RubyGems - svix - Versions diffs - 0.16.0 → 0.21.0 - Mend

svix 0.16.0 → 0.21.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e86e21aa5b9f2ed4b01ce230acd8a58e019d705d9d7c0ee560f0286e4b657e38
-  data.tar.gz: d832d554e538c75a51eda9d4e6486f4f7fbfec8de271b308499f06d2b5038766
+  metadata.gz: 8651d1d4cf9fa7f6dd65198a111215eaa22ec98bdbe8df8e003b701c15fc7d4f
+  data.tar.gz: 2053ab0dd50d3c0136de7e83d92edfe21f87e73c663c318fab208c0101345776
 SHA512:
-  metadata.gz: 553701612ddad362213e53389d5f582b22350daaee86bfdc9a81e5d7fade59959c38f0becdff166acfecebbbfca218583d34df2ae85e8d05116e007f1dfb232c
-  data.tar.gz: 4b959ceeca4f3847062c3f14d25445ac808504d153a67e5ed65c37d2e3b8482cdb509238f7232f2b87597c4b331b1d485415bb1146de114c59563f3fa57d741b
+  metadata.gz: 06c768854e7f5a34cacd15de32092a2ca1b7d18fde8ad07f00e5eeefb84d6b26926e574c70db168060974eae77fd820d80a395d9a6eae5aecaf905b067c18cb6
+  data.tar.gz: a19267a68e6472ec9f966a5b1a7441c64c648fdc9202b0cf5c0427407761a3582ba8eb7fb85f63cd1e7c10f3ecc26e5b7df766ae1414012db011078ffc01ef00

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    svix (0.16.0)
+    svix (0.21.0)
 GEM
   remote: https://rubygems.org/

data/src/svix/errors.rb CHANGED Viewed

@@ -11,4 +11,7 @@ module Svix
     class WebhookVerificationError < SvixError
     end
-end
+    class WebhookSigningError < SvixError
+    end
+end

data/src/svix/version.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Svix
-  VERSION = "0.16.0"
+  VERSION = "0.21.0"
 end

data/src/svix/webhook.rb CHANGED Viewed

@@ -2,7 +2,12 @@
 module Svix
     class Webhook
         def initialize(secret)
+            if secret.start_with?(SECRET_PREFIX)
+                secret = secret[SECRET_PREFIX.length..-1]
+            end
             @secret = Base64.decode64(secret)
         end
@@ -14,12 +19,13 @@ module Svix
                 raise WebhookVerificationError, "Missing required headers"
             end
-            toSign = "#{msgId}.#{msgTimestamp}.#{payload}"
-            signature = Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), @secret, toSign)).strip()
+            verify_timestamp(msgTimestamp)
+            _, signature = sign(msgId, msgTimestamp, payload).split(",", 2)
             passedSignatures = msgSignature.split(" ")
             passedSignatures.each do |versionedSignature|
-                version, expectedSignature = versionedSignature.split(',', 2)
+                version, expectedSignature = versionedSignature.split(",", 2)
                 if version != "v1"
                     next
                 end
@@ -29,5 +35,36 @@ module Svix
             end
             raise WebhookVerificationError, "No matching signature found"
         end
+        def sign(msgId, timestamp, payload)
+            begin
+                now = Integer(timestamp)
+            rescue
+                raise WebhookSigningError, "Invalid timestamp"
+            end
+            toSign = "#{msgId}.#{timestamp}.#{payload}"
+            signature = Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), @secret, toSign)).strip
+            return "v1,#{signature}"
+        end
+        private
+        SECRET_PREFIX = "whsec_"
+        TOLERANCE = 5 * 60
+        def verify_timestamp(timestampHeader)
+            begin
+                now = Integer(Time.now)
+                timestamp = Integer(timestampHeader)
+            rescue
+                raise WebhookVerificationError, "Invalid Signature Headers"
+            end
+            if timestamp < (now - TOLERANCE)
+                raise WebhookVerificationError, "Message timestamp too old"
+            end
+            if timestamp > (now + TOLERANCE)
+                raise WebhookVerificationError, "Message timestamp too new"
+            end
+        end
     end
-end
+end

data/svix.gemspec CHANGED Viewed

@@ -21,8 +21,8 @@ Gem::Specification.new do |spec|
     spec.metadata["allowed_push_host"] = "https://rubygems.org"
     spec.metadata["homepage_uri"] = spec.homepage
-    spec.metadata["source_code_uri"] = "https://github.com/svixhq/svix-libs"
-    spec.metadata["changelog_uri"] = "https://github.com/svixhq/svix-libs/blob/main/ChangeLog.md"
+    spec.metadata["source_code_uri"] = "https://github.com/svix/svix-libs"
+    spec.metadata["changelog_uri"] = "https://github.com/svix/svix-libs/blob/main/ChangeLog.md"
   else
     raise "RubyGems 2.0 or newer is required to protect against " \
       "public gem pushes."

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: svix
 version: !ruby/object:Gem::Version
-  version: 0.16.0
+  version: 0.21.0
 platform: ruby
 authors:
 - Svix
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-06-08 00:00:00.000000000 Z
+date: 2021-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -76,8 +76,8 @@ licenses:
 metadata:
   allowed_push_host: https://rubygems.org
   homepage_uri: https://www.svix.com
-  source_code_uri: https://github.com/svixhq/svix-libs
-  changelog_uri: https://github.com/svixhq/svix-libs/blob/main/ChangeLog.md
+  source_code_uri: https://github.com/svix/svix-libs
+  changelog_uri: https://github.com/svix/svix-libs/blob/main/ChangeLog.md
 post_install_message:
 rdoc_options: []
 require_paths: