RubyGems - messagebird-rest - Versions diffs - 3.0.0 → 3.1.0 - Mend

messagebird-rest 3.0.0 → 3.1.0

Files changed (7) hide show

checksums.yaml +4 -4
data/README.md +1 -1
data/lib/messagebird/request_validator.rb +91 -0
data/lib/messagebird/signed_request.rb +12 -0
data/lib/messagebird/version.rb +1 -1
data/lib/messagebird.rb +2 -1
metadata +21 -6

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9dc78fcfe4e496c197244a6e62ad347bc439c52334d69a453f25977f7981c23b
-  data.tar.gz: 6cef4d63e95ddd4455dd4a003b60bdfc3dfb1b10cfc1049cee9aecc7d8d5fb41
+  metadata.gz: f31ec7bbc1d49554a915dde71c24245246453df62bfd7ab7a4b912727990de5b
+  data.tar.gz: 9dcdd828d54250134e2d4cd95a3ccd418d799e7f1e387324885faa8b2d23e385
 SHA512:
-  metadata.gz: f235d92c2c49b14c7529c3aa2ad5e8fb6e03adf66a74f4d55229b1b262c66d8beca1a9137ff1d24da439a8d9051915765c7371e17fc1eae63bc0e56e8b96f715
-  data.tar.gz: 4b264d192ab011f784aedd9f336e750a1d20b9413d6cb9fd2e67d37cef6b36f7ceed25b80d6dbb74e90b4ffb452f90939b3343a732d2043138071a2b15f6260e
+  metadata.gz: e6c773c63307706d30dd415dae6860714575a0ed4ce217abec279acc1030120899b38871c4e62d7b7cd6d207ac16049c519d2c81a05d6a9cbdae60b69436a5c1
+  data.tar.gz: 1595298d447d97acfb71ee8dfd3cef0e9facab22935bb30abe7d000fed73919c34b548340b93d087cea98393ec4ebafe2d3d2c7f529fb72f01b0b62d2e498663

data/README.md CHANGED Viewed

@@ -2,7 +2,7 @@ MessageBird's REST API for Ruby
 ===============================
 This repository contains the open source Ruby client for MessageBird's REST API. Documentation can be found at: https://developers.messagebird.com/
-[![Build Status](https://travis-ci.org/messagebird/ruby-rest-api.svg?branch=master)](https://travis-ci.org/messagebird/ruby-rest-api)
+[![Build Status](https://github.com/messagebird/ruby-rest-api/actions/workflows/ruby_ci.yml/badge.svg)](https://github.com/messagebird/ruby-rest-api/actions)
 Requirements
 ------------

data/lib/messagebird/request_validator.rb ADDED Viewed

@@ -0,0 +1,91 @@
+# frozen_string_literal: true
+require 'base64'
+require 'digest'
+require 'time'
+require 'jwt'
+module MessageBird
+  class ValidationError < StandardError
+  end
+  ##
+  # RequestValidator validates request signature signed by MessageBird services.
+  #
+  # @see https://developers.messagebird.com/docs/verify-http-requests
+  class RequestValidator
+    ALLOWED_ALGOS = %w[HS256 HS384 HS512].freeze
+    ##
+    #
+    # @param [string] signature_key customer signature key. Can be retrieved through <a href="https://dashboard.messagebird.com/developers/settings">Developer Settings</a>. This is NOT your API key.
+    # @param [bool] skip_url_validation whether url_hash claim validation should be skipped. Note that when true, no query parameters should be trusted.
+    def initialize(signature_key, skip_url_validation = false)
+      @signature_key = signature_key
+      @skip_url_validation = skip_url_validation
+    end
+    ##
+    # This method validates provided request signature, which is a JWT token.
+    # This JWT is signed with a MessageBird account unique secret key, ensuring the request is from MessageBird and a specific account.
+    # The JWT contains the following claims:
+    #      *   "url_hash" - the raw URL hashed with SHA256 ensuring the URL wasn't altered.
+    #      *    "payload_hash" - the raw payload hashed with SHA256 ensuring the payload wasn't altered.
+    #      *    "jti" - a unique token ID to implement an optional non-replay check (NOT validated by default).
+    #      *    "nbf" - the not before timestamp.
+    #      *    "exp" - the expiration timestamp is ensuring that a request isn't captured and used at a later time.
+    #      *    "iss" - the issuer name, always MessageBird.
+    # @param [String] signature the actual signature taken from request header "MessageBird-Signature-JWT".
+    # @param [String] url the raw url including the protocol, hostname and query string, e.g. "https://example.com/?example=42".
+    # @param [Array] request_body the raw request body.
+    # @return [Array] raw signature payload
+    # @raise [ValidationError] if signature is invalid
+    # @see https://developers.messagebird.com/docs/verify-http-requests
+    def validate_signature(signature, url, request_body)
+      raise ValidationError, 'Signature can not be empty' if signature.to_s.empty?
+      raise ValidationError, 'URL can not be empty' if !@skip_url_validation && url.to_s.empty?
+      claims = decode_signature signature
+      validate_url(url, claims['url_hash']) unless @skip_url_validation
+      validate_payload(request_body, claims['payload_hash'])
+      claims
+    end
+    private # Applies to every method below this line
+    def decode_signature(signature)
+      begin
+        claims, * = JWT.decode signature, @signature_key, true,
+                               algorithm: ALLOWED_ALGOS,
+                               iss: 'MessageBird',
+                               required_claims: %w[iss nbf exp],
+                               verify_iss: true,
+                               leeway: 1
+      rescue JWT::DecodeError => e
+        raise ValidationError, e
+      end
+      claims
+    end
+    def validate_url(url, url_hash)
+      expected_url_hash = Digest::SHA256.hexdigest url
+      unless JWT::SecurityUtils.secure_compare(expected_url_hash, url_hash)
+        raise ValidationError, 'invalid jwt: claim url_hash is invalid'
+      end
+    end
+    def validate_payload(body, payload_hash)
+      if !body.to_s.empty? && !payload_hash.to_s.empty?
+        unless JWT::SecurityUtils.secure_compare(Digest::SHA256.hexdigest(body), payload_hash)
+          raise ValidationError, 'invalid jwt: claim payload_hash is invalid'
+        end
+      elsif !body.to_s.empty?
+        raise ValidationError, 'invalid jwt: claim payload_hash is not set but payload is present'
+      elsif !payload_hash.to_s.empty?
+        raise ValidationError, 'invalid jwt: claim payload_hash is set but actual payload is missing'
+      end
+    end
+  end
+end

data/lib/messagebird/signed_request.rb CHANGED Viewed

@@ -5,10 +5,16 @@ require 'digest'
 require 'time'
 module MessageBird
+  ##
+  # @deprecated Use {MessageBird::RequestValidator::ValidationError} instead.
   class ValidationException < TypeError
   end
+  ##
+  # @deprecated Use {MessageBird::RequestValidator} instead.
   class SignedRequest
+    ##
+    # @deprecated Use {MessageBird::RequestValidator} instead.
     def initialize(query_parameters, signature, request_timestamp, body)
       unless query_parameters.is_a? Hash
         raise ValidationException, 'The "query_parameters" value is invalid.'
@@ -29,12 +35,16 @@ module MessageBird
       @body = body
     end
+    ##
+    # @deprecated Use {MessageBird::RequestValidator::validateSignature} instead.
     def verify(signing_key)
       calculated_signature = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), signing_key, build_payload)
       expected_signature = Base64.decode64(@signature)
       calculated_signature.bytes == expected_signature.bytes
     end
+    ##
+    # @deprecated Use {MessageBird::RequestValidator} instead.
     def build_payload
       parts = []
       parts.push(@request_timestamp)
@@ -43,6 +53,8 @@ module MessageBird
       parts.join("\n")
     end
+    ##
+    # @deprecated Use {MessageBird::RequestValidator} instead.
     def recent?(offset = 10)
       (Time.now.getutc.to_i - @request_timestamp) < offset
     end

data/lib/messagebird/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module MessageBird
   module Version
-    STRING = '3.0.0'
+    STRING = '3.1.0'
   end
 end

data/lib/messagebird.rb CHANGED Viewed

@@ -12,7 +12,8 @@ require 'messagebird/group_reference'
 require 'messagebird/hlr'
 require 'messagebird/http_client'
 require 'messagebird/message_reference'
-require 'messagebird/signed_request'
+require 'messagebird/signed_request' # @deprecated
+require 'messagebird/request_validator'
 require 'messagebird/verify'
 require 'messagebird/message'
 require 'messagebird/voicemessage'

metadata CHANGED Viewed

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: messagebird-rest
 version: !ruby/object:Gem::Version
-  version: 3.0.0
+  version: 3.1.0
 platform: ruby
 authors:
 - Maurice Nonnekes
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-06-25 00:00:00.000000000 Z
+date: 2022-03-30 00:00:00.000000000 Z
 dependencies:
+- !ruby/object:Gem::Dependency
+  name: jwt
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.3
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 2.2.3
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -87,6 +101,7 @@ files:
 - lib/messagebird/number.rb
 - lib/messagebird/number_client.rb
 - lib/messagebird/recipient.rb
+- lib/messagebird/request_validator.rb
 - lib/messagebird/signed_request.rb
 - lib/messagebird/verify.rb
 - lib/messagebird/verify_email_message.rb
@@ -105,7 +120,7 @@ homepage: https://github.com/messagebird/ruby-rest-api
 licenses:
 - BSD-2-Clause
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -120,8 +135,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.15
-signing_key:
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: MessageBird's REST API
 test_files: []