.warn "Failed to parse webhook body: #{e.message}"
+            return controller.head :bad_request
+          end
+          
+          # Check for simulator mode parameter in request (before validation)
+          # But only enable if valid simulator token is provided
+          is_simulator_mode = simulate?(context)
+          if is_simulator_mode
             context["simulator_mode"] = true
           end
 
+          # Validate webhook signature for security (skip for simulator mode)
+          unless is_simulator_mode || valid_webhook_signature?(controller.request)
+            Rails.logger.warn "Invalid webhook signature received"
+            return controller.head :unauthorized
+          end
+
           # Extract message data from WhatsApp webhook
-          entry = body.dig("entry", 0)
+          entry = @body.dig("entry", 0)
           return controller.head :ok unless entry
 
           changes = entry.dig("changes", 0)
@@ -118,6 +133,57 @@ module FlowChat
           controller.head :ok
         end
 
+        # Validate webhook signature to ensure request comes from WhatsApp
+        def valid_webhook_signature?(request)
+          # Check if signature validation is explicitly disabled
+          if @config.skip_signature_validation
+            return true
+          end
+
+          # Require app_secret for signature validation
+          unless @config.app_secret && !@config.app_secret.empty?
+            raise FlowChat::Whatsapp::ConfigurationError, 
+              "WhatsApp app_secret is required for webhook signature validation. " \
+              "Either configure app_secret or set skip_signature_validation=true to explicitly disable validation."
+          end
+
+          signature_header = request.headers["X-Hub-Signature-256"]
+          return false unless signature_header
+
+          # Extract signature from header (format: "sha256=<signature>")
+          expected_signature = signature_header.sub("sha256=", "")
+
+          # Get raw request body
+          request.body.rewind
+          body = request.body.read
+          request.body.rewind
+
+          # Calculate HMAC signature
+          calculated_signature = OpenSSL::HMAC.hexdigest(
+            OpenSSL::Digest.new("sha256"),
+            @config.app_secret,
+            body
+          )
+
+          # Compare signatures using secure comparison to prevent timing attacks
+          secure_compare(expected_signature, calculated_signature)
+        rescue FlowChat::Whatsapp::ConfigurationError
+          raise
+        rescue => e
+          Rails.logger.error "Error validating webhook signature: #{e.message}"
+          false
+        end
+
+        # Secure string comparison to prevent timing attacks
+        def secure_compare(a, b)
+          return false unless a.bytesize == b.bytesize
+
+          l = a.unpack("C*")
+          res = 0
+          b.each_byte { |byte| res |= byte ^ l.shift }
+          res == 0
+        end
+
         def extract_message_content(message, context)
           case message["type"]
           when "text"
@@ -159,7 +225,7 @@ module FlowChat
         def handle_message_background(context, controller)
           # Process the flow synchronously (maintaining controller context)
           response = @app.call(context)
-          
+
           if response
             # Queue only the response delivery asynchronously
             send_data = {
@@ -170,7 +236,7 @@ module FlowChat
 
             # Get job class from configuration
             job_class_name = FlowChat::Config.whatsapp.background_job_class
-            
+
             # Enqueue background job for sending only
             begin
               job_class = job_class_name.constantize
@@ -186,12 +252,12 @@ module FlowChat
 
         def handle_message_simulator(context, controller)
           response = @app.call(context)
-          
+
           if response
             # For simulator mode, return the response data in the HTTP response
             # instead of actually sending via WhatsApp API
             message_payload = @client.build_message_payload(response, context["request.msisdn"])
-            
+
             simulator_response = {
               mode: "simulator",
               webhook_processed: true,
@@ -204,10 +270,54 @@ module FlowChat
             }
 
             controller.render json: simulator_response
-            return
+            nil
+          end
+        end
+
+        def simulate?(context)
+          # Check if simulator mode is enabled for this processor
+          return false unless context["enable_simulator"]
+          
+          # Then check if simulator mode is requested and valid
+          @body.dig("simulator_mode") && valid_simulator_cookie?(context)
+        end
+
+        def valid_simulator_cookie?(context)
+          simulator_secret = FlowChat::Config.simulator_secret
+          return false unless simulator_secret && !simulator_secret.empty?
+          
+          # Check for simulator cookie
+          request = context.controller.request
+          simulator_cookie = request.cookies["flowchat_simulator"]
+          return false unless simulator_cookie
+          
+          # Verify the cookie is a valid HMAC signature
+          # Cookie format: "timestamp:signature" where signature = HMAC(simulator_secret, "simulator:timestamp")
+          begin
+            timestamp_str, signature = simulator_cookie.split(":", 2)
+            return false unless timestamp_str && signature
+            
+            # Check timestamp is recent (within 24 hours for reasonable session duration)
+            timestamp = timestamp_str.to_i
+            return false if timestamp <= 0
+            return false if (Time.now.to_i - timestamp).abs > 86400 # 24 hours
+            
+            # Calculate expected signature
+            message = "simulator:#{timestamp_str}"
+            expected_signature = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), simulator_secret, message)
+            
+            # Use secure comparison
+            secure_compare(signature, expected_signature)
+          rescue => e
+            Rails.logger.warn "Invalid simulator cookie format: #{e.message}"
+            false
           end
         end
+
+        def parse_request_body(request)
+          @body ||= JSON.parse(request.body.read)
+        end
       end
     end
   end
-end 
+end

data/lib/flow_chat/whatsapp/middleware/executor.rb

@@ -27,4 +27,4 @@ module FlowChat
       end
     end
   end
-end 
+end

data/lib/flow_chat/whatsapp/processor.rb

@@ -23,4 +23,4 @@ module FlowChat
       end
     end
   end
-end 
+end