perimeter_x 1.3.0 → 1.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1f3a1b696f592b2f1478cc376a96475a5d5f0778
-  data.tar.gz: e859865af132477c953d6aed1a7c70bb927b432e
+  metadata.gz: 3dca9964af5aa39c20643f7e5d6f00271862f0de
+  data.tar.gz: e0f2a81bce3aa7c8b8eb0b0b73d70cc29f272dbc
 SHA512:
-  metadata.gz: 1f67c50466d0a347d7d5e3dc6c30f66332a3dabb27a34152e49c36a6614fa06ce81bc02d8f50ba2e061f9fb4cef8b21e9fb684d2d2b8b138ffab87298d0e1f81
-  data.tar.gz: 35d39968545b296e04f02bed0bb2c67b40ca1ff6773e352533fbe06e2795ad630a838d159fe517a12702e79d5054d81ef828fa966e9278dec7fd6eaa37dd2e06
+  metadata.gz: 257d51330a1dc51e1ca2559559d7eb4e0ca6ebc891fd8bfcdd0171b4e31a5a3b4455f4c3b4227b6db7d403eeecb3bb1bb4b62e4e7cf72024d6efa89f5636bd3f
+  data.tar.gz: 4cd74c725090a46718716b782551e1e5bae7efb939818c1b34970bde070897d6d53334b5c54bb6df7f4a24291dd5ed608e2e39723e008647a07c4e2da8de6b07

data/changelog.md

@@ -5,7 +5,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [1.3.0] - 2017-06-04
+## [1.4.0] - 2018-03-18
+### Fixed
+ - Incorrect assigment for s2s_call_reason
+ - Fixed empty token result correct s2s reason
+
+### Added
+ - Added support to captcha api v2
+ - Mobile sdk support for special tokens 1/2/3
+
+
+## [1.3.0] - 2017-07-27
 ### Added
  - Sending client_uuid on page_requested activities
  - Supporting mobile sdk

data/lib/perimeter_x.rb

@@ -15,37 +15,47 @@ require 'perimeterx/internal/validators/perimeter_x_captcha_validator'
 module PxModule
   # Module expose API
   def px_verify_request
-    verified, px_ctx = PerimeterX.instance.verify(request.env)
+    px_ctx = PerimeterX.instance.verify(request.env)
+    px_config = PerimeterX.instance.px_config
+    msg_title = 'PxModule[px_verify_request]'
+
+    # In case custom verification handler is in use
+    if px_config.key?(:custom_verification_handler)
+      px_config[:logger].debug("#{msg_title}: custom_verification_handler triggered")
+      return instance_exec(px_ctx, &px_config[:custom_verification_handler])
+    end
 
     # Invalidate _pxCaptcha, can be done only on the controller level
     cookies[:_pxCaptcha] = {value: "", expires: -1.minutes.from_now}
 
-    unless verified
-      # In case custon block handler exists
-      if (PerimeterX.instance.px_config.key?(:custom_block_handler))
-        PerimeterX.instance.px_config[:logger].debug('PxModule[px_verify_request]: custom_block_handler triggered')
-        return instance_exec(px_ctx, &PerimeterX.instance.px_config[:custom_block_handler])
+    unless px_ctx.nil? || px_ctx.context[:verified]
+      # In case custom block handler exists (soon to be deprecated)
+      if px_config.key?(:custom_block_handler)
+        px_config[:logger].debug("#{msg_title}: custom_block_handler triggered")
+        px_config[:logger].debug(
+            "#{msg_title}: Please note that custom_block_handler is deprecated. Use custom_verification_handler instead.")
+        return instance_exec(px_ctx, &px_config[:custom_block_handler])
       else
         # Generate template
-        PerimeterX.instance.px_config[:logger].debug('PxModule[px_verify_request]: sending default block page')
-        html = PxTemplateFactory.get_template(px_ctx, PerimeterX.instance.px_config)
+        px_config[:logger].debug("#{msg_title}: sending default block page")
+        html = PxTemplateFactory.get_template(px_ctx, px_config)
         response.headers['Content-Type'] = 'text/html'
         response.status = 403
         # Web handler
         if px_ctx.context[:cookie_origin] == 'cookie'
-          PerimeterX.instance.px_config[:logger].debug('PxModule[px_verify_request]: web block')
+          px_config[:logger].debug('#{msg_title}: web block')
           response.headers['Content-Type'] = 'text/html'
           render :html => html
         else # Mobile SDK
-          PerimeterX.instance.px_config[:logger].debug('PxModule[px_verify_request]: mobile sdk block')
+          px_config[:logger].debug("#{msg_title}: mobile sdk block")
           response.headers['Content-Type'] = 'application/json'
           hash_json = {
               :action => px_ctx.context[:block_action],
               :uuid => px_ctx.context[:uuid],
               :vid => px_ctx.context[:vid],
-              :appId => PerimeterX.instance.px_config[:app_id],
+              :appId => px_config[:app_id],
               :page => Base64.strict_encode64(html),
-              :collectorUrl => "https://collector-#{PerimeterX.instance.px_config[:app_id]}.perimeterx.net"
+              :collectorUrl => "https://collector-#{px_config[:app_id]}.perimeterx.net"
           }
           render :json => hash_json
         end
@@ -53,7 +63,7 @@ module PxModule
     end
 
     # Request was verified
-    return verified
+    return px_ctx.nil? ? true : px_ctx.context[:verified]
   end
 
   def self.configure(params)
@@ -90,34 +100,30 @@ module PxModule
     def verify(env)
       begin
         @logger.debug('PerimeterX[pxVerify]')
-        if (!@px_config[:module_enabled])
+        if !@px_config[:module_enabled]
           @logger.warn('Module is disabled')
-          return true
+          return nil
         end
         req = ActionDispatch::Request.new(env)
         px_ctx = PerimeterXContext.new(@px_config, req)
 
         # Captcha phase
         captcha_verified, px_ctx = @px_captcha_validator.verify(px_ctx)
-        if (captcha_verified)
+        if captcha_verified
           return handle_verification(px_ctx)
         end
 
         # Cookie phase
         cookie_verified, px_ctx = @px_cookie_validator.verify(px_ctx)
-        if (!cookie_verified)
+        if !cookie_verified
           @px_s2s_validator.verify(px_ctx)
         end
 
-        if (@px_config.key?(:custom_verification_handler))
-          return @px_config[:custom_verification_handler].call(px_ctx.context)
-        else
-          return handle_verification(px_ctx)
-        end
+        return handle_verification(px_ctx)
       rescue Exception => e
         @logger.error("#{e.backtrace.first}: #{e.message} (#{e.class})")
         e.backtrace.drop(1).map {|s| @logger.error("\t#{s}")}
-        return true
+        return nil
       end
     end
 
@@ -139,25 +145,26 @@ module PxModule
       @logger.debug("PerimeterX[handle_verification]: processing ended - score:#{px_ctx.context[:score]}, uuid:#{px_ctx.context[:uuid]}")
 
       score = px_ctx.context[:score]
+      px_ctx.context[:verified] = score < @px_config[:blocking_score]
       # Case PASS request
-      if (score < @px_config[:blocking_score])
+      if px_ctx.context[:verified]
         @logger.debug("PerimeterX[handle_verification]: score:#{score} < blocking score, passing request")
         @px_activity_client.send_page_requested_activity(px_ctx)
-        return true
+        return px_ctx
       end
 
       # Case blocking activity
       @px_activity_client.send_block_activity(px_ctx)
 
       # In case were in monitor mode, end here
-      if (@px_config[:module_mode] == PxModule::MONITOR_MODE)
+      if @px_config[:module_mode] == PxModule::MONITOR_MODE
         @logger.debug('PerimeterX[handle_verification]: monitor mode is on, passing request')
-        return true
+        return px_ctx
       end
 
       @logger.debug('PerimeterX[handle_verification]: verification ended, the request should be blocked')
 
-      return false, px_ctx
+      return px_ctx
     end
 
     private_class_method :new

data/lib/perimeterx/configuration.rb

@@ -12,7 +12,7 @@ module PxModule
       :cookie_key               => nil,
       :auth_token               => nil,
       :module_enabled           => true,
-      :captcha_enabled          => true,
+      :captcha_provider         => "reCaptcha",
       :challenge_enabled        => true,
       :encryption_enabled       => true,
       :blocking_score           => 70,

data/lib/perimeterx/internal/perimeter_x_context.rb

@@ -14,6 +14,7 @@ module PxModule
       @context[:px_cookie] = Hash.new
       @context[:headers] = Hash.new
       @context[:cookie_origin] = 'cookie'
+      @context[:made_s2s_risk_api_call] = false
       cookies = req.cookies
 
       # Get token from header
@@ -24,6 +25,8 @@ module PxModule
           exploded_token = token.split(':', 2)
           cookie_sym = "v#{exploded_token[0]}".to_sym
           @context[:px_cookie][cookie_sym] = exploded_token[1]
+        else  # TOKEN_HEADER exists yet there's no ':' delimiter - may indicate an error (storing original value)
+          @context[:px_cookie] = req.headers[PxModule::TOKEN_HEADER]
         end
       elsif !cookies.empty? # Get cookie from jar
         # Prepare hashed cookies

data/lib/perimeterx/internal/validators/perimeter_x_captcha_validator.rb

@@ -7,17 +7,19 @@ module PxModule
       super(px_config, http_client)
     end
 
-    def send_captcha_request(vid, uuid, captcha, px_ctx)
+    def send_captcha_request(captcha, px_ctx)
 
       request_body = {
         :request => {
           :ip => px_ctx.context[:ip],
           :headers => format_headers(px_ctx),
-          :uri => px_ctx.context[:uri]
+          :uri => px_ctx.context[:uri],
+          :captchaType => @px_config[:captcha_provider]
+        },
+        :additional => {
+          :module_version => @px_config[:sdk_name]
         },
         :pxCaptcha => captcha,
-        :vid => vid,
-        :uuid => uuid,
         :hostname => px_ctx.context[:hostname]
       }
 
@@ -25,30 +27,28 @@ module PxModule
       headers = {
           "Authorization" => "Bearer #{@px_config[:auth_token]}" ,
           "Content-Type" => "application/json"
-      };
+      }
 
-      return @http_client.post(PxModule::API_V1_CAPTCHA, request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
+      return @http_client.post(PxModule::API_CAPTCHA, request_body, headers, @px_config[:api_timeout], @px_config[:api_timeout_connection])
 
     end
 
     def verify(px_ctx)
       captcha_validated = false
       begin
-        if(!px_ctx.context.key?(:px_captcha))
+        if !px_ctx.context.key?(:px_captcha)
           return captcha_validated, px_ctx
         end
-        captcha, vid, uuid = px_ctx.context[:px_captcha].split(':', 3)
-        if captcha.nil? || vid.nil? || uuid.nil?
+        captcha = px_ctx.context[:px_captcha]
+        if captcha.nil?
           return captcha_validated, px_ctx
         end
 
-        px_ctx.context[:vid] = vid
-        px_ctx.context[:uuid] = uuid
-        response = send_captcha_request(vid, uuid, captcha, px_ctx)
+        response = send_captcha_request(captcha, px_ctx)
 
-        if (response.status_code == 200)
+        if response.success?
           response_body = eval(response.body)
-          if ( response_body[:code] == 0 )
+          if response_body[:status] == 0
             captcha_validated = true
           end
         end
@@ -56,7 +56,7 @@ module PxModule
         return captcha_validated, px_ctx
 
       rescue Exception => e
-        @logger.error("PerimeterxCaptchaValidator[verify]: failed, returning false")
+        @logger.error("PerimeterxCaptchaValidator[verify]: failed, returning false => #{e.message}")
         return captcha_validated, px_ctx
       end
     end

data/lib/perimeterx/internal/validators/perimeter_x_cookie_validator.rb

@@ -18,16 +18,34 @@ module PxModule
 
     def verify(px_ctx)
       begin
-        # Case no cookie
-        if px_ctx.context[:px_cookie].empty?
-          @logger.warn("PerimeterxCookieValidator:[verify]: cookie not found")
+        # Mobile Error cases
+        if px_ctx.context[:cookie_origin] == 'header'
+          if px_ctx.context[:px_cookie].to_s.empty?
+            @logger.warn("PerimeterxCookieValidator:[verify]: Empty token value - decryption failed")
+            px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_DECRYPTION_FAILED
+            return false, px_ctx
+          elsif px_ctx.context[:px_cookie] == "1"
+            @logger.warn("PerimeterxCookieValidator:[verify]: no cookie")
+            px_ctx.context[:s2s_call_reason] = PxModule::NO_COOKIE
+            return false, px_ctx
+          elsif px_ctx.context[:px_cookie] == "2"   # Mobile SDK connection error
+            @logger.warn("PerimeterxCookieValidator:[verify]: mobile sdk connection error")
+            px_ctx.context[:s2s_call_reason] = PxModule::MOBILE_SDK_CONNECTION_ERROR
+            return false, px_ctx
+          elsif px_ctx.context[:px_cookie] == "3"   # Mobile SDK pinning error
+            @logger.warn("PerimeterxCookieValidator:[verify]: mobile sdk pinning error")
+            px_ctx.context[:s2s_call_reason] = PxModule::MOBILE_SDK_PINNING_ERROR
+            return false, px_ctx
+          end
+        elsif px_ctx.context[:px_cookie].empty?
+          @logger.warn("PerimeterxCookieValidator:[verify]: no cookie")
           px_ctx.context[:s2s_call_reason] = PxModule::NO_COOKIE
           return false, px_ctx
         end
 
         # Deserialize cookie start
         cookie = PerimeterxPayload.px_cookie_factory(px_ctx, @px_config)
-        if (!cookie.deserialize())
+        if !cookie.deserialize()
           @logger.warn("PerimeterxCookieValidator:[verify]: invalid cookie")
           px_ctx.context[:s2s_call_reason] =  PxModule::COOKIE_DECRYPTION_FAILED
           return false, px_ctx
@@ -39,26 +57,25 @@ module PxModule
         px_ctx.context[:block_action] = px_ctx.set_block_action_type(cookie.cookie_block_action())
         px_ctx.context[:cookie_hmac] = cookie.cookie_hmac()
 
-        if (cookie.expired?)
+        if cookie.expired?
           @logger.warn("PerimeterxCookieValidator:[verify]: cookie expired")
           px_ctx.context[:s2s_call_reason] = PxModule::EXPIRED_COOKIE
           return false, px_ctx
         end
 
-        if (cookie.high_score?)
+        if cookie.high_score?
           @logger.warn("PerimeterxCookieValidator:[verify]: cookie high score")
-          px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_HIGH_SCORE
           px_ctx.context[:blocking_reason] = 'cookie_high_score'
           return true, px_ctx
         end
 
-        if (!cookie.secured?)
+        if !cookie.secured?
           @logger.warn("PerimeterxCookieValidator:[verify]: cookie invalid hmac")
-          px_ctx.context[:s2s_call_reason] = PxModule::COOKIE_VALIDATION_FAILED
+          px_ctx.context[:s2s_call_reason] = PxModule:: COOKIE_VALIDATION_FAILED
           return false, px_ctx
         end
 
-        if (px_ctx.context[:sensitive_route])
+        if px_ctx.context[:sensitive_route]
           @logger.info("PerimeterxCookieValidator:[verify]: cookie was verified but route is sensitive")
           px_ctx.context[:s2s_call_reason] = PxModule::SENSITIVE_ROUTE
           return false, px_ctx

data/lib/perimeterx/utils/px_constants.rb

@@ -10,7 +10,7 @@ module PxModule
 
   # Routes
   API_V1_S2S = '/api/v1/collector/s2s'
-  API_V1_CAPTCHA = '/api/v1/risk/captcha'
+  API_CAPTCHA = '/api/v2/risk/captcha'
   API_V2_RISK = '/api/v2/risk'
 
   # Activity Types
@@ -28,7 +28,6 @@ module PxModule
 
   # Templates
   BLOCK_TEMPLATE = 'block'
-  CAPTCHA_TEMPLATE = 'captcha'
   TEMPLATE_EXT = '.mustache'
 
 
@@ -48,4 +47,6 @@ module PxModule
 
   # Mobile SDK
   TOKEN_HEADER = 'X-PX-AUTHORIZATION'
+  MOBILE_SDK_CONNECTION_ERROR = 'mobile_sdk_connection_error'
+  MOBILE_SDK_PINNING_ERROR = 'mobile_sdk_pinning_error'
 end

data/lib/perimeterx/utils/px_template_factory.rb

@@ -11,7 +11,7 @@ module PxModule
       end
 
       logger.debug('PxTemplateFactory[get_template]: rendering template')
-      template_type = px_ctx.context[:block_action] == 'captcha' ? PxModule::CAPTCHA_TEMPLATE : BLOCK_TEMPLATE
+      template_type = px_ctx.context[:block_action] == 'captcha' ? px_config[:captcha_provider].downcase : BLOCK_TEMPLATE
 
       template_postfix = ''
       if px_ctx.context[:cookie_origin] == 'header'

data/lib/perimeterx/utils/templates/block.mobile.mustache

@@ -119,7 +119,7 @@
         <div class="page-footer">
             <p>
                 Powered by
-                <a href="https://www.perimeterx.com">PerimeterX</a>
+                <a href="https://www.perimeterx.com/whywasiblocked">PerimeterX</a>
                 , Inc.
             </p>
         </div>
@@ -130,4 +130,4 @@
     <script src="{{jsRef}}"></script>
 {{/ jsRef }}
 </body>
-</html>
+</html>

data/lib/perimeterx/utils/templates/block.mustache

@@ -119,7 +119,7 @@
         <div class="page-footer">
           <p>
             Powered by
-            <a href="https://www.perimeterx.com">PerimeterX</a>
+            <a href="https://www.perimeterx.com/whywasiblocked">PerimeterX</a>
             , Inc.
           </p>
         </div>

data/lib/perimeterx/utils/templates/funcaptcha.mobile.mustache

@@ -0,0 +1,178 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <title>Access to this page has been denied.</title>
+    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300" rel="stylesheet">
+    <style>
+        html, body {
+            margin: 0;
+            padding: 0;
+            font-family: 'Open Sans', sans-serif;
+            color: #000;
+        }
+
+        a {
+            color: #c5c5c5;
+            text-decoration: none;
+        }
+
+        .container {
+            align-items: center;
+            display: flex;
+            flex: 1;
+            justify-content: space-between;
+            flex-direction: column;
+            height: 100%;
+        }
+
+        .container > div {
+            width: 100%;
+            display: flex;
+            justify-content: center;
+        }
+
+        .container > div > div {
+            display: flex;
+            width: 80%;
+        }
+
+        .customer-logo-wrapper {
+            padding-top: 2rem;
+            flex-grow: 0;
+            background-color: #fff;
+            visibility: {{logoVisibility}};
+        }
+
+        .customer-logo {
+            border-bottom: 1px solid #000;
+        }
+
+        .customer-logo > img {
+            padding-bottom: 1rem;
+            max-height: 50px;
+            max-width: 100%;
+        }
+
+        .page-title-wrapper {
+            flex-grow: 2;
+        }
+
+        .page-title {
+            flex-direction: column-reverse;
+        }
+
+        .content-wrapper {
+            flex-grow: 5;
+        }
+
+        .content {
+            flex-direction: column;
+        }
+
+        .page-footer-wrapper {
+            align-items: center;
+            flex-grow: 0.2;
+            background-color: #000;
+            color: #c5c5c5;
+            font-size: 70%;
+        }
+
+        @media (min-width: 768px) {
+            html, body {
+                height: 100%;
+            }
+        }
+    </style>
+    <!-- Custom CSS -->
+    {{# cssRef }}
+        <link rel="stylesheet" type="text/css" href="{{ . }}"/>
+    {{/ cssRef }}
+    <script src="https://funcaptcha.com/fc/api/?onload=loadFunCaptcha" async defer></script>
+</head>
+
+<body>
+<section class="container">
+    <div class="customer-logo-wrapper">
+        <div class="customer-logo">
+            <img src="{{customLogo}}" alt="Logo"/>
+        </div>
+    </div>
+    <div class="page-title-wrapper">
+        <div class="page-title">
+            <h1>Please verify you are a human</h1>
+        </div>
+    </div>
+    <div class="content-wrapper">
+        <div class="content">
+            <p>
+                Please click "Verify" to continue
+            </p>
+            <div id="CAPTCHA"></div>
+            <p>
+                Access to this page has been denied because we believe you are using automation tools to browse the
+                website.
+            </p>
+            <p>
+                This may happen as a result of the following:
+            </p>
+            <ul>
+                <li>
+                    Javascript is disabled or blocked by an extension (ad blockers for example)
+                </li>
+                <li>
+                    Your browser does not support cookies
+                </li>
+            </ul>
+            <p>
+                Please make sure that Javascript and cookies are enabled on your browser and that you are not blocking
+                them from loading.
+            </p>
+            <p>
+                Reference ID: #{{refId}}
+            </p>
+        </div>
+    </div>
+    <div class="page-footer-wrapper">
+        <div class="page-footer">
+            <p>
+                Powered by
+                <a href="https://www.perimeterx.com/whywasiblocked">PerimeterX</a>
+                , Inc.
+            </p>
+        </div>
+    </div>
+</section>
+<!-- Captcha -->
+<script>
+
+    function loadFunCaptcha() {
+        var vid = '{{vid}}';
+        var uuid = '{{uuid}}';
+
+        new FunCaptcha({
+            public_key: "19E4B3B8-6CBE-35CC-4205-FC79ECDDA765",
+            target_html: "CAPTCHA",
+            callback: function () {
+                var expiryUtc = new Date(Date.now() + 1000 * 10).toUTCString();
+                var pxCaptcha = "_pxCaptcha=" + btoa(JSON.stringify({r: document.getElementById("FunCaptcha-Token").value, u: uuid, v: vid}));
+                var cookieParts = [
+                    pxCaptcha,
+                    "; expires=",
+                    expiryUtc,
+                    "; path=/"
+                ];
+
+                document.cookie = cookieParts.join("");
+                location.reload();
+            }
+        });
+    }
+</script>
+<!-- Custom Script -->
+{{# jsRef }}
+    <script src="{{ . }}"></script>
+{{/ jsRef }}
+</body>
+</html>