pagarme 2.1.0 → 2.1.1

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 422b2f052212e6a80ab083f50e469ff2c42f7965
4
- data.tar.gz: 0991a571bbf8c149abb4c7612d9f6f10174e8189
3
+ metadata.gz: 19db5c088393486c4bc44af6ee169fb3a50a37f5
4
+ data.tar.gz: 33157926082f202f8affcc8dc8093831d1acb37e
5
5
  SHA512:
6
- metadata.gz: b28c35d0ade1879e5ecd4665c16b0ba33625091630a81a8f014acb3f2122612d795420a3a265a58f64f353f5396e12905bd048234484699c81d7c339097f9fc1
7
- data.tar.gz: be91ee795aeb90394646f378dbd82c8183c0d52e48c22f4197ff38c73b461efe56b58dcf71016857a726e969ed3015bd6a0b8c1de6be61c4c37d636fe714b44b
6
+ metadata.gz: 438ca7c4e957ac3561b4663b899fbbccbd7d3c6bbaa4dbaff918307a6cac1ce2fd08025e8476936306c5bd7073a3ab3de0099fa3ea5e0fd5e10426292a20e261
7
+ data.tar.gz: 4b61661fd23f341dcd0194019693021aba613b1ab62934565ee136cb7078180befb4df5734f25680d85b897011cda19edaded58916e73dd3ef984eb27287d60c
data/README.md CHANGED
@@ -269,6 +269,55 @@ More about [Querying Payables](https://docs.pagar.me/api/#retornando-recebiveis)
269
269
 
270
270
  More about [Payable Transactions](https://docs.pagar.me/api/#retornando-pagamentos-da-transacao)
271
271
 
272
+ ### Validating Postback
273
+
274
+ You need to ensure that all received postback are sent by Pagar.me and not from anyone else,
275
+ to do this, is very important to validate it.
276
+
277
+ You must do it using the raw payload received on post request, and check it signature provided
278
+ in HTTP header X-Hub-Signature.
279
+
280
+ You can check it like this:
281
+
282
+ ```ruby
283
+ PagarMe::Postback.valid_request_signature?(payload, signature)
284
+ ```
285
+
286
+ #### Rails Example
287
+
288
+ If you are using Rails, you should do it your controller like this:
289
+
290
+ ```ruby
291
+
292
+ class PostbackController < ApplicationController
293
+ skip_before_action :verify_authenticity_token
294
+
295
+ def postback
296
+ if valid_postback?
297
+ # Handle your code here
298
+ # postback payload is in params
299
+ else
300
+ render_invalid_postback_response
301
+ end
302
+ end
303
+
304
+ protected
305
+ def valid_postback?
306
+ raw_post = request.raw_post
307
+ signature = request.headers['HTTP_X_HUB_SIGNATURE']
308
+ PagarMe::Postback.valid_request_signature?(raw_post, signature)
309
+ end
310
+
311
+ def render_invalid_postback_response
312
+ render json: {error: 'invalid postback'}, status: 400
313
+ end
314
+ end
315
+
316
+
317
+ ```
318
+
319
+ request.raw_post
320
+
272
321
  ### Undocumented Features
273
322
 
274
323
  This gem is stable, but in constant development.
data/lib/pagarme.rb CHANGED
@@ -1,6 +1,7 @@
1
1
  require 'set'
2
2
  require 'time'
3
3
  require 'digest/sha1'
4
+ require 'openssl'
4
5
 
5
6
  require_relative 'pagarme/version'
6
7
  require_relative 'pagarme/core_ext'
@@ -25,7 +26,8 @@ module PagarMe
25
26
  self.timeout = 90
26
27
  self.api_key = ENV['PAGARME_API_KEY']
27
28
 
28
- def self.validate_fingerprint(id, fingerprint)
29
- PagarMe::Postback.validate id, fingerprint
29
+ # TODO: Remove deprecated PagarMe.validate_fingerprint
30
+ def self.validate_fingerprint(*args)
31
+ raise '[Deprecation Error] PagarMe.validate_fingerprint is deprecated, use PagarMe::Postback.valid_request_signature? instead'
30
32
  end
31
33
  end
@@ -1,15 +1,32 @@
1
1
  module PagarMe
2
2
  class Postback < PagarMeObject
3
3
  def valid?
4
- self.class.validate id, fingerprint
4
+ signature == self.class.signature(payload)
5
5
  end
6
6
 
7
- def self.validate(id, fingerprint)
8
- fingerprint_for(id) == fingerprint
9
- end
7
+ class << self
8
+ def valid_request_signature?(payload, signature)
9
+ kind, raw_signature = signature.split '=', 2
10
+ return false if kind.blank? || raw_signature.blank?
11
+ signature(payload, kind) == raw_signature
12
+ end
13
+ alias :validate_request_signature :valid_request_signature?
14
+
15
+ def signature(payload, hash_method = 'sha1')
16
+ OpenSSL::HMAC.hexdigest hash_method, PagarMe.api_key, payload
17
+ end
18
+
19
+ # TODO: Remove deprecated Postback.validate
20
+ def validate(id, fingerprint)
21
+ $stderr.puts '[DEPRECATION WARNING] PagarMe.validate method is deprecated, use PagarMe.validate_request_signature instead'
22
+ valid_request_signature? id, fingerprint
23
+ end
10
24
 
11
- def self.fingerprint_for(id)
12
- Digest::SHA1.hexdigest id.to_s + "#" + PagarMe.api_key
25
+ # TODO: Remove deprecated Postback.fingerprint_for
26
+ def fingerprint_for(id)
27
+ $stderr.puts '[DEPRECATION WARNING] PagarMe.fingerprint_for method is deprecated, use PagarMe.signature instead'
28
+ signature id
29
+ end
13
30
  end
14
31
  end
15
32
  end
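Review bot: The `kind` parsed from the caller-supplied header in `valid_request_signature?` is passed straight through `signature(payload, kind)` into `OpenSSL::HMAC.hexdigest`, so the sender chooses the digest algorithm, and an unrecognised name presumably surfaces as an OpenSSL exception rather than `false`; the accepted algorithm should be pinned to the one the service issues (`sha1`) before the HMAC is computed. A missing header makes `signature` nil, and `signature.split '=', 2` then raises `NoMethodError` — the README's Rails example reads `request.headers['HTTP_X_HUB_SIGNATURE']`, which is nil when the header is absent — so nil payload or signature should return `false` up front. Both `==` comparisons (in `valid?` and in `valid_request_signature?`) are early-exit string compares; use a constant-time comparison such as `OpenSSL.secure_compare` where the openssl gem is recent enough, otherwise a small helper like the one below, and share it with `valid?`. The deprecated `validate(id, fingerprint)` shim forwards an Integer id and a bare hex fingerprint to the new method, where `split '='` yields no `raw_signature`, so it now always returns `false` while its message still suggests it works; it should either raise like `PagarMe.validate_fingerprint` now does or document that legacy fingerprints can no longer be validated. Rewritten validator and helper:
```ruby
    # Digest algorithms the service signs with; the header must not be allowed
    # to pick the algorithm.
    ALLOWED_HASH_METHODS = %w[sha1].freeze

    # … unchanged: valid? …

    class << self
      def valid_request_signature?(payload, signature)
        return false if payload.nil? || signature.nil?
        kind, raw_signature = signature.to_s.split '=', 2
        return false unless ALLOWED_HASH_METHODS.include?(kind)
        return false if raw_signature.blank?
        secure_compare signature(payload, kind), raw_signature
      end

      # … unchanged: alias, signature, deprecated validate and fingerprint_for …

      private

      # Constant-time comparison so response time does not reveal how many
      # leading bytes of the supplied signature are correct.
      def secure_compare(expected, given)
        return false unless expected.bytesize == given.bytesize
        expected.bytes.zip(given.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
      end
```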
@@ -1,3 +1,3 @@
1
1
  module PagarMe
2
- VERSION = '2.1.0'
2
+ VERSION = '2.1.1'
3
3
  end
data/test/fixtures.rb CHANGED
@@ -121,13 +121,8 @@ class Fixtures
121
121
 
122
122
  def postback_response
123
123
  {
124
- id: 194330,
125
- event: 'transaction_status_changed',
126
- fingerprint: 'f8eb5ce941d70473ea691959ea4bfdeb79d48e2c',
127
- desired_status: 'paid',
128
- current_status: 'paid',
129
- object: 'transaction',
130
- old_status: 'processing'
124
+ payload: "id=406483&fingerprint=9e9496ef28d1154b2db9a446323db90103069330&event=transaction_status_changed&old_status=processing&desired_status=paid&current_status=paid&object=transaction&transaction[object]=transaction&transaction[status]=paid&transaction[refuse_reason]=null&transaction[status_reason]=acquirer&transaction[acquirer_response_code]=0&transaction[acquirer_name]=pagarme&transaction[authorization_code]=18051&transaction[soft_descriptor]=null&transaction[tid]=406483&transaction[nsu]=406483&transaction[date_created]=2016-03-03T19:13:31.000Z&transaction[date_updated]=2016-03-03T19:13:32.000Z&transaction[amount]=1000&transaction[authorized_amount]=1000&transaction[paid_amount]=1000&transaction[refunded_amount]=0&transaction[installments]=1&transaction[id]=406483&transaction[cost]=50&transaction[card_holder_name]=Jose da Silva&transaction[card_last_digits]=4448&transaction[card_first_digits]=490172&transaction[card_brand]=visa&transaction[postback_url]=http://example.com/postback/1&transaction[payment_method]=credit_card&transaction[capture_method]=ecommerce&transaction[antifraud_score]=null&transaction[boleto_url]=null&transaction[boleto_barcode]=null&transaction[boleto_expiration_date]=null&transaction[referer]=api_key&transaction[ip]=179.185.132.108&transaction[subscription_id]=null&transaction[phone][object]=phone&transaction[phone][ddi]=55&transaction[phone][ddd]=21&transaction[phone][number]=922334455&transaction[phone][id]=21123&transaction[address][object]=address&transaction[address][street]=Av. 
Brigadeiro Faria Lima&transaction[address][complementary]=null&transaction[address][street_number]=2941&transaction[address][neighborhood]=Itaim bibi&transaction[address][city]=São Paulo&transaction[address][state]=SP&transaction[address][zipcode]=1452000&transaction[address][country]=Brasil&transaction[address][id]=21810&transaction[customer][object]=customer&transaction[customer][document_number]=84931126235&transaction[customer][document_type]=cpf&transaction[customer][name]=Jose da Silva&transaction[customer][email]=pagarmetestruby@mailinator.com&transaction[customer][born_at]=1970-10-11T00:00:00.000Z&transaction[customer][gender]=M&transaction[customer][date_created]=2016-03-01T18:38:25.000Z&transaction[customer][id]=43304&transaction[card][object]=card&transaction[card][id]=card_cil9rcdql00gmbp6er9i5q48u&transaction[card][date_created]=2016-03-01T18:38:25.000Z&transaction[card][date_updated]=2016-03-01T18:38:29.000Z&transaction[card][brand]=visa&transaction[card][holder_name]=Jose da Silva&transaction[card][first_digits]=490172&transaction[card][last_digits]=4448&transaction[card][country]=BR&transaction[card][fingerprint]=F0Y0+wH0d8DS&transaction[card][customer]=undefined&transaction[card][valid]=true",
125
+ signature: '57925d5954efd85613bbffa121dc06b4e7737256'
131
126
  }
132
127
  end
133
128
 
@@ -18,7 +18,7 @@ module PagarMe
18
18
  assert_equal transaction.payables.map(&:recipient_id).sort, fixtures.persistent_recipient_ids.sort
19
19
  end
20
20
 
21
- should 'create be found' do
21
+ should 'be found' do
22
22
  payables = PagarMe::Payable.find_by type: 'refund'
23
23
 
24
24
  assert payables.count > 0
@@ -2,17 +2,23 @@ require_relative '../../test_helper'
2
2
 
3
3
  module PagarMe
4
4
  class TransactionTest < Test::Unit::TestCase
5
- should 'be valid when has valid fingerprint' do
5
+ should 'be valid when has valid signature' do
6
6
  fixed_api_key do
7
7
  postback = PagarMe::Postback.new postback_response_params
8
8
  assert postback.valid?
9
9
  end
10
10
  end
11
11
 
12
- should 'be valid when has invalid fingerprint' do
13
- invalid_fingerprint = Digest::SHA1.hexdigest 'Invalid Fingerprint!'
14
- postback = PagarMe::Postback.new postback_response_params(fingerprint: invalid_fingerprint)
12
+ should 'be valid when has invalid signature' do
13
+ postback = PagarMe::Postback.new postback_response_params(signature: 'invalid signature')
15
14
  assert !postback.valid?
16
15
  end
16
+
17
+ should 'validate signature' do
18
+ params = postback_response_params
19
+ assert PagarMe::Postback.valid_request_signature?(params[:payload], "sha1=#{params[:signature]}")
20
+ assert !PagarMe::Postback.valid_request_signature?(params[:payload], params[:signature])
21
+ assert !PagarMe::Postback.valid_request_signature?(params[:payload], 'invalid signature')
22
+ end
17
23
  end
18
24
  end
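Review bot: The new 'validate signature' test does not cover the missing-header case, which is the one the README's Rails example will hit when a request arrives without `X-Hub-Signature`; add `assert !PagarMe::Postback.valid_request_signature?(params[:payload], nil)` so the method's behaviour for a nil signature is pinned rather than left to whatever `nil.split` does. It also does not pin which algorithm prefix is accepted — an assertion such as `assert !PagarMe::Postback.valid_request_signature?(params[:payload], "md5=#{params[:signature]}")` would document that only the issued algorithm is honoured. The `fixed_api_key` block in the first test presumably sets the key the fixture signature was generated with; a one-line comment stating that dependency next to the fixture's `signature:` value would save the next maintainer from wondering why the hex constant is tied to a specific key.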
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: pagarme
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.1.0
4
+ version: 2.1.1
5
5
  platform: ruby
6
6
  authors:
7
7
  - Pedro Franceschi
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2016-03-02 00:00:00.000000000 Z
12
+ date: 2016-03-18 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: bundler
@@ -185,7 +185,6 @@ files:
185
185
  - test/fixtures.rb
186
186
  - test/pagarme/error_test.rb
187
187
  - test/pagarme/object_test.rb
188
- - test/pagarme/pagarme_test.rb
189
188
  - test/pagarme/resources/balance_test.rb
190
189
  - test/pagarme/resources/bank_account_test.rb
191
190
  - test/pagarme/resources/bulk_anticipation_test.rb
@@ -227,7 +226,6 @@ test_files:
227
226
  - test/fixtures.rb
228
227
  - test/pagarme/error_test.rb
229
228
  - test/pagarme/object_test.rb
230
- - test/pagarme/pagarme_test.rb
231
229
  - test/pagarme/resources/balance_test.rb
232
230
  - test/pagarme/resources/bank_account_test.rb
233
231
  - test/pagarme/resources/bulk_anticipation_test.rb
@@ -1,10 +0,0 @@
1
- require_relative '../test_helper'
2
-
3
- module PagarMe
4
- class PagarMeTest < Test::Unit::TestCase
5
- should 'validate fingerprint correctly' do
6
- finderprint = Digest::SHA1.hexdigest "123##{PagarMe.api_key}"
7
- assert PagarMe.validate_fingerprint(123, finderprint)
8
- end
9
- end
10
- end