tosspayments2-rails 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 007d24a406cc641580afd61afc507157d5014d51c14103d8b6fdf8cdf6abd2a2
-  data.tar.gz: 798fe8448f2d7eb4b99e55b497689fa9782aff09e167d514e0de8d03cc6540da
+  metadata.gz: fd88d1af83f21b3f11746c4825425fd7c9bfee9aa793bd0c6adfde623b25a8c2
+  data.tar.gz: 780b41fdccead7e7b6e26beb5f0ad701f756cc19036c7a713aa1b6c978cbbe19
 SHA512:
-  metadata.gz: 83a9e5874ec186b065e019f503a98d25534ae47abc4d7d41397b32b83a29d3e2f62cb0510f8db3a1fb8e566d86a35db13b17325923d59ce840eca22f19b8ebd7
-  data.tar.gz: ee531d730c66f0834fb0d37759759f3183dc617f6a2952d975d9cf781157a4194b1f9ce141a9aa0fd6b73ca5424480e0e054b4ead452054b1a66e61ad5e35728
+  metadata.gz: 8804a4ec3d7f980fca6cdba867592f73a763ec933bf963c90bb52e30837be9b59fc4e0cabf320e4915da4eaa9e8fc475e52419620db1565a52d0a714e85eafac
+  data.tar.gz: fe9a02353d00025acb304f67ff7b6e90d2b5bedd6e69760921be3352eb9e06608ce2f073cf24934191550d123561f0102a754f0de0e169dd73a576f06c7d97c2

data/.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+name: CI
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        ruby: ['3.2', '3.3']
+    steps:
+      - uses: actions/checkout@v4
+      - uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - name: Run RSpec
+        run: bundle exec rspec --format progress
+      - name: Build YARD Docs
+        run: bundle exec yard doc --no-progress
+      - name: Lint (Rubocop if present)
+        if: hashFiles('**/.rubocop.yml') != ''
+        run: bundle exec rubocop

data/.rspec

@@ -0,0 +1,2 @@
+--require spec_helper
+--format documentation

data/.rubocop.yml

@@ -0,0 +1,29 @@
+AllCops:
+  TargetRubyVersion: 3.2
+  NewCops: enable
+  Exclude:
+    - 'spec/spec_helper.rb'
+    - 'bin/**/*'
+    - 'vendor/**/*'
+
+Layout/LineLength:
+  Max: 120
+
+Metrics/BlockLength:
+  Exclude:
+    - 'spec/**/*'
+
+Metrics/MethodLength:
+  Max: 20
+
+Style/Documentation:
+  Enabled: false
+
+Style/StringLiterals:
+  EnforcedStyle: single_quotes
+
+Style/FrozenStringLiteralComment:
+  Enabled: true
+
+Lint/MissingSuper:
+  Enabled: true

data/.yardopts

@@ -0,0 +1,3 @@
+--markup markdown
+--hide-void-return
+lib/**/*.rb

data/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 _No changes yet._
 
+## [0.3.0] - 2025-08-21
+### Changed
+- General maintenance and improvements for release process
+
 ## [0.2.0] - 2025-08-19
 ### Added
 - WebhookVerifier HMAC (SHA256 + Base64) verification

data/LICENSE.txt

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/RELEASE_NOTES_v0.2.0.md

@@ -0,0 +1,53 @@
+# Release 0.2.0
+
+Tag: v0.2.0  (2025-08-19)
+
+## Highlights
+- New WebhookVerifier with HMAC-SHA256 + Base64 signature checking
+- HTTP client retries with backoff & request ID extraction
+- CallbackVerifier predicate rename to `match_amount?`
+- Predicate rename for `WebhookVerifier#verify?`
+- Clean RuboCop baseline & refactored controller template
+- Development dependencies relocated from gemspec to Gemfile
+
+## Added
+- Webhook verification helper
+- Retry/backoff logic in client
+- Request ID extraction (`X-Request-Id`) surfaced in `APIError`
+
+## Changed
+- Method renames for predicate semantics (`match_amount?`, `verify?`)
+- Reduced complexity in generator payments controller
+- Style & lint conformance; added quality and release rake tasks
+
+## Fixed
+- Secure constant-time compare naming clarity
+- Gem build now excludes packaged `.gem` artifacts & `pkg/`
+
+## Upgrade Notes
+- Replace any `CallbackVerifier#verify!` calls with `match_amount?`
+- Replace any `WebhookVerifier#verify` calls with `verify?`
+- Regenerate initializer/controller via `rails generate tosspayments2:install` if you want updated template.
+
+```ruby
+# Old
+verifier.verify(body, sig)
+# New
+verifier.verify?(body, sig)
+```
+
+```ruby
+# Old
+CallbackVerifier.new.verify!(order_id: oid, amount: amt) { ... }
+# New
+CallbackVerifier.new.match_amount?(order_id: oid, amount: amt) { ... }
+```
+
+## Publishing Steps (for maintainer)
+1. Ensure environment variable RUBYGEMS_API_KEY is configured (or `~/.gem/credentials`).
+2. (Optional) Run: `bundle exec rake release:check`
+3. Build: `bundle exec rake build`
+4. Push gem: `gem push pkg/tosspayments2-rails-0.2.0.gem`
+5. Create GitHub Release using this file as the body.
+
+SHA: PLACEHOLDER (update with commit SHA of tag)

data/Rakefile

@@ -1,4 +1,43 @@
 # frozen_string_literal: true
 
 require 'bundler/gem_tasks'
-task default: %i[]
+
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:spec)
+rescue LoadError
+  warn 'RSpec not available; spec task skipped'
+end
+
+begin
+  require 'rubocop/rake_task'
+  RuboCop::RakeTask.new(:rubocop)
+rescue LoadError
+  warn 'RuboCop not available; rubocop task skipped'
+end
+
+desc 'Generate YARD docs'
+task :yard do
+  sh 'bundle exec yard doc'
+end
+
+desc 'Run specs and RuboCop'
+task quality: %i[rubocop spec]
+
+namespace :release do
+  desc 'Pre-release checks (clean git, specs, rubocop, changelog entry)'
+  task :check do
+    version_file = File.join(__dir__, 'lib', 'tosspayments2', 'rails', 'version.rb')
+    version = File.read(version_file)[/VERSION = '([^']+)'/, 1]
+    abort 'Uncommitted changes present' unless `git status --porcelain`.strip.empty?
+    sh 'bundle exec rubocop'
+    sh 'bundle exec rspec'
+    changelog = File.read('CHANGELOG.md')
+    abort 'CHANGELOG missing current version section' unless changelog.include?("[#{version}]")
+    puts "Release checks passed for v#{version}"
+  end
+end
+
+Rake::Task['release'].enhance(['release:check']) if Rake::Task.task_defined?('release')
+
+task default: %i[quality]

data/lib/generators/tosspayments2/install/install_generator.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'rails/generators'
+module Tosspayments2
+  module Generators
+    class InstallGenerator < ::Rails::Generators::Base
+      source_root File.expand_path('templates', __dir__)
+      class_option :controller, type: :boolean, default: false, desc: 'Generate example payments controller'
+
+      def create_initializer
+        template 'initializer.rb', 'config/initializers/tosspayments2.rb'
+      end
+
+      def create_controller
+        return unless options[:controller]
+
+        template 'payments_controller.rb', 'app/controllers/payments_controller.rb'
+      end
+    end
+  end
+end

data/lib/generators/tosspayments2/install/templates/initializer.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+# TossPayments2 configuration
+Tosspayments2::Rails.configure do |c|
+  c.client_key = ENV.fetch('TOSSPAYMENTS_CLIENT_KEY', nil)
+  c.secret_key = ENV.fetch('TOSSPAYMENTS_SECRET_KEY', nil)
+  # c.widget_version = 'v2'
+  # c.api_base = 'https://api.tosspayments.com'
+end

data/lib/generators/tosspayments2/install/templates/payments_controller.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+class PaymentsController < ApplicationController
+  include Tosspayments2::Rails::ControllerConcern
+
+  def success
+    load_params
+    verify_amount!
+    @payment = toss_client.confirm(payment_key: @payment_key, order_id: @order_id, amount: @amount)
+  rescue Tosspayments2::Rails::VerificationError, Tosspayments2::Rails::APIError => e
+    Rails.logger.error("Payment error: #{e.class} #{e.message}")
+    redirect_to root_path, alert: '결제 승인 실패'
+  end
+
+  def fail
+    flash[:alert] = "결제 실패: #{params[:message] || params[:errorMessage]}"
+    redirect_to root_path
+  end
+
+  private
+
+  def load_params
+    @payment_key = params[:paymentKey]
+    @order_id    = params[:orderId]
+    @amount      = params[:amount].to_i
+  end
+
+  def verify_amount!
+    Tosspayments2::Rails::CallbackVerifier.new.match_amount?(order_id: @order_id, amount: @amount) do |_oid|
+      # Lookup the expected amount for the given order id in your domain model.
+      # Example:
+      #   Order.find_by!(uuid: _oid).amount
+      # For demo purposes we return a fixed integer:
+      1000
+    end
+  end
+end

data/lib/tosspayments2/rails/callback_verifier.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Tosspayments2
+  module Rails
+    class CallbackVerifier
+      def match_amount?(order_id:, amount:, &block)
+        raise ArgumentError, 'block required' unless block
+
+        expected = block.call(order_id)
+        unless expected.to_i == amount.to_i
+          raise ::Tosspayments2::Rails::VerificationError,
+                "Amount mismatch expected=#{expected} got=#{amount}"
+        end
+
+        true
+      end
+    end
+  end
+end

data/lib/tosspayments2/rails/errors.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Tosspayments2
+  module Rails
+    class Error < StandardError; end
+    class ConfigurationError < Error; end
+    class VerificationError < Error; end
+
+    class APIError < Error
+      attr_reader :status, :body, :code, :request_id
+
+      def initialize(message, status:, body: nil, request_id: nil)
+        super(message)
+        @status = status
+        @body = body
+        @code = (body && body[:code]) || (body && body[:errorCode])
+        @request_id = request_id || (body && body[:request_id])
+      end
+    end
+  end
+end

data/lib/tosspayments2/rails/version.rb

@@ -2,6 +2,6 @@
 
 module Tosspayments2
   module Rails
-    VERSION = '0.2.0'
+    VERSION = '0.3.0'
   end
 end

data/spec/client_spec.rb

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'webmock/rspec'
+
+RSpec.describe Tosspayments2::Rails::Client do
+  before do
+    Tosspayments2::Rails.configure do |c|
+      c.secret_key = 'sk_test_123'
+    end
+  end
+
+  let(:client) { described_class.new }
+
+  it 'raises ConfigurationError without secret key' do
+    Tosspayments2::Rails.configure { |c| c.secret_key = nil }
+    expect { described_class.new }.to raise_error(Tosspayments2::Rails::ConfigurationError)
+  end
+
+  it 'performs confirm success' do
+    body_hash = { paymentKey: 'pk', orderId: 'o1', status: 'DONE' }
+    stub = stub_request(:post, 'https://api.tosspayments.com/v1/payments/confirm')
+    stub.to_return(status: 200, body: body_hash.to_json, headers: { 'Content-Type' => 'application/json' })
+    response = client.confirm(payment_key: 'pk', order_id: 'o1', amount: 1000)
+    expect(response[:status]).to eq('DONE')
+    expect(stub).to have_been_requested
+  end
+
+  it 'raises APIError on failure' do
+    stub_request(:post, 'https://api.tosspayments.com/v1/payments/confirm').to_return(
+      status: 400,
+      body: { code: 'INVALID', message: 'Bad' }.to_json,
+      headers: { 'Content-Type' => 'application/json' }
+    )
+    expect { client.confirm(payment_key: 'pk', order_id: 'o1', amount: 1000) }
+      .to raise_error(Tosspayments2::Rails::APIError) { |e| expect(e.code).to eq('INVALID') }
+  end
+end

data/spec/engine_spec.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'rails'
+require 'action_controller'
+require_relative '../lib/tosspayments2/rails'
+require 'tosspayments2/rails/engine'
+
+RSpec.describe Tosspayments2::Rails::Engine do
+  it 'isolates namespace' do
+    expect(described_class.isolated?).to be true
+  end
+
+  it 'loads configuration via initializer' do
+    Tosspayments2::Rails.configure do |c|
+      c.client_key = 'ck'
+      c.secret_key = 'sk'
+    end
+    expect(Tosspayments2::Rails.configuration.client_key).to eq('ck')
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+require 'simplecov'
+SimpleCov.start do
+  enable_coverage :branch
+  add_filter '/spec/'
+end
+
+require 'rspec'
+require_relative '../lib/tosspayments2/rails'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+end

data/spec/tosspayments2/callback_verifier_spec.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Tosspayments2::Rails::CallbackVerifier do
+  let(:verifier) { described_class.new }
+
+  it 'returns true when amount matches' do
+    expect(
+      verifier.match_amount?(order_id: 'o1', amount: 100) { |id| id == 'o1' ? 100 : 0 }
+    ).to be true
+  end
+
+  it 'raises VerificationError when mismatch' do
+    expect do
+      verifier.match_amount?(order_id: 'o1', amount: 150) { |_id| 100 }
+    end.to raise_error(Tosspayments2::Rails::VerificationError)
+  end
+end

data/spec/tosspayments2/client_cancel_spec.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'webmock/rspec'
+
+RSpec.describe Tosspayments2::Rails::Client do
+  let(:secret) { 'sk_test_x' }
+  let(:client) { described_class.new(secret_key: secret, api_base: 'https://api.tosspayments.com') }
+
+  before do
+    stub_request(:post, 'https://api.tosspayments.com/v1/payments/confirm')
+  end
+
+  describe '#cancel' do
+    it 'cancels successfully (full cancel)' do
+      cancel_body = { paymentKey: 'pay_123', status: 'CANCELED' }
+      stub = stub_request(:post, 'https://api.tosspayments.com/v1/payments/pay_123/cancel')
+      stub.to_return(status: 200, body: cancel_body.to_json, headers: { 'Content-Type' => 'application/json' })
+      response = client.cancel(payment_key: 'pay_123', cancel_reason: 'test')
+      expect(response[:status]).to eq('CANCELED')
+      expect(stub).to have_been_requested
+    end
+
+    it 'raises APIError on failure' do
+      error_body = { code: 'INVALID', message: 'bad' }
+      stub = stub_request(:post, 'https://api.tosspayments.com/v1/payments/pay_456/cancel')
+      stub.to_return(status: 400, body: error_body.to_json, headers: { 'Content-Type' => 'application/json' })
+      expect { client.cancel(payment_key: 'pay_456', cancel_reason: 'test') }
+        .to raise_error(Tosspayments2::Rails::APIError) { |e| expect(e.body[:code]).to eq('INVALID') }
+      expect(stub).to have_been_requested
+    end
+  end
+end

data/spec/tosspayments2/script_tag_helper_spec.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'action_view'
+require 'action_controller'
+
+RSpec.describe Tosspayments2::Rails::ScriptTagHelper do
+  let(:view) do
+    paths = ActionView::PathSet.new
+    lookup_context = ActionView::LookupContext.new(paths)
+    assigns = {}.freeze
+    controller = ActionController::Base.new
+    klass = Class.new(ActionView::Base) do
+      include Tosspayments2::Rails::ScriptTagHelper
+    end
+    klass.new(lookup_context, assigns, controller)
+  end
+
+  before do
+    Tosspayments2::Rails.configure do |c|
+      c.client_key = 'ck_test_x'
+      c.secret_key = 'sk_test_x'
+    end
+  end
+
+  it 'renders script tag with versioned src' do
+    html = view.tosspayments_script_tag
+    expect(html).to include('<script')
+    expect(html).to include('https://js.tosspayments.com/v2/standard')
+  end
+end

data/spec/tosspayments2/webhook_verifier_spec.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Tosspayments2::Rails::WebhookVerifier do
+  let(:secret) { 'sk_test_webhook' }
+  let(:body) { '{"event":"payment.approved","data":{"id":"123"}}' }
+  let(:verifier) { described_class.new(secret_key: secret) }
+
+  it 'verifies correct signature' do
+    sig = verifier.compute_signature(body)
+    expect(verifier.verify?(body, sig)).to be true
+  end
+
+  it 'rejects invalid signature' do
+    expect(verifier.verify?(body, 'invalid')).to be false
+  end
+
+  it 'rejects when missing data' do
+    expect(verifier.verify?(nil, nil)).to be false
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: tosspayments2-rails
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Lucius Choi
@@ -46,21 +46,40 @@ files:
 - ".claude/agents/kfc/spec-test.md"
 - ".claude/settings/kfc-settings.json"
 - ".claude/system-prompts/spec-workflow-starter.md"
+- ".github/workflows/ci.yml"
+- ".rspec"
+- ".rubocop.yml"
 - ".vscode/mcp.json"
+- ".yardopts"
 - CHANGELOG.md
+- LICENSE.txt
 - README.md
+- RELEASE_NOTES_v0.2.0.md
 - Rakefile
+- lib/generators/tosspayments2/install/install_generator.rb
+- lib/generators/tosspayments2/install/templates/initializer.rb
+- lib/generators/tosspayments2/install/templates/payments_controller.rb
 - lib/tosspayments2/rails.rb
+- lib/tosspayments2/rails/callback_verifier.rb
 - lib/tosspayments2/rails/client.rb
 - lib/tosspayments2/rails/configuration.rb
 - lib/tosspayments2/rails/controller_concern.rb
 - lib/tosspayments2/rails/engine.rb
+- lib/tosspayments2/rails/errors.rb
 - lib/tosspayments2/rails/script_tag_helper.rb
 - lib/tosspayments2/rails/version.rb
 - lib/tosspayments2/rails/webhook_verifier.rb
 - sig/tosspayments2/rails.rbs
+- spec/client_spec.rb
+- spec/engine_spec.rb
+- spec/spec_helper.rb
+- spec/tosspayments2/callback_verifier_spec.rb
+- spec/tosspayments2/client_cancel_spec.rb
+- spec/tosspayments2/script_tag_helper_spec.rb
+- spec/tosspayments2/webhook_verifier_spec.rb
 homepage: https://github.com/luciuschoi/tosspayments2-rails
-licenses: []
+licenses:
+- MIT
 metadata:
   homepage_uri: https://github.com/luciuschoi/tosspayments2-rails
   source_code_uri: https://github.com/luciuschoi/tosspayments2-rails