pagarme 2.1.0 → 2.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 422b2f052212e6a80ab083f50e469ff2c42f7965
-  data.tar.gz: 0991a571bbf8c149abb4c7612d9f6f10174e8189
+  metadata.gz: 19db5c088393486c4bc44af6ee169fb3a50a37f5
+  data.tar.gz: 33157926082f202f8affcc8dc8093831d1acb37e
 SHA512:
-  metadata.gz: b28c35d0ade1879e5ecd4665c16b0ba33625091630a81a8f014acb3f2122612d795420a3a265a58f64f353f5396e12905bd048234484699c81d7c339097f9fc1
-  data.tar.gz: be91ee795aeb90394646f378dbd82c8183c0d52e48c22f4197ff38c73b461efe56b58dcf71016857a726e969ed3015bd6a0b8c1de6be61c4c37d636fe714b44b
+  metadata.gz: 438ca7c4e957ac3561b4663b899fbbccbd7d3c6bbaa4dbaff918307a6cac1ce2fd08025e8476936306c5bd7073a3ab3de0099fa3ea5e0fd5e10426292a20e261
+  data.tar.gz: 4b61661fd23f341dcd0194019693021aba613b1ab62934565ee136cb7078180befb4df5734f25680d85b897011cda19edaded58916e73dd3ef984eb27287d60c

data/README.md

@@ -269,6 +269,55 @@ More about [Querying Payables](https://docs.pagar.me/api/#retornando-recebiveis)
 
 More about [Payable Transactions](https://docs.pagar.me/api/#retornando-pagamentos-da-transacao)
 
+### Validating Postback
+
+You need to ensure that all received postback are sent by Pagar.me and not from anyone else,
+to do this, is very important to validate it.
+
+You must do it using the raw payload received on post request, and check it signature provided
+in HTTP header X-Hub-Signature.
+
+You can check it like this:
+
+```ruby
+  PagarMe::Postback.valid_request_signature?(payload, signature)
+```
+
+#### Rails Example
+
+If you are using Rails, you should do it your controller like this:
+
+```ruby
+
+    class PostbackController < ApplicationController
+      skip_before_action :verify_authenticity_token
+      
+      def postback
+        if valid_postback?
+          # Handle your code here
+          # postback payload is in params
+        else
+          render_invalid_postback_response
+        end
+      end
+      
+      protected
+      def valid_postback?
+        raw_post  = request.raw_post
+        signature = request.headers['HTTP_X_HUB_SIGNATURE']
+        PagarMe::Postback.valid_request_signature?(raw_post, signature)
+      end
+      
+      def render_invalid_postback_response
+        render json: {error: 'invalid postback'}, status: 400
+      end
+    end
+
+
+```
+
+request.raw_post
+
 ### Undocumented Features
 
 This gem is stable, but in constant development.

data/lib/pagarme.rb

@@ -1,6 +1,7 @@
 require 'set'
 require 'time'
 require 'digest/sha1'
+require 'openssl'
 
 require_relative 'pagarme/version'
 require_relative 'pagarme/core_ext'
@@ -25,7 +26,8 @@ module PagarMe
   self.timeout      = 90
   self.api_key      = ENV['PAGARME_API_KEY']
 
-  def self.validate_fingerprint(id, fingerprint)
-    PagarMe::Postback.validate id, fingerprint
+  # TODO: Remove deprecated PagarMe.validate_fingerprint
+  def self.validate_fingerprint(*args)
+    raise '[Deprecation Error] PagarMe.validate_fingerprint is deprecated, use PagarMe::Postback.valid_request_signature? instead'
   end
 end

data/lib/pagarme/resources/postback.rb

@@ -1,15 +1,32 @@
 module PagarMe
   class Postback < PagarMeObject
     def valid?
-      self.class.validate id, fingerprint
+      signature == self.class.signature(payload)
     end
 
-    def self.validate(id, fingerprint)
-      fingerprint_for(id) == fingerprint
-    end
+    class << self
+      def valid_request_signature?(payload, signature)
+        kind, raw_signature = signature.split '=', 2
+        return false if kind.blank? || raw_signature.blank?
+        signature(payload, kind) == raw_signature
+      end
+      alias :validate_request_signature :valid_request_signature?
+
+      def signature(payload, hash_method = 'sha1')
+        OpenSSL::HMAC.hexdigest hash_method, PagarMe.api_key, payload
+      end
+
+      # TODO: Remove deprecated Postback.validate
+      def validate(id, fingerprint)
+        $stderr.puts '[DEPRECATION WARNING] PagarMe.validate method is deprecated, use PagarMe.validate_request_signature instead'
+        valid_request_signature? id, fingerprint
+      end
 
-    def self.fingerprint_for(id)
-      Digest::SHA1.hexdigest id.to_s + "#" + PagarMe.api_key
+      # TODO: Remove deprecated Postback.fingerprint_for
+      def fingerprint_for(id)
+        $stderr.puts '[DEPRECATION WARNING] PagarMe.fingerprint_for method is deprecated, use PagarMe.signature instead'
+        signature id
+      end
     end
   end
 end

data/lib/pagarme/version.rb

@@ -1,3 +1,3 @@
 module PagarMe
-  VERSION = '2.1.0'
+  VERSION = '2.1.1'
 end

data/test/fixtures.rb

@@ -121,13 +121,8 @@ class Fixtures
 
   def postback_response
     {
-      id:             194330,
-      event:          'transaction_status_changed',
-      fingerprint:    'f8eb5ce941d70473ea691959ea4bfdeb79d48e2c',
-      desired_status: 'paid',
-      current_status: 'paid',
-      object:         'transaction',
-      old_status:     'processing'
+      payload:   "id=406483&fingerprint=9e9496ef28d1154b2db9a446323db90103069330&event=transaction_status_changed&old_status=processing&desired_status=paid&current_status=paid&object=transaction&transaction[object]=transaction&transaction[status]=paid&transaction[refuse_reason]=null&transaction[status_reason]=acquirer&transaction[acquirer_response_code]=0&transaction[acquirer_name]=pagarme&transaction[authorization_code]=18051&transaction[soft_descriptor]=null&transaction[tid]=406483&transaction[nsu]=406483&transaction[date_created]=2016-03-03T19:13:31.000Z&transaction[date_updated]=2016-03-03T19:13:32.000Z&transaction[amount]=1000&transaction[authorized_amount]=1000&transaction[paid_amount]=1000&transaction[refunded_amount]=0&transaction[installments]=1&transaction[id]=406483&transaction[cost]=50&transaction[card_holder_name]=Jose da Silva&transaction[card_last_digits]=4448&transaction[card_first_digits]=490172&transaction[card_brand]=visa&transaction[postback_url]=http://example.com/postback/1&transaction[payment_method]=credit_card&transaction[capture_method]=ecommerce&transaction[antifraud_score]=null&transaction[boleto_url]=null&transaction[boleto_barcode]=null&transaction[boleto_expiration_date]=null&transaction[referer]=api_key&transaction[ip]=179.185.132.108&transaction[subscription_id]=null&transaction[phone][object]=phone&transaction[phone][ddi]=55&transaction[phone][ddd]=21&transaction[phone][number]=922334455&transaction[phone][id]=21123&transaction[address][object]=address&transaction[address][street]=Av. Brigadeiro Faria Lima&transaction[address][complementary]=null&transaction[address][street_number]=2941&transaction[address][neighborhood]=Itaim bibi&transaction[address][city]=São Paulo&transaction[address][state]=SP&transaction[address][zipcode]=1452000&transaction[address][country]=Brasil&transaction[address][id]=21810&transaction[customer][object]=customer&transaction[customer][document_number]=84931126235&transaction[customer][document_type]=cpf&transaction[customer][name]=Jose da Silva&transaction[customer][email]=pagarmetestruby@mailinator.com&transaction[customer][born_at]=1970-10-11T00:00:00.000Z&transaction[customer][gender]=M&transaction[customer][date_created]=2016-03-01T18:38:25.000Z&transaction[customer][id]=43304&transaction[card][object]=card&transaction[card][id]=card_cil9rcdql00gmbp6er9i5q48u&transaction[card][date_created]=2016-03-01T18:38:25.000Z&transaction[card][date_updated]=2016-03-01T18:38:29.000Z&transaction[card][brand]=visa&transaction[card][holder_name]=Jose da Silva&transaction[card][first_digits]=490172&transaction[card][last_digits]=4448&transaction[card][country]=BR&transaction[card][fingerprint]=F0Y0+wH0d8DS&transaction[card][customer]=undefined&transaction[card][valid]=true",
+      signature: '57925d5954efd85613bbffa121dc06b4e7737256'
     }
   end
 

data/test/pagarme/resources/payable_test.rb

@@ -18,7 +18,7 @@ module PagarMe
       assert_equal transaction.payables.map(&:recipient_id).sort, fixtures.persistent_recipient_ids.sort
     end
 
-    should 'create be found' do
+    should 'be found' do
       payables = PagarMe::Payable.find_by type: 'refund'
 
       assert payables.count > 0

data/test/pagarme/resources/postback_test.rb

@@ -2,17 +2,23 @@ require_relative '../../test_helper'
 
 module PagarMe
   class TransactionTest < Test::Unit::TestCase
-    should 'be valid when has valid fingerprint' do
+    should 'be valid when has valid signature' do
       fixed_api_key do
         postback = PagarMe::Postback.new postback_response_params
         assert postback.valid?
       end
     end
 
-    should 'be valid when has invalid fingerprint' do
-      invalid_fingerprint = Digest::SHA1.hexdigest 'Invalid Fingerprint!'
-      postback = PagarMe::Postback.new postback_response_params(fingerprint: invalid_fingerprint)
+    should 'be valid when has invalid signature' do
+      postback = PagarMe::Postback.new postback_response_params(signature: 'invalid signature')
       assert !postback.valid?
     end
+
+    should 'validate signature' do
+      params = postback_response_params
+      assert  PagarMe::Postback.valid_request_signature?(params[:payload], "sha1=#{params[:signature]}")
+      assert !PagarMe::Postback.valid_request_signature?(params[:payload], params[:signature])
+      assert !PagarMe::Postback.valid_request_signature?(params[:payload], 'invalid signature')
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: pagarme
 version: !ruby/object:Gem::Version
-  version: 2.1.0
+  version: 2.1.1
 platform: ruby
 authors:
 - Pedro Franceschi
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2016-03-02 00:00:00.000000000 Z
+date: 2016-03-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -185,7 +185,6 @@ files:
 - test/fixtures.rb
 - test/pagarme/error_test.rb
 - test/pagarme/object_test.rb
-- test/pagarme/pagarme_test.rb
 - test/pagarme/resources/balance_test.rb
 - test/pagarme/resources/bank_account_test.rb
 - test/pagarme/resources/bulk_anticipation_test.rb
@@ -227,7 +226,6 @@ test_files:
 - test/fixtures.rb
 - test/pagarme/error_test.rb
 - test/pagarme/object_test.rb
-- test/pagarme/pagarme_test.rb
 - test/pagarme/resources/balance_test.rb
 - test/pagarme/resources/bank_account_test.rb
 - test/pagarme/resources/bulk_anticipation_test.rb

data/test/pagarme/pagarme_test.rb

@@ -1,10 +0,0 @@
-require_relative '../test_helper'
-
-module PagarMe
-  class PagarMeTest < Test::Unit::TestCase
-    should 'validate fingerprint correctly' do
-      finderprint = Digest::SHA1.hexdigest "123##{PagarMe.api_key}"
-      assert PagarMe.validate_fingerprint(123, finderprint)
-    end
-  end
-end