open-banking-io 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d7f5d02a8a4a808faa00f6c78558b2e11c90a7c5b852062682746c1ab2a3da1
-  data.tar.gz: c24bf4296b70c0b5ffc6af71faae40d4c559301f59654358c6c34e94130bbef3
+  metadata.gz: 4b6ab2de9b335f7edc7203e5723066756103876c5f986dfd6ac6ff1ac7bf263f
+  data.tar.gz: 4ede77b0da39a399387d49d7b47ec4c76b7c7277c4983b61d928fbca320adf7f
 SHA512:
-  metadata.gz: d4870301dfb82caf2456f2b24a7ae8e6b469375da2bf6ff86821196eaf620f3e1b734deae2a391884e7eaa6dd3eea150c6714962d1f77247e950b5e4b2bef8db
-  data.tar.gz: 24788e31dd5f8deb079a4c3bd2dd411ab6f93e1928eb4de6ed6bf0b398d241b22c8ab8e7009be3f758c286a3131ab3d123dc16cc46ce6c0449f01eb88a4c181c
+  metadata.gz: e8af173269a9036665b494976ccb5292754a6984f6f18f356e2e7946edc6cd7387919cf348c73d226f96bed1ae6e65dc6fb35b8881a64dfc5788b6574c53a8b9
+  data.tar.gz: 5a91e86f5fdfaf166b1e1fe691efb86fc39cdeb2b9246838af679b2c8693f222100d6dafaa1db92df1ea976ec87b9947072eef93ee553f2e46090c0b34cf4472

data/README.md

@@ -49,6 +49,8 @@ client = OpenBankingIO::Client.new(
 
 Amounts are exposed as `BigDecimal`. Models are immutable keyword-initialised `Struct`s.
 
+Every request sets connect/read timeouts (15s/60s) and a `User-Agent: open-banking-io/ruby/<version>` header.
+
 ## Encryption
 
 Envelopes use **ECDH P-256 → HKDF-SHA256 → AES-256-GCM**, implemented entirely with Ruby's OpenSSL

data/lib/open_banking_io/client.rb

@@ -7,6 +7,7 @@ require "bigdecimal"
 
 require_relative "envelope"
 require_relative "models"
+require_relative "version"
 
 module OpenBankingIO
   # Raised when the API returns a non-success HTTP status.
@@ -28,14 +29,15 @@ module OpenBankingIO
   class Client
     DEFAULT_OPEN_TIMEOUT = 15
     DEFAULT_READ_TIMEOUT = 60
+    USER_AGENT = "open-banking-io/ruby/#{VERSION}".freeze
 
     # Builds a client from a credentials-bundle JSON string or a path to a bundle file.
     def self.from_credentials(path_or_json)
       raw = if File.file?(path_or_json.to_s)
-              File.read(path_or_json)
-            else
-              path_or_json
-            end
+        File.read(path_or_json)
+      else
+        path_or_json
+      end
 
       bundle = JSON.parse(raw)
       api_base_url = bundle["apiBaseUrl"].to_s
@@ -108,7 +110,7 @@ module OpenBankingIO
         raise ArgumentError, "Account has no active session (reconnect required) -- cannot sync"
       end
 
-      result = post_json("api/accounts/#{account_id}/sync", { "uid" => uid })
+      result = post_json("api/accounts/#{account_id}/sync", {"uid" => uid})
       SyncResult.new(
         new_transactions: result["newTransactions"] || 0,
         total_fetched: result["totalFetched"] || 0
@@ -120,10 +122,10 @@ module OpenBankingIO
       items = []
       account_wires.each do |a|
         uid = decrypt_uid(a)
-        items << { "accountId" => a["id"], "uid" => uid } unless uid.nil?
+        items << {"accountId" => a["id"], "uid" => uid} unless uid.nil?
       end
 
-      result = post_json("api/sync", { "items" => items })
+      result = post_json("api/sync", {"items" => items})
       SyncAllResult.new(
         accounts: result["accounts"] || 0,
         new_transactions: result["newTransactions"] || 0
@@ -228,6 +230,10 @@ module OpenBankingIO
         uri.query = URI.encode_www_form(params)
       end
 
+      # `path` is an internal, library-controlled API route resolved against the configured
+      # base URI (see #resolve), not user-supplied file/URL input. This is an HTTP API client;
+      # issuing the request is its purpose.
+      # nosemgrep: ruby.rails.security.audit.avoid-tainted-http-request.avoid-tainted-http-request
       request = Net::HTTP::Get.new(uri)
       send_request(uri, request)
     end
@@ -247,6 +253,7 @@ module OpenBankingIO
     def send_request(uri, request)
       request["X-Api-Key"] = @api_key
       request["Accept"] = "application/json"
+      request["User-Agent"] = USER_AGENT
 
       http = Net::HTTP.new(uri.host, uri.port)
       http.use_ssl = (uri.scheme == "https")

data/lib/open_banking_io/envelope.rb

@@ -15,7 +15,7 @@ module OpenBankingIO
     POINT_LEN = 65
     NONCE_LEN = 12
     TAG_LEN = 16
-    HKDF_SALT = ("\x00".b * 32).freeze
+    HKDF_SALT = ("\x00".b * 32)
     HKDF_INFO = "bank.core.ci/zk/v1".b.freeze
     GROUP = OpenSSL::PKey::EC::Group.new("prime256v1")
 
@@ -43,7 +43,7 @@ module OpenBankingIO
       tag = envelope_bytes.byteslice(1 + POINT_LEN + NONCE_LEN, TAG_LEN)
       ciphertext = envelope_bytes.byteslice((1 + POINT_LEN + NONCE_LEN + TAG_LEN)..) || "".b
 
-      pub = OpenSSL::PKey::EC::Point.new(GROUP, OpenSSL::BN.new(eph_pub_bytes, 2))
+      pub = decode_public_point(eph_pub_bytes)
       shared = private_key.dh_compute_key(pub)
 
       key = OpenSSL::KDF.hkdf(
@@ -63,6 +63,17 @@ module OpenBankingIO
       cipher.update(ciphertext) + cipher.final
     end
 
+    # Parses the 65-byte raw ephemeral public key into a P-256 point.
+    #
+    # A malformed or off-curve point makes +EC::Point.new+ raise an OpenSSL-internal
+    # error; we wrap it in a clean +ArgumentError+ so callers see a consistent envelope
+    # error rather than a leaking implementation detail.
+    def decode_public_point(eph_pub_bytes)
+      OpenSSL::PKey::EC::Point.new(GROUP, OpenSSL::BN.new(eph_pub_bytes, 2))
+    rescue OpenSSL::PKey::EC::Point::Error, OpenSSL::BNError => e
+      raise ArgumentError, "Invalid ephemeral public key in envelope: #{e.message}"
+    end
+
     # Decrypts a base64 envelope and parses its JSON payload. +nil+ in -> +nil+ out.
     def decrypt_to_json(private_key, envelope_b64)
       return nil if envelope_b64.nil?

data/lib/open_banking_io/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OpenBankingIO
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: open-banking-io
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - open-banking.io
@@ -65,6 +65,68 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.22'
+- !ruby/object:Gem::Dependency
+  name: simplecov-cobertura
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.1'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.3'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '3.4'
+- !ruby/object:Gem::Dependency
+  name: standard
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
 description: Authenticates with your API key and decrypts open-banking.io's zero-knowledge
   data envelopes locally with your exported private key (ECDH P-256 -> HKDF-SHA256
   -> AES-256-GCM). The service only ever returns ciphertext it cannot read.