RubyGems - philiprehberger-webhook_builder - Versions diffs - 0.2.1 → 0.3.0 - Mend

philiprehberger-webhook_builder 0.2.1 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/README.md +21 -0
data/lib/philiprehberger/webhook_builder/client.rb +16 -0
data/lib/philiprehberger/webhook_builder/version.rb +1 -1
metadata +4 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 77dfa24235cec307d4f733300a7db1f14b48a2a8b8716b73e6a122560ba57048
-  data.tar.gz: 042a9b95d34042da93b03a6c7392afd1dae6c4dd215f3f8d4b61509a6034c8ab
+  metadata.gz: 7754a65fd17d3f711872d837db0a95670d245eab1da96df4d42c723b8d7f9f3d
+  data.tar.gz: 8be04c1b22974980e572ca5073279d995f6e8f67d8853742de62297e5951a532
 SHA512:
-  metadata.gz: 5c8964553aac4756455514f60447c31f02912ec08d8a9f819edf66c9d094b0d12bbb4baa50f1901079d9b289dd4c7142aeb214067280b4aafb0991bf29e4441a
-  data.tar.gz: 7c2dd0623d832973494e4276468f7f1723e1d28dd8c6aadb286f4f109c14a530c40231c217861d4e6f3e0dd37f21dec6ea3ca3e040c14ef0d70f0e801172dc0b
+  metadata.gz: 5f756201c37028a4f44d5975200d24fb811d87ecbc13467b9a9f3e5c792333c26dc546177871b9bda42d4bef3da1093202aa5f82279622521bf5c443d4fe61f8
+  data.tar.gz: c09e9a31e51d343140eb0beaa1db83560bd7a35dca976f00332534a888ece0eb8263a9701a6b5bf14720388ad381245b44b089689700fa0298ff9a5b16130742

data/CHANGELOG.md CHANGED Viewed

@@ -7,6 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.3.0] - 2026-04-18
+### Added
+- `Client#verify_signature(body:, signature:)` — constant-time HMAC-SHA256 comparison for the receiving side; returns `false` (never raises) on length mismatch
+## [0.2.2] - 2026-04-15
+### Changed
+- Update homepage URI to portfolio hyphenated path
 ## [0.2.1] - 2026-03-31
 ### Changed

data/README.md CHANGED Viewed

@@ -114,6 +114,26 @@ client.deliver(
 )
 ```
+### Verifying signatures
+On the receiving side, use the same secret to verify the signature sent in the
+`X-Webhook-Signature` header. The comparison is constant-time and will never
+raise on malformed input.
+```ruby
+require "philiprehberger/webhook_builder"
+secret = "shared-signing-secret"
+sender = Philiprehberger::WebhookBuilder.new(url: "https://example.com/webhooks", secret: secret)
+receiver = Philiprehberger::WebhookBuilder.new(url: "https://example.com/webhooks", secret: secret)
+body = '{"event":"order.created","payload":{"id":1}}'
+signature = OpenSSL::HMAC.hexdigest("SHA256", secret, body)
+receiver.verify_signature(body: body, signature: signature) # => true
+receiver.verify_signature(body: body, signature: "tampered") # => false
+```
 ### Delivery Tracking
 ```ruby
@@ -143,6 +163,7 @@ delivery.error          # => nil or error message
 | `.new(url:, secret:, timeout:, max_retries:, backoff:, concurrency:, default_headers:)` | Create a webhook client |
 | `#deliver(event:, payload:, headers:)` | Deliver a webhook event and return a Delivery |
 | `#deliver_batch(events)` | Deliver multiple events concurrently and return an array of Delivery results |
+| `#verify_signature(body:, signature:)` | Constant-time HMAC-SHA256 verification of an incoming signature; returns `true`/`false` and never raises |
 ### `Delivery`

data/lib/philiprehberger/webhook_builder/client.rb CHANGED Viewed

@@ -137,6 +137,22 @@ module Philiprehberger
         results
       end
+      # Verify an HMAC-SHA256 signature against a raw request body.
+      #
+      # Uses a constant-time comparison to resist timing attacks. Returns
+      # +false+ (never raises) when the provided signature has a different
+      # length than the expected hex digest.
+      #
+      # @param body [String] the raw request body
+      # @param signature [String] the hex-encoded signature to verify
+      # @return [Boolean] true when the signature matches, false otherwise
+      def verify_signature(body:, signature:)
+        expected = sign(body)
+        return false unless signature.is_a?(String) && signature.bytesize == expected.bytesize
+        OpenSSL.fixed_length_secure_compare(expected, signature)
+      end
       private
       # Sign the request body with HMAC-SHA256.

data/lib/philiprehberger/webhook_builder/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Philiprehberger
   module WebhookBuilder
-    VERSION = '0.2.1'
+    VERSION = '0.3.0'
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: philiprehberger-webhook_builder
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.3.0
 platform: ruby
 authors:
 - Philip Rehberger
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-03-31 00:00:00.000000000 Z
+date: 2026-04-19 00:00:00.000000000 Z
 dependencies: []
 description: A webhook delivery client that signs payloads with HMAC-SHA256, retries
   failed deliveries with configurable backoff strategies, supports batch delivery,
@@ -28,11 +28,11 @@ files:
 - lib/philiprehberger/webhook_builder/client.rb
 - lib/philiprehberger/webhook_builder/delivery.rb
 - lib/philiprehberger/webhook_builder/version.rb
-homepage: https://github.com/philiprehberger/rb-webhook-builder
+homepage: https://philiprehberger.com/open-source-packages/ruby/philiprehberger-webhook_builder
 licenses:
 - MIT
 metadata:
-  homepage_uri: https://github.com/philiprehberger/rb-webhook-builder
+  homepage_uri: https://philiprehberger.com/open-source-packages/ruby/philiprehberger-webhook_builder
   source_code_uri: https://github.com/philiprehberger/rb-webhook-builder
   changelog_uri: https://github.com/philiprehberger/rb-webhook-builder/blob/main/CHANGELOG.md
   bug_tracker_uri: https://github.com/philiprehberger/rb-webhook-builder/issues