redsys-ruby 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: f2c59de6ca071087c65956f103290027fc275a3a91c95e09c0fda848880277d3
+  data.tar.gz: ac727ac835a38599f63a17f5e5914cda495e7eae09a8235af5fc0201690aed45
+SHA512:
+  metadata.gz: 528545461443b6f03d37ebe624fd96157eb5c609f505fa96f03d33f4e4cdd6bf7d3c05b174c82e9202b48cf6c72f0c05d4c6890e8a937542b44b1afad675ecf5
+  data.tar.gz: 79b53403ef78056c8905a6998d211369358422bacad3e3215c2f952436d8f80d794c869129c22c2c537258e11a2b691979d6cd9b83082e7f5079a4a37a52c48a

data/.jules/palette.md

@@ -0,0 +1,7 @@
+## 2025-05-15 - Redsys Payment Trust Markers
+**Learning:** Adding trust markers like "Secure Payment" notices and lock icons is crucial for UX in financial transactions, even in demo or redirect pages. It reduces user anxiety before being redirected to an external gateway.
+**Action:** Always include trust signals (lock icons, security text) near payment-related CTA buttons.
+
+## 2025-05-15 - Immediate Feedback on Redirect
+**Learning:** For forms that redirect to an external site (like Redsys), providing immediate feedback (disabling button, changing text to "Processing...") is essential to prevent multiple clicks and reassure the user that the redirection is in progress.
+**Action:** Use `data-disable-with` or a simple `onsubmit` handler for all redirect-heavy forms.

data/.jules/sentinel.md

@@ -0,0 +1,24 @@
+## 2025-05-24 - [Secure Configuration Handling]
+**Vulnerability:** The configuration UI was unprotected, used plain text fields for secrets, and lacked input validation. It also used `YAML.load_file` which is potentially vulnerable to RCE.
+**Learning:** For Rails Engines providing a configuration UI, it's crucial to mask secrets, validate inputs strictly, and ensure the UI is not accidentally exposed at the root route.
+**Prevention:** Use `password_field` for secrets, `YAML.safe_load_file` for configuration loading, and move sensitive routes away from the engine root.
+
+## 2025-05-25 - [Insecure Storage of Secrets in Configuration File]
+**Vulnerability:** Secrets like `merchant_key` were being written to a plain YAML file (`config/redsys.yml`) in the application directory.
+**Learning:** Secrets should never be persisted in plain text files within the application directory. They should be managed via environment variables or encrypted credentials.
+**Prevention:** Exclude secrets from YAML serialization and prioritize loading from `ENV` or `Rails.application.credentials`.
+
+## 2026-02-19 - [Unauthenticated Configuration Endpoint]
+**Vulnerability:** The configuration UI in the Rails engine was accessible to unauthenticated users because it inherited directly from ActionController::Base and lacked any authentication filters.
+**Learning:** Rails engines must provide a mechanism for host applications to secure engine-provided controllers, typically by making the parent controller configurable and providing authentication hooks.
+**Prevention:** Implement a configurable 'parent_controller' and 'before_action' hooks in the engine's base controller to allow integration with the host application's authentication system.
+
+## 2025-05-26 - [Insecure Random Order ID Generation]
+**Vulnerability:** The gem used Ruby's insecure `rand` method with a small range (5 digits) to generate default order IDs, leading to high collision risk and lack of cryptographic security.
+**Learning:** For identifiers in payment systems, cryptographically secure random number generators (like `SecureRandom`) should be used, and the range should be maximized to prevent collisions.
+**Prevention:** Use `SecureRandom` instead of `rand` and utilize the full length allowed by the payment gateway (12 digits for Redsys) to ensure uniqueness and security.
+
+## 2026-02-19 - [Sensitive Data Exposure in View]
+**Vulnerability:** Rendering sensitive secrets in the 'value' attribute of a password input field allowed the cleartext secret to be retrieved from the page source.
+**Learning:** Even when using `password_field`, Rails may render the `value` attribute if explicitly provided, exposing the secret in the HTML source. Sensitive fields should never have their values pre-filled in the HTML.
+**Prevention:** Remove the `value` attribute from sensitive input fields to ensure they remain empty in the rendered HTML, relying on user input for updates.

data/README.md

@@ -0,0 +1,116 @@
+# RedsysRuby
+
+A Ruby gem for making payments with Redsys using the HMAC-SHA256 signature algorithm.
+
+**Note:** This documentation and some parts of the code use Spanish terms because Redsys is a payment provider that operates in Spain.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'redsys-ruby'
+```
+
+And then execute:
+
+    $ bundle install
+
+Or install it yourself as:
+
+    $ gem install redsys-ruby
+
+### Rails Integration
+
+This gem includes a Rails Engine that provides a configuration interface, payment helpers, and premium success/failure pages.
+
+#### 1. Mount the Engine
+
+Add the following to your `config/routes.rb`:
+
+```ruby
+mount RedsysRuby::Engine => "/redsys_ruby"
+```
+
+#### 2. Configuration
+
+For security, it is highly recommended to manage your secrets (like `merchant_key`) using **environment variables** or **Rails encrypted credentials**.
+
+##### Using Environment Variables (Recommended)
+
+Set the following environment variables in your system or using a gem like `dotenv`:
+
+* `REDSYS_MERCHANT_KEY`: Your 256-bit merchant key (Base64 encoded).
+* `REDSYS_MERCHANT_CODE`: Your 9-digit merchant code (FUC).
+* `REDSYS_TERMINAL`: Your 3-digit terminal number.
+* `REDSYS_ENVIRONMENT`: `test` or `production`.
+
+##### Using Rails Credentials
+
+You can also add these values to your encrypted credentials:
+
+```yaml
+# bin/rails credentials:edit
+redsys:
+  merchant_key: "your_merchant_key_base64"
+  merchant_code: "999008881"
+  terminal: "001"
+  environment: "test"
+```
+
+##### Using the Configuration UI
+
+Alternatively, you can configure non-sensitive settings through the provided UI at `/redsys_ruby/configuration/edit`. Note that for security reasons, the `merchant_key` will **not** be saved to the `config/redsys.yml` file and should be provided via one of the methods above.
+
+**Security Note:** By default, the configuration UI is unauthenticated. You should secure it by configuring an authentication method in an initializer:
+
+```ruby
+# config/initializers/redsys.rb
+RedsysRuby.configure do |config|
+  # Specify the parent controller for the engine (default: "ActionController::Base")
+  # Use your application's base controller to inherit its authentication and layout
+  config.parent_controller = "ApplicationController"
+
+  # Or provide a custom authentication block
+  config.before_configuration_action = -> {
+    # e.g., using Devise:
+    # authenticate_user!
+    # redirect_to root_path unless current_user.admin?
+  }
+end
+```
+
+#### 3. Using the Payment Form Helper
+
+In your views, you can use the `redsys_payment_form` helper to generate a payment form that redirects to Redsys:
+
+```erb
+<%= redsys_payment_form(amount: 10.50, order: "123456789012", description: "Product description") %>
+```
+
+The helper automatically includes:
+- **Ds_SignatureVersion**
+- **Ds_MerchantParameters**
+- **Ds_Signature**
+- **Ds_Merchant_UrlOK**: Points to the built-in premium success page.
+- **Ds_Merchant_UrlKO**: Points to the built-in premium failure page.
+
+### Premium Success & Failure Pages
+
+The gem provides beautifully designed `Ok` and `KO` pages that match modern aesthetics, featuring:
+- Inter typography.
+- Smooth gradients and micro-animations.
+- Responsive design.
+- Backdrop blur effects.
+
+---
+
+### Low-level Ruby Usage (Non-Rails)
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `bundle exec rspec` to run the tests.
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/smallpush/redsys-ruby.

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/app/controllers/redsys_ruby/application_controller.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module RedsysRuby
+  class ApplicationController < RedsysRuby.parent_controller.constantize
+    layout "application"
+  end
+end

data/app/controllers/redsys_ruby/configurations_controller.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module RedsysRuby
+  class ConfigurationsController < ApplicationController
+    before_action :authenticate_configuration!
+
+    def edit
+      @configuration = Configuration.load
+    end
+
+    def update
+      @configuration = Configuration.new(configuration_params)
+      if @configuration.save
+        redirect_to edit_configuration_path, notice: "Configuración actualizada correctamente."
+      else
+        render :edit, status: :unprocessable_entity
+      end
+    end
+
+    private
+
+    def authenticate_configuration!
+      if RedsysRuby.before_configuration_action.is_a?(Proc)
+        instance_exec(&RedsysRuby.before_configuration_action)
+      end
+    end
+
+    def configuration_params
+      params.require(:configuration).permit(:merchant_key, :merchant_code, :terminal, :environment)
+    end
+  end
+end

data/app/controllers/redsys_ruby/payments_controller.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module RedsysRuby
+  class PaymentsController < ApplicationController
+    def index
+      @order_id = Time.now.to_i.to_s[-12..-1] # Redsys order must be max 12 chars
+      @amount = 10.50
+    end
+
+    def ok
+    end
+
+    def ko
+    end
+  end
+end

data/app/helpers/redsys_ruby/payments_helper.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module RedsysRuby
+  module PaymentsHelper
+    def redsys_payment_form(amount:, order: nil, description: nil, button_text: "Pagar con Redsys", button_class: "redsys-submit")
+      config = Configuration.load
+      tpv = TPV.new(merchant_key: config.merchant_key)
+
+      order ||= SecureRandom.random_number(10**12).to_s.rjust(12, "0")
+
+      params = {
+        Ds_Merchant_Amount: (amount.to_f * 100).to_i.to_s,
+        Ds_Merchant_Order: order.to_s,
+        Ds_Merchant_MerchantCode: config.merchant_code,
+        Ds_Merchant_Currency: "978", # EUR
+        Ds_Merchant_TransactionType: "0", # Autorización
+        Ds_Merchant_Terminal: config.terminal,
+        Ds_Merchant_MerchantURL: "", # Should be configured or passed
+        Ds_Merchant_UrlOK: RedsysRuby::Engine.routes.url_helpers.ok_payments_url(host: request.base_url),
+        Ds_Merchant_UrlKO: RedsysRuby::Engine.routes.url_helpers.ko_payments_url(host: request.base_url)
+      }
+
+      params[:Ds_Merchant_ProductDescription] = description if description.present?
+
+      payment_data = tpv.payment_data(params)
+      url = config.environment == "production" ? TPV::PRODUCTION_URL : TPV::TEST_URL
+
+      form_with url: url, method: :post, local: true, html: { id: "redsys_payment_form" } do |f|
+        concat f.hidden_field :Ds_SignatureVersion, value: payment_data[:Ds_SignatureVersion]
+        concat f.hidden_field :Ds_MerchantParameters, value: payment_data[:Ds_MerchantParameters]
+        concat f.hidden_field :Ds_Signature, value: payment_data[:Ds_Signature]
+        concat f.submit button_text,
+                     class: button_class,
+                     aria: { label: "#{button_text} - Redirigir a pasarela de pago segura" },
+                     data: { disable_with: "Procesando..." }
+      end
+    end
+  end
+end

data/app/models/redsys_ruby/configuration.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+module RedsysRuby
+  class Configuration
+    include ActiveModel::Model
+    include ActiveModel::Validations
+
+    attr_accessor :merchant_key, :merchant_code, :terminal, :environment
+
+    validates :merchant_key, :merchant_code, :terminal, :environment, presence: true
+    validates :merchant_code, format: { with: /\A\d{9}\z/, message: "debe tener exactamente 9 dígitos" }
+    validates :terminal, format: { with: /\A\d{3}\z/, message: "debe tener exactamente 3 dígitos" }
+    validates :environment, inclusion: { in: %w[test production], message: "debe ser 'test' o 'production'" }
+
+    CONFIG_PATH = Rails.root.join("config", "redsys.yml")
+
+    def self.load
+      config = {}
+      if File.exist?(CONFIG_PATH)
+        config = (YAML.safe_load_file(CONFIG_PATH, aliases: true) || {})[Rails.env] || {}
+      end
+
+      creds = Rails.application.credentials.redsys rescue {}
+
+      new(
+        merchant_key: ENV["REDSYS_MERCHANT_KEY"] || creds[:merchant_key] || config["merchant_key"],
+        merchant_code: ENV["REDSYS_MERCHANT_CODE"] || creds[:merchant_code] || config["merchant_code"],
+        terminal: ENV["REDSYS_TERMINAL"] || creds[:terminal] || config["terminal"],
+        environment: ENV["REDSYS_ENVIRONMENT"] || creds[:environment] || config["environment"] || "test"
+      )
+    end
+
+    def merchant_key_from_secure_source?
+      ENV["REDSYS_MERCHANT_KEY"].present? || (Rails.application.credentials.redsys&.dig(:merchant_key).present? rescue false)
+    end
+
+    def save
+      return false unless valid?
+
+      config_data = {}
+      if File.exist?(CONFIG_PATH)
+        config_data = YAML.safe_load_file(CONFIG_PATH, aliases: true) || {}
+      end
+
+      # We exclude merchant_key from the YAML file for security reasons.
+      # Secrets should be managed via environment variables or encrypted credentials.
+      data_to_save = attributes.except("merchant_key")
+
+      config_data[Rails.env] = data_to_save
+      File.write(CONFIG_PATH, config_data.to_yaml)
+      true
+    end
+
+    def attributes
+      {
+        "merchant_key" => merchant_key,
+        "merchant_code" => merchant_code,
+        "terminal" => terminal,
+        "environment" => environment
+      }
+    end
+  end
+end

data/app/views/redsys_ruby/configurations/edit.html.erb

@@ -0,0 +1,152 @@
+<style>
+  .redsys-config-container {
+    max-width: 600px;
+    margin: 40px auto;
+    padding: 30px;
+    background: rgba(255, 255, 255, 0.95);
+    border-radius: 16px;
+    box-shadow: 0 10px 30px rgba(0, 0, 0, 0.1);
+    backdrop-filter: blur(10px);
+    font-family: 'Inter', system-ui, -apple-system, sans-serif;
+  }
+
+  .redsys-header {
+    text-align: center;
+    margin-bottom: 30px;
+  }
+
+  .redsys-header h1 {
+    color: #1a1a1a;
+    font-size: 24px;
+    font-weight: 700;
+    margin-bottom: 8px;
+  }
+
+  .redsys-header p {
+    color: #666;
+    font-size: 14px;
+  }
+
+  .redsys-form-group {
+    margin-bottom: 20px;
+  }
+
+  .redsys-label {
+    display: block;
+    font-size: 14px;
+    font-weight: 600;
+    color: #444;
+    margin-bottom: 8px;
+  }
+
+  .redsys-input, .redsys-select {
+    width: 100%;
+    padding: 12px 16px;
+    border: 1px solid #ddd;
+    border-radius: 8px;
+    font-size: 15px;
+    transition: all 0.3s ease;
+    box-sizing: border-box;
+  }
+
+  .redsys-input:focus, .redsys-select:focus {
+    outline: none;
+    border-color: #3b82f6;
+    box-shadow: 0 0 0 4px rgba(59, 130, 246, 0.1);
+  }
+
+  .redsys-submit {
+    width: 100%;
+    padding: 14px;
+    background: linear-gradient(135deg, #3b82f6 0%, #2563eb 100%);
+    color: white;
+    border: none;
+    border-radius: 8px;
+    font-size: 16px;
+    font-weight: 600;
+    cursor: pointer;
+    transition: transform 0.2s, box-shadow 0.2s;
+    margin-top: 10px;
+  }
+
+  .redsys-submit:hover {
+    transform: translateY(-1px);
+    box-shadow: 0 4px 12px rgba(37, 99, 235, 0.3);
+  }
+
+  .redsys-notice {
+    padding: 12px 16px;
+    background: #ecfdf5;
+    color: #065f46;
+    border-radius: 8px;
+    margin-bottom: 20px;
+    font-size: 14px;
+  }
+
+  .redsys-errors {
+    padding: 12px 16px;
+    background: #fef2f2;
+    color: #991b1b;
+    border-radius: 8px;
+    margin-bottom: 20px;
+    font-size: 14px;
+  }
+</style>
+
+<div class="redsys-config-container">
+  <div class="redsys-header">
+    <h1>Configurar Redsys</h1>
+    <p>Introduce tus credenciales del TPVVirtual</p>
+  </div>
+
+  <% if flash[:notice] %>
+    <div class="redsys-notice">
+      <%= flash[:notice] %>
+    </div>
+  <% end %>
+
+  <% if @configuration.errors.any? %>
+    <div class="redsys-errors">
+      <ul>
+        <% @configuration.errors.full_messages.each do |msg| %>
+          <li><%= msg %></li>
+        <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <%= form_with model: @configuration, url: configuration_path, method: :patch, local: true do |f| %>
+    <div class="redsys-form-group">
+      <%= f.label :merchant_key, "Merchant Key (FUC Key)", class: "redsys-label" %>
+      <% if @configuration.merchant_key_from_secure_source? %>
+        <div class="redsys-input" style="background: #ecfdf5; color: #065f46; border-color: #10b981; display: flex; align-items: center; gap: 8px;">
+          <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"></polyline></svg>
+          Configurada mediante variable de entorno o credenciales
+        </div>
+      <% else %>
+        <%= f.password_field :merchant_key, class: "redsys-input", placeholder: "Ej: sq7H5YzEBhyUTLe6BArsth4i..." %>
+        <p style="font-size: 12px; color: #b91c1c; margin-top: 8px; display: flex; align-items: flex-start; gap: 6px;">
+          <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="flex-shrink: 0; margin-top: 2px;"><circle cx="12" cy="12" r="10"></circle><line x1="12" y1="8" x2="12" y2="12"></line><line x1="12" y1="16" x2="12.01" y2="16"></line></svg>
+          <span>Por seguridad, se recomienda configurar esta clave mediante la variable de entorno <code>REDSYS_MERCHANT_KEY</code> o en las credenciales encriptadas de Rails.</span>
+        </p>
+      <% end %>
+    </div>
+
+    <div class="redsys-form-group">
+      <%= f.label :merchant_code, "Código de Comercio (FUC)", class: "redsys-label" %>
+      <%= f.text_field :merchant_code, class: "redsys-input", placeholder: "Ej: 999008881" %>
+    </div>
+
+    <div class="redsys-form-group">
+      <%= f.label :terminal, "Terminal", class: "redsys-label" %>
+      <%= f.text_field :terminal, class: "redsys-input", placeholder: "Ej: 001" %>
+    </div>
+
+    <div class="redsys-form-group">
+      <%= f.label :environment, "Entorno", class: "redsys-label" %>
+      <%= f.select :environment, [["Pruebas", "test"], ["Producción", "production"]], {}, class: "redsys-select" %>
+    </div>
+
+    <%= f.submit "Guardar Configuración", class: "redsys-submit" %>
+  <% end %>
+</div>

data/app/views/redsys_ruby/payments/index.html.erb

@@ -0,0 +1,77 @@
+<style>
+  .redsys-demo-container {
+    max-width: 600px;
+    margin: 40px auto;
+    padding: 30px;
+    background: white;
+    border-radius: 16px;
+    box-shadow: 0 10px 30px rgba(0, 0, 0, 0.1);
+    text-align: center;
+    font-family: 'Inter', system-ui, sans-serif;
+  }
+  .redsys-amount {
+    font-size: 48px;
+    font-weight: 800;
+    color: #1a1a1a;
+    margin: 20px 0;
+  }
+  .redsys-submit {
+    display: inline-block;
+    padding: 14px 28px;
+    background: #2563eb;
+    color: white;
+    text-decoration: none;
+    border-radius: 8px;
+    font-weight: 600;
+    border: none;
+    cursor: pointer;
+    transition: all 0.2s;
+  }
+  .redsys-submit:hover {
+    background: #1d4ed8;
+    transform: translateY(-1px);
+    box-shadow: 0 4px 12px rgba(37, 99, 235, 0.2);
+  }
+  .redsys-submit:active {
+    transform: translateY(0) scale(0.98);
+  }
+  .redsys-submit:focus-visible {
+    outline: 2px solid #2563eb;
+    outline-offset: 2px;
+  }
+  .redsys-secure-notice {
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    gap: 8px;
+    margin-top: 16px;
+    color: #059669;
+    font-size: 14px;
+    font-weight: 500;
+  }
+</style>
+
+<div class="redsys-demo-container">
+  <h1>Prueba de Pago</h1>
+  <p>Estás a punto de realizar un pago de prueba con Redsys.</p>
+
+  <div class="redsys-amount" aria-label="Importe a pagar: <%= number_to_currency(@amount, unit: '€') %>">
+    <%= number_to_currency(@amount, unit: "€") %>
+  </div>
+
+  <p>ID de Pedido: <strong><%= @order_id %></strong></p>
+
+  <%= redsys_payment_form(amount: @amount, order: @order_id, description: "Compra de prueba") %>
+
+  <div class="redsys-secure-notice">
+    <svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
+      <rect x="3" y="11" width="18" height="11" rx="2" ry="2"></rect>
+      <path d="M7 11V7a5 5 0 0 1 10 0v4"></path>
+    </svg>
+    <span>Pago 100% Seguro</span>
+  </div>
+
+  <p style="margin-top: 24px; font-size: 13px; color: #64748b; line-height: 1.5;">
+    Al hacer clic, serás redirigido de forma segura al entorno de <strong><%= RedsysRuby::Configuration.load.environment %></strong> de Redsys para completar tu transacción.
+  </p>
+</div>

data/app/views/redsys_ruby/payments/ko.html.erb

@@ -0,0 +1,124 @@
+<style>
+  @import url('https://fonts.googleapis.com/css2?family=Inter:wght@400;600;700&display=swap');
+
+  .redsys-payment-container {
+    font-family: 'Inter', system-ui, -apple-system, sans-serif;
+    min-height: 80vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: radial-gradient(circle at top right, #fff1f2, #f1f5f9);
+    padding: 2rem;
+  }
+
+  .redsys-card {
+    background: rgba(255, 255, 255, 0.8);
+    backdrop-filter: blur(12px);
+    -webkit-backdrop-filter: blur(12px);
+    border-radius: 24px;
+    padding: 3rem;
+    box-shadow: 0 20px 40px rgba(0, 0, 0, 0.05);
+    max-width: 480px;
+    width: 100%;
+    text-align: center;
+    border: 1px solid rgba(255, 255, 255, 0.3);
+    animation: slideUp 0.6s cubic-bezier(0.16, 1, 0.3, 1);
+  }
+
+  @keyframes slideUp {
+    from { opacity: 0; transform: translateY(20px); }
+    to { opacity: 1; transform: translateY(0); }
+  }
+
+  .error-icon-wrapper {
+    width: 80px;
+    height: 80px;
+    background: #fef2f2;
+    border-radius: 50%;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    margin: 0 auto 1.5rem;
+    animation: scaleIn 0.5s cubic-bezier(0.34, 1.56, 0.64, 1) 0.2s both;
+  }
+
+  @keyframes scaleIn {
+    from { transform: scale(0); }
+    to { transform: scale(1); }
+  }
+
+  .error-icon {
+    color: #ef4444;
+    width: 40px;
+    height: 40px;
+  }
+
+  .redsys-title {
+    color: #1e293b;
+    font-size: 1.875rem;
+    font-weight: 700;
+    margin-bottom: 1rem;
+    letter-spacing: -0.025em;
+  }
+
+  .redsys-description {
+    color: #64748b;
+    font-size: 1.125rem;
+    line-height: 1.6;
+    margin-bottom: 2rem;
+  }
+
+  .redsys-actions {
+    display: flex;
+    flex-direction: column;
+    gap: 1rem;
+  }
+
+  .redsys-button {
+    display: inline-block;
+    background: #0f172a;
+    color: white;
+    padding: 0.875rem 2rem;
+    border-radius: 12px;
+    font-weight: 600;
+    text-decoration: none;
+    transition: all 0.2s ease;
+    box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06);
+  }
+
+  .redsys-button:hover {
+    transform: translateY(-2px);
+    background: #1e293b;
+    box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05);
+  }
+
+  .redsys-button.secondary {
+    background: transparent;
+    color: #475569;
+    border: 1px solid #e2e8f0;
+    box-shadow: none;
+  }
+
+  .redsys-button.secondary:hover {
+    background: #f8fafc;
+    border-color: #cbd5e1;
+  }
+</style>
+
+<div class="redsys-payment-container">
+  <div class="redsys-card">
+    <div class="error-icon-wrapper">
+      <svg class="error-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2.5" d="M6 18L18 6M6 6l12 12"></path>
+      </svg>
+    </div>
+    <h1 class="redsys-title">Pago Cancelado</h1>
+    <p class="redsys-description">
+      No se ha podido completar la transacción. Por favor, revisa los datos de tu tarjeta o inténtalo de nuevo más tarde.
+    </p>
+    <div class="redsys-actions">
+      <a href="/redsys_ruby/payments" class="redsys-button">Intentar de nuevo</a>
+      <a href="/" class="redsys-button secondary">Volver al inicio</a>
+    </div>
+  </div>
+</div>

data/app/views/redsys_ruby/payments/ok.html.erb

@@ -0,0 +1,107 @@
+<style>
+  @import url('https://fonts.googleapis.com/css2?family=Inter:wght@400;600;700&display=swap');
+
+  .redsys-payment-container {
+    font-family: 'Inter', system-ui, -apple-system, sans-serif;
+    min-height: 80vh;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: radial-gradient(circle at top right, #f8fafc, #f1f5f9);
+    padding: 2rem;
+  }
+
+  .redsys-card {
+    background: rgba(255, 255, 255, 0.8);
+    backdrop-filter: blur(12px);
+    -webkit-backdrop-filter: blur(12px);
+    border-radius: 24px;
+    padding: 3rem;
+    box-shadow: 0 20px 40px rgba(0, 0, 0, 0.05);
+    max-width: 480px;
+    width: 100%;
+    text-align: center;
+    border: 1px solid rgba(255, 255, 255, 0.3);
+    animation: slideUp 0.6s cubic-bezier(0.16, 1, 0.3, 1);
+  }
+
+  @keyframes slideUp {
+    from { opacity: 0; transform: translateY(20px); }
+    to { opacity: 1; transform: translateY(0); }
+  }
+
+  .success-icon-wrapper {
+    width: 80px;
+    height: 80px;
+    background: #ecfdf5;
+    border-radius: 50%;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    margin: 0 auto 1.5rem;
+    animation: scaleIn 0.5s cubic-bezier(0.34, 1.56, 0.64, 1) 0.2s both;
+  }
+
+  @keyframes scaleIn {
+    from { transform: scale(0); }
+    to { transform: scale(1); }
+  }
+
+  .success-icon {
+    color: #10b981;
+    width: 40px;
+    height: 40px;
+  }
+
+  .redsys-title {
+    color: #1e293b;
+    font-size: 1.875rem;
+    font-weight: 700;
+    margin-bottom: 1rem;
+    letter-spacing: -0.025em;
+  }
+
+  .redsys-description {
+    color: #64748b;
+    font-size: 1.125rem;
+    line-height: 1.6;
+    margin-bottom: 2rem;
+  }
+
+  .redsys-button {
+    display: inline-block;
+    background: #0f172a;
+    color: white;
+    padding: 0.875rem 2rem;
+    border-radius: 12px;
+    font-weight: 600;
+    text-decoration: none;
+    transition: all 0.2s ease;
+    box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1), 0 2px 4px -1px rgba(0, 0, 0, 0.06);
+  }
+
+  .redsys-button:hover {
+    transform: translateY(-2px);
+    background: #1e293b;
+    box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.1), 0 4px 6px -2px rgba(0, 0, 0, 0.05);
+  }
+
+  .redsys-button:active {
+    transform: translateY(0);
+  }
+</style>
+
+<div class="redsys-payment-container">
+  <div class="redsys-card">
+    <div class="success-icon-wrapper">
+      <svg class="success-icon" fill="none" stroke="currentColor" viewBox="0 0 24 24" xmlns="http://www.w3.org/2000/svg">
+        <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2.5" d="M5 13l4 4L19 7"></path>
+      </svg>
+    </div>
+    <h1 class="redsys-title">¡Pago Completado!</h1>
+    <p class="redsys-description">
+      Tu transacción se ha procesado correctamente. En breve recibirás un correo electrónico con los detalles de tu pedido.
+    </p>
+    <a href="/" class="redsys-button">Volver al inicio</a>
+  </div>
+</div>

data/config/routes.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+RedsysRuby::Engine.routes.draw do
+  resource :configuration, only: [:edit, :update]
+  resources :payments, only: [:index] do
+    collection do
+      get :ok
+      get :ko
+    end
+  end
+  root to: "payments#index"
+end

data/lib/redsys-ruby/engine.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module RedsysRuby
+  class Engine < ::Rails::Engine
+    isolate_namespace RedsysRuby
+  end
+end

data/lib/redsys-ruby/tpv.rb

@@ -0,0 +1,104 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "base64"
+require "json"
+
+module RedsysRuby
+  class TPV
+    PRODUCTION_URL = "https://sis.redsys.es/sis/realizarPago"
+    TEST_URL = "https://sis-t.redsys.es:25443/sis/realizarPago"
+
+    attr_reader :merchant_key
+
+    def initialize(merchant_key:)
+      @merchant_key = merchant_key
+    end
+
+    def encrypt_3des(order, key)
+      cipher = OpenSSL::Cipher.new("DES-EDE3-CBC")
+      cipher.encrypt
+      cipher.key = key[0..23]
+      cipher.iv = "\0" * 8
+      cipher.padding = 0
+
+      # Redsys uses 8-byte blocks. The order must be padded with null bytes to a multiple of 8.
+      padded_order = order.ljust((order.length + 7) / 8 * 8, "\0")
+      cipher.update(padded_order) + cipher.final
+    end
+
+    def generate_merchant_parameters(params)
+      json_params = params.to_json
+      Base64.strict_encode64(json_params)
+    end
+
+    def generate_merchant_signature(order, merchant_parameters_64)
+      digest = calculate_digest(order, merchant_parameters_64)
+      Base64.strict_encode64(digest)
+    end
+
+    def payment_data(params)
+      params = params.transform_keys(&:to_s)
+      merchant_parameters_64 = generate_merchant_parameters(params)
+      order = params["Ds_Merchant_Order"]
+      
+      {
+        Ds_SignatureVersion: "HMAC_SHA256_V1",
+        Ds_MerchantParameters: merchant_parameters_64,
+        Ds_Signature: generate_merchant_signature(order.to_s, merchant_parameters_64)
+      }
+    end
+
+    def generate_merchant_signature_notif(merchant_parameters_64)
+      # For notifications, we need to extract the order from the decoded parameters.
+      decoded_params = decode_parameters(merchant_parameters_64)
+      order = decoded_params["Ds_Order"] || decoded_params["Ds_Merchant_Order"]
+      
+      raise ArgumentError, "Order is missing in merchant parameters" if order.nil?
+
+      digest = calculate_digest(order, merchant_parameters_64)
+      Base64.urlsafe_encode64(digest)
+    end
+
+    def valid_signature?(merchant_parameters_64, signature)
+      expected_signature = generate_merchant_signature_notif(merchant_parameters_64)
+      # We should use a constant-time comparison here for security
+      secure_compare(expected_signature, signature)
+    end
+
+    def decode_parameters(merchant_parameters_64)
+      JSON.parse(Base64.decode64(merchant_parameters_64))
+    end
+
+    private
+
+    # Encrypts the order number with the merchant key using 3DES
+    def encrypt_3des(order, key)
+      cipher = OpenSSL::Cipher.new("DES-EDE3-CBC")
+      cipher.encrypt
+      cipher.key = key[0..23]
+      cipher.iv = "\0" * 8
+      cipher.padding = 0
+
+      padded_order = order.ljust((order.length + 7) / 8 * 8, "\0")
+      cipher.update(padded_order) + cipher.final
+    end
+
+    def calculate_digest(order, merchant_parameters_64)
+      # 1. Decode the merchant key
+      decoded_key = Base64.decode64(@merchant_key)
+
+      # 2. Derive the key for this order
+      derived_key = encrypt_3des(order, decoded_key)
+
+      # 3. Calculate HMAC-SHA256
+      OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), derived_key, merchant_parameters_64)
+    end
+
+    def secure_compare(a, b)
+      return false if a.empty? || b.empty? || a.bytesize != b.bytesize
+
+      OpenSSL.fixed_length_secure_compare(a, b)
+    end
+  end
+end

data/lib/redsys-ruby/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module RedsysRuby
+  VERSION = "0.1.0"
+end

data/lib/redsys-ruby.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require "securerandom"
+require_relative "redsys-ruby/version"
+require_relative "redsys-ruby/tpv"
+require_relative "redsys-ruby/engine" if defined?(Rails)
+
+module RedsysRuby
+  class Error < StandardError; end
+
+  class << self
+    def configure
+      yield self
+    end
+
+    attr_accessor :parent_controller
+    attr_accessor :before_configuration_action
+  end
+
+  # Set defaults
+  self.parent_controller = "ActionController::Base"
+  self.before_configuration_action = nil
+end

data/sig/redsys_ruby.rbs

@@ -0,0 +1,4 @@
+module RedsysRuby
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,77 @@
+--- !ruby/object:Gem::Specification
+name: redsys-ruby
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- google-labs-jules[bot]
+autorequire:
+bindir: exe
+cert_chain: []
+date: 2026-02-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+description: Implement Redsys HMAC SHA256 signature and payment parameters handling.
+email:
+- 161369871+google-labs-jules[bot]@users.noreply.github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".jules/palette.md"
+- ".jules/sentinel.md"
+- README.md
+- Rakefile
+- app/controllers/redsys_ruby/application_controller.rb
+- app/controllers/redsys_ruby/configurations_controller.rb
+- app/controllers/redsys_ruby/payments_controller.rb
+- app/helpers/redsys_ruby/payments_helper.rb
+- app/models/redsys_ruby/configuration.rb
+- app/views/redsys_ruby/configurations/edit.html.erb
+- app/views/redsys_ruby/payments/index.html.erb
+- app/views/redsys_ruby/payments/ko.html.erb
+- app/views/redsys_ruby/payments/ok.html.erb
+- config/routes.rb
+- lib/redsys-ruby.rb
+- lib/redsys-ruby/engine.rb
+- lib/redsys-ruby/tpv.rb
+- lib/redsys-ruby/version.rb
+- sig/redsys_ruby.rbs
+homepage: https://github.com/google-labs/redsys-ruby
+licenses: []
+metadata:
+  homepage_uri: https://github.com/google-labs/redsys-ruby
+  source_code_uri: https://github.com/google-labs/redsys-ruby
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.4.20
+signing_key:
+specification_version: 4
+summary: A Ruby gem for making payments with Redsys.
+test_files: []