line-bot-api 2.2.0 → 2.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/lib/line/bot/v2/webhook_parser.rb +24 -5
- data/lib/line/bot/version.rb +1 -1
- data/sig/line/bot/v2/webhook_parser.rbs +4 -3
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 32bc05debf174d2fd40d7fe9b39eca826829773b732cd622b75025c8119806ef
|
|
4
|
+
data.tar.gz: 2755c22b1b43d31e3747f0523996b6ce2591e731b0b87e2b0a493c5697eec8a4
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: '06943b31d09d0a9833316c30b35711a66be1446c529a254b2a230ca05758b2e1402fd79986a6c1d3226adb9f58d6ebccb6c68953ff41f765529edfcd2c0e871d'
|
|
7
|
+
data.tar.gz: 50faa1171d680adabd94ffa8d610d05105082ee8d866fe63da04ecd1100131b3d0d95d6a2b603d505ba69eeefa0994d4c39fbbbe9d460520851aaa9f09113239
|
|
@@ -11,8 +11,20 @@ module Line
|
|
|
11
11
|
class WebhookParser
|
|
12
12
|
class InvalidSignatureError < StandardError; end
|
|
13
13
|
|
|
14
|
-
|
|
14
|
+
# Initialize webhook parser
|
|
15
|
+
#
|
|
16
|
+
# @param channel_secret [String]
|
|
17
|
+
# The channel secret used for signature verification.
|
|
18
|
+
# @param skip_signature_verification [() -> bool, nil]
|
|
19
|
+
# A callable object with type `() -> bool` that determines whether to skip
|
|
20
|
+
# webhook signature verification. Signature verification is skipped if and
|
|
21
|
+
# only if this callable is provided and returns `true`.
|
|
22
|
+
# This can be useful in scenarios such as when you're in the process of
|
|
23
|
+
# updating the channel secret and need to temporarily bypass verification
|
|
24
|
+
# to avoid disruptions.
|
|
25
|
+
def initialize(channel_secret:, skip_signature_verification: nil)
|
|
15
26
|
@channel_secret = channel_secret
|
|
27
|
+
@skip_signature_verification = skip_signature_verification
|
|
16
28
|
end
|
|
17
29
|
|
|
18
30
|
# Parse events from the raw request body and validate the signature.
|
|
@@ -31,7 +43,10 @@ module Line
|
|
|
31
43
|
#
|
|
32
44
|
# @example Sinatra usage
|
|
33
45
|
# def parser
|
|
34
|
-
# @parser ||= Line::Bot::V2::WebhookParser.new(
|
|
46
|
+
# @parser ||= Line::Bot::V2::WebhookParser.new(
|
|
47
|
+
# channel_secret: ENV.fetch("LINE_CHANNEL_SECRET"),
|
|
48
|
+
# skip_signature_verification: -> { ENV['SKIP_SIGNATURE_VERIFICATION'] == 'true' }
|
|
49
|
+
# )
|
|
35
50
|
# end
|
|
36
51
|
#
|
|
37
52
|
# post '/callback' do
|
|
@@ -54,7 +69,11 @@ module Line
|
|
|
54
69
|
# "OK"
|
|
55
70
|
# end
|
|
56
71
|
def parse(body:, signature:)
|
|
57
|
-
|
|
72
|
+
should_skip = @skip_signature_verification&.call || false
|
|
73
|
+
|
|
74
|
+
unless should_skip == true || verify_signature(body: body, signature: signature)
|
|
75
|
+
raise InvalidSignatureError.new("Invalid signature: #{signature}")
|
|
76
|
+
end
|
|
58
77
|
|
|
59
78
|
data = JSON.parse(body.chomp, symbolize_names: true)
|
|
60
79
|
data = Line::Bot::V2::Utils.deep_underscore(data)
|
|
@@ -66,14 +85,14 @@ module Line
|
|
|
66
85
|
end
|
|
67
86
|
end
|
|
68
87
|
|
|
69
|
-
private
|
|
70
|
-
|
|
71
88
|
def verify_signature(body:, signature:)
|
|
72
89
|
hash = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), @channel_secret, body)
|
|
73
90
|
expected = Base64.strict_encode64(hash)
|
|
74
91
|
variable_secure_compare(signature, expected)
|
|
75
92
|
end
|
|
76
93
|
|
|
94
|
+
private
|
|
95
|
+
|
|
77
96
|
# To avoid timing attacks
|
|
78
97
|
def variable_secure_compare(a, b)
|
|
79
98
|
secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
|
data/lib/line/bot/version.rb
CHANGED
|
@@ -5,18 +5,19 @@ module Line
|
|
|
5
5
|
class InvalidSignatureError < ::StandardError
|
|
6
6
|
end
|
|
7
7
|
@channel_secret: String
|
|
8
|
+
@skip_signature_verification: (^() -> bool) | nil
|
|
8
9
|
|
|
9
|
-
def initialize: (channel_secret: String) -> void
|
|
10
|
+
def initialize: (channel_secret: String, ?skip_signature_verification: (^() -> bool) | nil) -> void
|
|
10
11
|
|
|
11
12
|
def parse: (
|
|
12
13
|
body: String,
|
|
13
14
|
signature: String
|
|
14
15
|
) -> Array[Webhook::Event]
|
|
16
|
+
|
|
17
|
+
def verify_signature: (body: String, signature: String) -> bool
|
|
15
18
|
|
|
16
19
|
private
|
|
17
20
|
|
|
18
|
-
def verify_signature: (body: String, signature: String) -> bool
|
|
19
|
-
|
|
20
21
|
def variable_secure_compare: (String, String) -> bool
|
|
21
22
|
|
|
22
23
|
def secure_compare: (String, String) -> bool
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: line-bot-api
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 2.
|
|
4
|
+
version: 2.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- LINE Corporation
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2025-
|
|
11
|
+
date: 2025-09-24 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: multipart-post
|