polar_sh 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ec3d4123f3e156b0f1831d24dd9657d0c12c34597d3123d9d22ca43913881d63
-  data.tar.gz: c716d766937d240ced1bb1f1fb1fa5b2a1539ff6895ae7db9077d169957d721c
+  metadata.gz: 84bce050ddccdcfb7709e2815db0ead0e4591cca1fe007972be02b217c5172da
+  data.tar.gz: 30c54873668cabb778e3134b69b1ddf19c12fcbb72d75a65c3f43ad35d938cdc
 SHA512:
-  metadata.gz: a4c7ec8ef2136ba7a530579c2f01c97ac7a030d7b31c0c0a1de5a71f4dec1d5887370f34620c9fa6a86476569456d366060e1e3d184ff0f54c2c20423ff1f118
-  data.tar.gz: 5f7ad2caeeff953d840da4b026ef6ee14e8ddc554760a6c405434c98a961b577da364da8deea9d120471001b5f8c0a27e714aa927c06269d2935aba75ab49b82
+  metadata.gz: '078fcb5ab44cd333d9fc3cf935d22c55386c1395626d7d0c181792267be2c6f7515610f5ee7755670ed82d82d79c94b8c9b9f6b06e25e5740af836777fdf06ac'
+  data.tar.gz: 7365e3ebcf7953f097af85d56164769da44b36856661c369adf86d2c91eefd91b29ce9eeaa2cacf5794017489f433f426917138cca9c95729baa55e783952413

data/CHANGELOG.md

@@ -1,5 +1,8 @@
-## [Unreleased]
+## 0.2.0
 
-## [0.1.0] - 2024-12-20
+- Add `Polar::Webhook`
+- Add more resources
+
+## 0.1.0
 
 - Initial release

data/README.md

@@ -14,22 +14,59 @@ bundle add polar_sh
 Polar.configure do |config|
   config.access_token = "polar_..."
   config.sandbox = true
+  config.webhook_secret = "xyz..."
 end
 
-# Fetch a list of customers
-pp Polar::Customer.list
+class CheckoutsController < ApplicationController
+  def create
+    checkout = Polar::Checkout::Custom.create(
+      customer_email: current_user.email,
+      metadata: {user_id: current_user.id},
+      product_id: "xyzxyz-...",
+      success_url: root_path
+    )
+
+    redirect_to(checkout.url, allow_other_host: true)
+  end
+end
+
+class WebhooksController < ApplicationController
+  skip_before_action :verify_authenticity_token
+
+  def handle_polar
+    event = Polar::Webhook.verify(request)
+
+    Rails.logger.info("Received Polar webhook: #{event.type}")
+
+    case event.type
+    when "order.created"
+      process_order(event.object)
+    end
+
+    head(:ok)
+  end
+
+  private
+
+  def process_order(order)
+    return unless order.status == "paid"
+    return unless (user = User.find(order.metadata[:user_id]))
+
+    # ...
+  end
+end
 ```
 
 ## Development
 
 ```sh
-$ bundle
-$ rake spec
+bundle
+rake spec
 ```
 
 ## Contributing
 
-Bug reports and pull requests are welcome on GitHub at https://github.com/mikker/polar_sh.
+Bug reports and pull requests are welcome on GitHub at <https://github.com/mikker/polar_sh>.
 
 ## License
 

data/lib/polar/configuration.rb

@@ -4,6 +4,7 @@ module Polar
   class Configuration
     attr_accessor :access_token
     attr_accessor :sandbox
+    attr_accessor :webhook_secret
 
     alias sandbox? sandbox
 

data/lib/polar/resources/benefit.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Polar
+  class Benefit < Resource
+    def self.list(params = {})
+      response = Client.get_request("/v1/benefits", **params)
+      handle_list(response)
+    end
+
+    def self.create(params)
+      response = Client.post_request("/v1/benefits", **params)
+      handle_one(response)
+    end
+
+    def self.get(id)
+      response = Client.get_request("/v1/benefits/#{id}")
+      handle_one(response)
+    end
+
+    def self.update(id, params)
+      response = Client.patch_request("/v1/benefits/#{id}", **params)
+      handle_one(response)
+    end
+
+    def self.delete(id)
+      response = Client.delete_request("/v1/benefits/#{id}")
+      handle_one(response)
+    end
+  end
+end
+

data/lib/polar/resources/benefit_grant.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Polar
+  class BenefitGrant < Resource
+    def self.list(params = {})
+      response = Client.get_request("/v1/benefits/grants", **params)
+      handle_list(response)
+    end
+  end
+end

data/lib/polar/resources/order.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module Polar
+  class Order < Resource
+    def self.list(params = {})
+      response = Client.get_request("/v1/orders", **params)
+      handle_list(response)
+    end
+
+    def self.get(id)
+      response = Client.get_request("/v1/orders/#{id}")
+      handle_one(response)
+    end
+
+    def self.get_invoice(id)
+      response = Client.get_request("/v1/orders/#{id}/invoice")
+      handle_one(response, Invoice)
+    end
+  end
+end

data/lib/polar/resources/refund.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Polar
+  class Refund < Resource
+    def self.list(params = {})
+      response = Client.get_request("/v1/refunds", **params)
+      handle_list(response)
+    end
+
+    def self.create(params)
+      response = Client.post_request("/v1/refunds", **params)
+      handle_one(response)
+    end
+  end
+end 

data/lib/polar/resources/subscription.rb

@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module Polar
+  class Subscription < Resource
+    def self.list(params = {})
+      response = Client.get_request("/v1/subscriptions", **params)
+      handle_list(response)
+    end
+
+    def self.export(params = {})
+      response = Client.get_request("/v1/subscriptions/export", **params)
+      handle_list(response)
+    end
+
+    def self.get(id)
+      response = Client.get_request("/v1/subscriptions/#{id}")
+      handle_one(response)
+    end
+
+    def self.update(id, params)
+      response = Client.patch_request("/v1/subscriptions/#{id}", **params)
+      handle_one(response)
+    end
+
+    def self.delete(id)
+      response = Client.delete_request("/v1/subscriptions/#{id}")
+      handle_one(response)
+    end
+
+    # Customer Portal methods
+    def self.list_for_customer(params = {})
+      response = Client.get_request("/v1/customer-portal/subscriptions", **params)
+      handle_list(response)
+    end
+
+    def self.get_for_customer(id)
+      response = Client.get_request("/v1/customer-portal/subscriptions/#{id}")
+      handle_one(response)
+    end
+
+    def self.update_for_customer(id, params)
+      response = Client.patch_request("/v1/customer-portal/subscriptions/#{id}", **params)
+      handle_one(response)
+    end
+
+    def self.delete_for_customer(id)
+      response = Client.delete_request("/v1/customer-portal/subscriptions/#{id}")
+      handle_one(response)
+    end
+  end
+end
+

data/lib/polar/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Polar
-  VERSION = "0.1.1"
+  VERSION = "0.2.0"
 end

data/lib/polar/webhook.rb

@@ -0,0 +1,49 @@
+module Polar
+  class Webhook
+    def initialize(request, secret: nil)
+      unless (unencoded_secret = secret || Polar.config.webhook_secret) && unencoded_secret != ""
+        raise ArgumentError, "No webhook secret provided, set Polar.config.webhook_secret"
+      end
+
+      @secret = Base64.encode64(unencoded_secret)
+      @request = request
+      @payload = JSON.parse(request.raw_post, symbolize_names: true)
+      @type = @payload[:type]
+      @object = cast_object
+    end
+
+    attr_reader :secret, :request, :payload, :type, :object
+
+    def verify
+      StandardWebhooks::Webhook.new(@secret).verify(request.raw_post, request.headers)
+      self
+    end
+
+    def cast_object
+      case type
+      when /^checkout\./
+        Checkout::Custom.handle_one(payload[:data])
+      when /^order\./
+        Order.handle_one(payload[:data])
+      when /^subscription\./
+        Subscription.handle_one(payload[:data])
+      when /^refund\./
+        Refund.handle_one(payload[:data])
+      when /^product\./
+        Product.handle_one(payload[:data])
+      when /^pledge\./
+        Pledge.handle_one(payload[:data])
+      when /^organization\./
+        Organization.handle_one(payload[:data])
+      when /^benefit\./
+        Benefit.handle_one(payload[:data])
+      when /^benefit_grant\./
+        BenefitGrant.handle_one(payload[:data])
+      end
+    end
+
+    def self.verify(request, secret: nil)
+      new(request, secret: secret).verify
+    end
+  end
+end

data/lib/polar.rb

@@ -4,20 +4,27 @@ require "ostruct"
 require "http"
 
 require_relative "polar/version"
+require "standard_webhooks"
 
 module Polar
   autoload :Configuration, "polar/configuration"
   autoload :Client, "polar/client"
   autoload :Error, "polar/error"
   autoload :Resource, "polar/resource"
+  autoload :Webhook, "polar/webhook"
 
+  autoload :Benefit, "polar/resources/benefit"
+  autoload :BenefitGrant, "polar/resources/benefit_grant"
   autoload :Customer, "polar/resources/customer"
   autoload :CustomerSession, "polar/resources/customer_session"
   autoload :Discount, "polar/resources/discount"
   autoload :Checkout, "polar/resources/checkout"
   autoload :LicenseKey, "polar/resources/license_key"
+  autoload :Order, "polar/resources/order"
   autoload :Organization, "polar/resources/organization"
   autoload :Product, "polar/resources/product"
+  autoload :Refund, "polar/resources/refund"
+  autoload :Subscription, "polar/resources/subscription"
   autoload :User, "polar/resources/user"
 
   class << self

data/lib/standard_webhooks.rb

@@ -0,0 +1,137 @@
+# frozen_string_literal: true
+
+require "json"
+require "openssl"
+require "base64"
+require "uri"
+
+# Constant time string comparison, for fixed length strings.
+# Code borrowed from ActiveSupport
+# https://github.com/rails/rails/blob/75ac626c4e21129d8296d4206a1960563cc3d4aa/activesupport/lib/active_support/security_utils.rb#L33
+#
+# The values compared should be of fixed length, such as strings
+# that have already been processed by HMAC. Raises in case of length mismatch.
+module StandardWebhooks
+  if defined?(OpenSSL.fixed_length_secure_compare)
+    def fixed_length_secure_compare(a, b)
+      OpenSSL.fixed_length_secure_compare(a, b)
+    end
+  else
+    def fixed_length_secure_compare(a, b)
+      raise ArgumentError, "string length mismatch." unless a.bytesize == b.bytesize
+
+      l = a.unpack("C#{a.bytesize}")
+
+      res = 0
+      b.each_byte { |byte| res |= byte ^ l.shift }
+      res == 0
+    end
+  end
+
+  module_function :fixed_length_secure_compare
+
+  # Secure string comparison for strings of variable length.
+  #
+  # While a timing attack would not be able to discern the content of
+  # a secret compared via secure_compare, it is possible to determine
+  # the secret length. This should be considered when using secure_compare
+  # to compare weak, short secrets to user input.
+  def secure_compare(a, b)
+    a.length == b.length && fixed_length_secure_compare(a, b)
+  end
+
+  module_function :secure_compare
+
+  class StandardWebhooksError < StandardError
+    attr_reader :message
+
+    def initialize(message = nil)
+      @message = message
+    end
+  end
+
+  class WebhookVerificationError < StandardWebhooksError
+  end
+
+  class WebhookSigningError < StandardWebhooksError
+  end
+
+  class Webhook
+    def self.new_using_raw_bytes(secret)
+      self.new(secret.pack("C*").force_encoding("UTF-8"))
+    end
+
+    def initialize(secret)
+      if secret.start_with?(SECRET_PREFIX)
+        secret = secret[SECRET_PREFIX.length..-1]
+      end
+
+      @secret = Base64.decode64(secret)
+    end
+
+    def verify(payload, headers)
+      msg_id = headers["webhook-id"]
+      msg_signature = headers["webhook-signature"]
+      msg_timestamp = headers["webhook-timestamp"]
+
+      if !msg_signature || !msg_id || !msg_timestamp
+        raise WebhookVerificationError, "Missing required headers"
+      end
+
+      verify_timestamp(msg_timestamp)
+
+      _, signature = sign(msg_id, msg_timestamp, payload).split(",", 2)
+
+      passed_signatures = msg_signature.split(" ")
+
+      passed_signatures.each do |versioned_signature|
+        version, expected_signature = versioned_signature.split(",", 2)
+
+        if version != "v1"
+          next
+        end
+
+        if ::StandardWebhooks::secure_compare(signature, expected_signature)
+          return JSON.parse(payload, symbolize_names: true)
+        end
+      end
+
+      raise WebhookVerificationError, "No matching signature found"
+    end
+
+    def sign(msg_id, timestamp, payload)
+      begin
+        now = Integer(timestamp)
+      rescue
+        raise WebhookSigningError, "Invalid timestamp"
+      end
+
+      to_sign = "#{msg_id}.#{timestamp}.#{payload}"
+      signature = Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), @secret, to_sign)).strip
+
+      return "v1,#{signature}"
+    end
+
+    private
+
+    SECRET_PREFIX = "whsec_"
+    TOLERANCE = 5 * 60
+
+    def verify_timestamp(timestamp_header)
+      begin
+        now = Integer(Time.now)
+        timestamp = Integer(timestamp_header)
+      rescue
+        raise WebhookVerificationError, "Invalid Signature Headers"
+      end
+
+      if timestamp < (now - TOLERANCE)
+        raise WebhookVerificationError, "Message timestamp too old"
+      end
+
+      if timestamp > (now + TOLERANCE)
+        raise WebhookVerificationError, "Message timestamp too new"
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: polar_sh
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
-original_platform: ''
 authors:
 - Mikkel Malmberg
 bindir: bin
 cert_chain: []
-date: 2024-12-20 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: http
@@ -24,6 +23,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '5'
+- !ruby/object:Gem::Dependency
+  name: ostruct
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.6'
 description: Interact with the Polar API
 email:
 - mikkel@brnbw.com
@@ -40,17 +53,24 @@ files:
 - lib/polar/configuration.rb
 - lib/polar/error.rb
 - lib/polar/resource.rb
+- lib/polar/resources/benefit.rb
+- lib/polar/resources/benefit_grant.rb
 - lib/polar/resources/checkout.rb
 - lib/polar/resources/checkout/custom.rb
 - lib/polar/resources/customer.rb
 - lib/polar/resources/customer_session.rb
 - lib/polar/resources/discount.rb
 - lib/polar/resources/license_key.rb
+- lib/polar/resources/order.rb
 - lib/polar/resources/organization.rb
 - lib/polar/resources/product.rb
+- lib/polar/resources/refund.rb
+- lib/polar/resources/subscription.rb
 - lib/polar/resources/user.rb
 - lib/polar/version.rb
+- lib/polar/webhook.rb
 - lib/polar_sh.rb
+- lib/standard_webhooks.rb
 homepage: https://github.com/mikker/polar_sh
 licenses:
 - MIT
@@ -72,7 +92,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.1
+rubygems_version: 3.6.9
 specification_version: 4
 summary: API client for Polar.sh
 test_files: []