RubyGems - svix - Versions diffs - 0.16.0 → 0.21.0 - Mend

svix 0.16.0 → 0.21.0

Files changed (7) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e86e21aa5b9f2ed4b01ce230acd8a58e019d705d9d7c0ee560f0286e4b657e38
-  data.tar.gz: d832d554e538c75a51eda9d4e6486f4f7fbfec8de271b308499f06d2b5038766
+  metadata.gz: 8651d1d4cf9fa7f6dd65198a111215eaa22ec98bdbe8df8e003b701c15fc7d4f
+  data.tar.gz: 2053ab0dd50d3c0136de7e83d92edfe21f87e73c663c318fab208c0101345776
 SHA512:
-  metadata.gz: 553701612ddad362213e53389d5f582b22350daaee86bfdc9a81e5d7fade59959c38f0becdff166acfecebbbfca218583d34df2ae85e8d05116e007f1dfb232c
-  data.tar.gz: 4b959ceeca4f3847062c3f14d25445ac808504d153a67e5ed65c37d2e3b8482cdb509238f7232f2b87597c4b331b1d485415bb1146de114c59563f3fa57d741b
+  metadata.gz: 06c768854e7f5a34cacd15de32092a2ca1b7d18fde8ad07f00e5eeefb84d6b26926e574c70db168060974eae77fd820d80a395d9a6eae5aecaf905b067c18cb6
+  data.tar.gz: a19267a68e6472ec9f966a5b1a7441c64c648fdc9202b0cf5c0427407761a3582ba8eb7fb85f63cd1e7c10f3ecc26e5b7df766ae1414012db011078ffc01ef00

data/Gemfile.lock CHANGED Viewed

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    svix (0.16.0)
+    svix (0.21.0)
 GEM
   remote: https://rubygems.org/

data/src/svix/errors.rb CHANGED Viewed

@@ -11,4 +11,7 @@ module Svix
     class WebhookVerificationError < SvixError
     end
-end
+    class WebhookSigningError < SvixError
+    end
+end

data/src/svix/version.rb CHANGED Viewed

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 module Svix
-  VERSION = "0.16.0"
+  VERSION = "0.21.0"
 end

data/src/svix/webhook.rb CHANGED Viewed

@@ -2,7 +2,12 @@
 module Svix
     class Webhook
         def initialize(secret)
+            if secret.start_with?(SECRET_PREFIX)
+                secret = secret[SECRET_PREFIX.length..-1]
+            end
             @secret = Base64.decode64(secret)
         end
@@ -14,12 +19,13 @@ module Svix
                 raise WebhookVerificationError, "Missing required headers"
             end
-            toSign = "#{msgId}.#{msgTimestamp}.#{payload}"
-            signature = Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), @secret, toSign)).strip()
+            verify_timestamp(msgTimestamp)
+            _, signature = sign(msgId, msgTimestamp, payload).split(",", 2)
             passedSignatures = msgSignature.split(" ")
             passedSignatures.each do |versionedSignature|
-                version, expectedSignature = versionedSignature.split(',', 2)
+                version, expectedSignature = versionedSignature.split(",", 2)
                 if version != "v1"
                     next
                 end
@@ -29,5 +35,36 @@ module Svix
             end
             raise WebhookVerificationError, "No matching signature found"
         end
+        def sign(msgId, timestamp, payload)
+            begin
+                now = Integer(timestamp)
+            rescue
+                raise WebhookSigningError, "Invalid timestamp"
+            end
+            toSign = "#{msgId}.#{timestamp}.#{payload}"
+            signature = Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new("sha256"), @secret, toSign)).strip
+            return "v1,#{signature}"
+        end
+        private
+        SECRET_PREFIX = "whsec_"
+        TOLERANCE = 5 * 60
+        def verify_timestamp(timestampHeader)
+            begin
+                now = Integer(Time.now)
+                timestamp = Integer(timestampHeader)
+            rescue
+                raise WebhookVerificationError, "Invalid Signature Headers"
+            end
+            if timestamp < (now - TOLERANCE)
+                raise WebhookVerificationError, "Message timestamp too old"
+            end
+            if timestamp > (now + TOLERANCE)
+                raise WebhookVerificationError, "Message timestamp too new"
+            end
+        end
     end
-end
+end

data/svix.gemspec CHANGED Viewed

@@ -21,8 +21,8 @@ Gem::Specification.new do |spec|
     spec.metadata["allowed_push_host"] = "https://rubygems.org"
     spec.metadata["homepage_uri"] = spec.homepage
-    spec.metadata["source_code_uri"] = "https://github.com/svixhq/svix-libs"
-    spec.metadata["changelog_uri"] = "https://github.com/svixhq/svix-libs/blob/main/ChangeLog.md"
+    spec.metadata["source_code_uri"] = "https://github.com/svix/svix-libs"
+    spec.metadata["changelog_uri"] = "https://github.com/svix/svix-libs/blob/main/ChangeLog.md"
   else
     raise "RubyGems 2.0 or newer is required to protect against " \
       "public gem pushes."

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: svix
 version: !ruby/object:Gem::Version
-  version: 0.16.0
+  version: 0.21.0
 platform: ruby
 authors:
 - Svix
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-06-08 00:00:00.000000000 Z
+date: 2021-07-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -76,8 +76,8 @@ licenses:
 metadata:
   allowed_push_host: https://rubygems.org
   homepage_uri: https://www.svix.com
-  source_code_uri: https://github.com/svixhq/svix-libs
-  changelog_uri: https://github.com/svixhq/svix-libs/blob/main/ChangeLog.md
+  source_code_uri: https://github.com/svix/svix-libs
+  changelog_uri: https://github.com/svix/svix-libs/blob/main/ChangeLog.md
 post_install_message:
 rdoc_options: []
 require_paths: