tosspayments2-rails 0.2.0

data/README.md

@@ -0,0 +1,272 @@
+# tosspayments2-rails
+
+English section follows Korean (Scroll down for English usage guide).
+
+Rails 7 & 8용 TossPayments v2 (통합 SDK / 결제위젯) 간편 연동 지원 젬.
+
+* View helper (`tosspayments_script_tag`) 로 SDK `<script>` 주입
+* 환경설정 (`Tosspayments2::Rails.configure`) 으로 client/secret 키 관리
+* 서버사이드 결제 승인(confirm) & 취소(cancel) API 래퍼 `Tosspayments2::Rails::Client`
+* Controller concern (`Tosspayments2::Rails::ControllerConcern`) 으로 `toss_client` 제공
+* (Placeholder) Webhook 검증 클래스 (향후 사양 반영 예정)
+
+## 설치 (Installation)
+
+Gemfile:
+```ruby
+gem 'tosspayments2-rails'
+```
+설치 후:
+```bash
+bundle install
+```
+
+아직 Rubygems 공개 전이라면 Git 소스 사용:
+```ruby
+gem 'tosspayments2-rails', git: 'https://github.com/luciuschoi/tosspayments2-rails'
+```
+
+## 초기 설정 (Configuration)
+`config/initializers/tosspayments2.rb` 생성:
+```ruby
+Tosspayments2::Rails.configure do |c|
+	c.client_key = ENV.fetch('TOSSPAYMENTS_CLIENT_KEY')
+	c.secret_key = ENV.fetch('TOSSPAYMENTS_SECRET_KEY')
+	# c.widget_version = 'v2' # 기본값
+	# c.api_base = 'https://api.tosspayments.com' # 기본값
+end
+```
+
+또는 `config/application.rb` 등에서:
+```ruby
+config.tosspayments2.client_key = ENV['TOSSPAYMENTS_CLIENT_KEY']
+config.tosspayments2.secret_key = ENV['TOSSPAYMENTS_SECRET_KEY']
+```
+
+## View에서 SDK 스크립트 추가
+레이아웃 (`app/views/layouts/application.html.erb`):
+```erb
+<head>
+	<%= csrf_meta_tags %>
+	<%= csp_meta_tag %>
+	<%= tosspayments_script_tag %>
+</head>
+```
+
+커스텀 버전/옵션:
+```erb
+<%= tosspayments_script_tag(async: true, defer: true, version: 'v2') %>
+```
+
+## 프론트엔드 예시 (Stimulus / ES module 없이 단순)
+```erb
+<div id="payment-methods"></div>
+<div id="agreement"></div>
+<button id="pay">결제하기</button>
+<script>
+	document.addEventListener('DOMContentLoaded', async () => {
+		const clientKey = '<%= ENV['TOSSPAYMENTS_CLIENT_KEY'] %>';
+		const customerKey = 'customer_123'; // 구매자 식별 값
+		const tosspayments = TossPayments(clientKey);
+		const widgets = tosspayments.widgets({ customerKey });
+성공 리다이렉트에서 요청 파라미터(`paymentKey`, `orderId`, `amount`)를 저장된 주문과 비교하려면 `CallbackVerifier` 사용:
+		await widgets.renderPaymentMethods({ selector: '#payment-methods' });
+		await widgets.renderAgreement({ selector: '#agreement' });
+
+		document.getElementById('pay').addEventListener('click', async () => {
+			try {
+				await widgets.requestPayment({
+					orderId: 'ORDER-' + Date.now(),
+					orderName: '테스트 주문',
+					customerName: '홍길동',
+					successUrl: '<%= success_payments_url %>',
+					failUrl: '<%= fail_payments_url %>'
+				});
+			} catch (e) {
+				console.error(e);
+			}
+		});
+	});
+ </script>
+```
+
+## 성공/실패 리다이렉트 컨트롤러 예시
+```ruby
+class PaymentsController < ApplicationController
+	include Tosspayments2::Rails::ControllerConcern
+
+	def success
+		# TossPayments에서 쿼리로 전달: paymentKey, orderId, amount
+		payment_key = params[:paymentKey]
+		order_id = params[:orderId]
+		amount = params[:amount].to_i
+		result = toss_client.confirm(payment_key: payment_key, order_id: order_id, amount: amount)
+		# 비즈니스 로직 (주문 상태 업데이트 등)
+		@payment = result
+		rescue Tosspayments2::Rails::APIError => e
+			logger.error("Toss confirm error status=#{e.status} code=#{e.code} body=#{e.body.inspect}")
+		redirect_to root_path, alert: '결제 승인 실패'
+	end
+
+	def fail
+		# errorCode, errorMessage 등 전달
+		flash[:alert] = "결제 실패: #{params[:message] || params[:errorMessage]}"
+		redirect_to root_path
+	end
+end
+```
+
+라우팅 (`config/routes.rb`):
+```ruby
+resource :payments, only: [] do
+	get :success
+	get :fail
+end
+```
+
+## 서버사이드 결제 취소
+```ruby
+toss_client.cancel(payment_key: payment.payment_key, cancel_reason: '고객요청')
+```
+
+## 콜백 파라미터 검증 (선택)
+```ruby
+verifier = Tosspayments2::Rails::CallbackVerifier.new
+verifier.match_amount?(order_id: params[:orderId], amount: params[:amount].to_i) do |order_id|
+	Order.find_by!(uuid: order_id).amount
+end
+```
+불일치 시 `Tosspayments2::Rails::VerificationError` 예외 발생.
+
+## Webhook 검증
+```ruby
+verifier = Tosspayments2::Rails::WebhookVerifier.new
+raw_body = request.raw_post
+signature = request.headers['X-TossPayments-Signature']
+unless verifier.verify?(raw_body, signature)
+	head :unauthorized and return
+end
+payload = JSON.parse(raw_body)
+# 이벤트 처리
+```
+
+## Rails Generator
+빠른 초기 세팅:
+```bash
+bin/rails generate tosspayments2:install
+```
+생성물:
+* `config/initializers/tosspayments2.rb`
+* 예시 컨트롤러 `app/controllers/payments_controller.rb` (옵션, 덮어쓰기 여부 질의)
+* 안내 주석
+
+## RSpec 설정 & 테스트 실행
+프로젝트 루트에서(엔진 개발 환경):
+```bash
+bundle exec rspec
+```
+커버리지 보고서는 `coverage/` (SimpleCov) 생성.
+
+## YARD 문서 생성
+```bash
+bundle exec yard doc
+open doc/index.html
+```
+
+## RBS (타입 시그니처)
+`sig/` 디렉토리에 기본 시그니처가 포함되어 있습니다. 필요 시 확장하세요.
+
+## 테스트 / 개발
+```bash
+bin/console
+```
+```ruby
+Tosspayments2::Rails.configure { |c| c.secret_key = 'sk_test_xxx' }
+client = Tosspayments2::Rails::Client.new(secret_key: 'sk_test_xxx')
+# Stub 네트워크 후 confirm 호출 등
+```
+
+## 라이선스
+MIT
+
+---
+
+## English
+
+### Overview
+Helpers & a lightweight engine to integrate TossPayments (Payment Widget v2) with Rails 7 & 8.
+
+Features:
+* Script tag helper (`toss_payments_script_tag` / actually `tosspayments_script_tag`)
+* Configuration block (`Tosspayments2::Rails.configure`)
+* Server-side confirm & cancel client
+* Controller concern for quick access (`toss_client`)
+* Callback parameter verification (order id & amount)
+* Webhook HMAC (SHA256 + Base64) verification helper
+
+### Installation
+```ruby
+gem 'tosspayments2-rails'
+```
+```bash
+bundle install
+```
+
+### Configuration
+```ruby
+Tosspayments2::Rails.configure do |c|
+	c.client_key = ENV['TOSSPAYMENTS_CLIENT_KEY']
+	c.secret_key = ENV['TOSSPAYMENTS_SECRET_KEY']
+end
+```
+
+### Script Tag
+In layout head:
+```erb
+<%= tosspayments_script_tag %>
+```
+
+### Success Redirect Controller
+```ruby
+class PaymentsController < ApplicationController
+	include Tosspayments2::Rails::ControllerConcern
+	def success
+		result = toss_client.confirm(payment_key: params[:paymentKey], order_id: params[:orderId], amount: params[:amount].to_i)
+		@payment = result
+	rescue Tosspayments2::Rails::APIError => e
+		Rails.logger.error("Confirm error status=#{e.status} code=#{e.code}")
+		redirect_to root_path, alert: 'Payment confirm failed'
+	end
+end
+```
+
+### Callback Verification
+```ruby
+Tosspayments2::Rails::CallbackVerifier.new.match_amount?(order_id: params[:orderId], amount: params[:amount].to_i) do |oid|
+	Order.find_by!(uuid: oid).amount
+end
+```
+
+### Webhook Verification
+```ruby
+verifier = Tosspayments2::Rails::WebhookVerifier.new
+if verifier.verify?(request.raw_post, request.headers['X-TossPayments-Signature'])
+	# process JSON.parse(request.raw_post)
+else
+	head :unauthorized
+end
+```
+
+### Cancel
+```ruby
+toss_client.cancel(payment_key: 'pay_123', cancel_reason: 'customer request')
+```
+
+### Tests
+Run RSpec: `bundle exec rspec`
+
+### License
+MIT
+
+## 기여
+PR / 이슈 환영: https://github.com/luciuschoi/tosspayments2-rails

data/Rakefile

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+task default: %i[]

data/lib/tosspayments2/rails/client.rb

@@ -0,0 +1,106 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'json'
+require 'base64'
+
+module Tosspayments2
+  module Rails
+    # Lightweight client for TossPayments REST endpoints (confirm/cancel only).
+    class Client
+      # @param secret_key [String,nil]
+      # @param api_base [String,nil]
+      # @param timeout [Integer,nil] network timeout seconds
+      # @param retries [Integer] transient network retry attempts
+      # @param backoff [Float] linear backoff base seconds
+      def initialize(secret_key: nil, api_base: nil, timeout: nil, retries: 2, backoff: 0.2)
+        cfg = ::Tosspayments2::Rails.configuration
+        @secret_key = secret_key || cfg.secret_key
+        @api_base = api_base || cfg.api_base
+        @timeout = timeout || cfg.timeout
+        @retries = retries
+        @backoff = backoff
+        return if @secret_key
+
+        raise ::Tosspayments2::Rails::ConfigurationError,
+              'secret_key required – configure with Tosspayments2::Rails.configure'
+      end
+
+      # Confirm payment after success redirect.
+      # @return [Hash] parsed JSON
+      # @raise [APIError]
+      def confirm(payment_key:, order_id:, amount:)
+        post_json('/v1/payments/confirm', {
+                    paymentKey: payment_key,
+                    orderId: order_id,
+                    amount: amount
+                  })
+      end
+
+      # Cancel payment (full or partial).
+      # @return [Hash]
+      # @raise [APIError]
+      def cancel(payment_key:, cancel_reason:, amount: nil)
+        body = { cancelReason: cancel_reason }
+        body[:cancelAmount] = amount if amount
+        post_json("/v1/payments/#{payment_key}/cancel", body)
+      end
+
+      private
+
+      def post_json(path, body)
+        uri = URI.join(@api_base, path)
+        req = Net::HTTP::Post.new(uri)
+        req['Authorization'] = "Basic #{Base64.strict_encode64("#{@secret_key}:")}"
+        req['Content-Type'] = 'application/json'
+        req.body = JSON.dump(body)
+        perform(uri, req)
+      end
+
+      def perform(uri, req)
+        attempts = 0
+        loop do
+          attempts += 1
+          res = execute_http(uri, req)
+          return parse_body(res) if res.is_a?(Net::HTTPSuccess)
+          raise build_api_error(res) unless retryable?(res, attempts)
+
+          sleep(@backoff * attempts)
+        end
+      rescue Timeout::Error, Errno::ECONNRESET, Errno::ETIMEDOUT, SocketError => e
+        retry if (attempts += 1) <= @retries
+        raise ::Tosspayments2::Rails::APIError.new("Network error: #{e.class}", status: 0, body: { error: e.message })
+      end
+
+      def execute_http(uri, req)
+        http = Net::HTTP.new(uri.host, uri.port)
+        http.use_ssl = uri.scheme == 'https'
+        http.read_timeout = @timeout
+        http.open_timeout = @timeout
+        http.request(req)
+      end
+
+      def parse_body(res)
+        JSON.parse(res.body, symbolize_names: true)
+      rescue JSON::ParserError
+        { raw: res.body }
+      end
+
+      def build_api_error(res)
+        parsed = parse_body(res)
+        request_id = res['X-Request-Id'] || res['X-Request-ID']
+        meta = parsed.is_a?(Hash) ? parsed : { raw: parsed }
+        ::Tosspayments2::Rails::APIError.new(
+          "TossPayments API error #{res.code}",
+          status: res.code.to_i,
+          body: meta,
+          request_id: request_id
+        )
+      end
+
+      def retryable?(res, attempts)
+        attempts <= @retries && res.code.to_i >= 500
+      end
+    end
+  end
+end

data/lib/tosspayments2/rails/configuration.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'singleton'
+require 'logger'
+
+module Tosspayments2
+  module Rails
+    class Configuration
+      include Singleton
+
+      attr_accessor :client_key, :secret_key, :widget_version, :api_base, :timeout, :logger
+
+      def initialize
+        @widget_version = 'v2'
+        @api_base = 'https://api.tosspayments.com'
+        @timeout = 10
+        @logger = defined?(::Rails) ? ::Rails.logger : Logger.new($stdout)
+      end
+    end
+
+    class << self
+      def configuration
+        Configuration.instance
+      end
+
+      def configure
+        yield(configuration) if block_given?
+        configuration
+      end
+    end
+  end
+end

data/lib/tosspayments2/rails/controller_concern.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+require 'active_support/concern'
+module Tosspayments2
+  module Rails
+    module ControllerConcern
+      extend ActiveSupport::Concern
+
+      private
+
+      def toss_client
+        @toss_client ||= ::Tosspayments2::Rails::Client.new
+      end
+    end
+  end
+end

data/lib/tosspayments2/rails/engine.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Tosspayments2
+  module Rails
+    # Rails engine for auto-loading helpers and configuration.
+    class Engine < ::Rails::Engine
+      isolate_namespace Tosspayments2::Rails
+
+      initializer 'tosspayments2.configure' do |app|
+        app.config.tosspayments2 ||= ActiveSupport::OrderedOptions.new
+        app_cfg = app.config.tosspayments2
+        ::Tosspayments2::Rails.configure do |c|
+          c.client_key ||= app_cfg.client_key || ENV.fetch('TOSSPAYMENTS_CLIENT_KEY', nil)
+          c.secret_key ||= app_cfg.secret_key || ENV.fetch('TOSSPAYMENTS_SECRET_KEY', nil)
+          c.widget_version ||= app_cfg.widget_version || 'v2'
+          c.api_base ||= app_cfg.api_base || 'https://api.tosspayments.com'
+          c.timeout ||= app_cfg.timeout || 10
+        end
+      end
+
+      initializer 'tosspayments2.helpers' do
+        ActiveSupport.on_load :action_view do
+          include ::Tosspayments2::Rails::ScriptTagHelper
+        end
+        ActiveSupport.on_load :action_controller do
+          helper ::Tosspayments2::Rails::ScriptTagHelper
+        end
+      end
+    end
+  end
+end

data/lib/tosspayments2/rails/script_tag_helper.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+require 'erb'
+
+module Tosspayments2
+  module Rails
+    module ScriptTagHelper
+      def tosspayments_script_tag(async: true, defer: true, version: nil)
+        v = version || ::Tosspayments2::Rails.configuration.widget_version
+        src = "https://js.tosspayments.com/#{v}/standard"
+        attrs = []
+        attrs << 'async' if async
+        attrs << 'defer' if defer
+        attrs << %(src="#{ERB::Util.html_escape(src)}")
+        "<script #{attrs.join(' ')}></script>".html_safe
+      end
+    end
+  end
+end

data/lib/tosspayments2/rails/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Tosspayments2
+  module Rails
+    VERSION = '0.2.0'
+  end
+end

data/lib/tosspayments2/rails/webhook_verifier.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'openssl'
+require 'base64'
+
+module Tosspayments2
+  module Rails
+    # Verifies incoming webhook using HMAC-SHA256 signature (Base64 encoded).
+    # Assumes TossPayments sends header 'X-TossPayments-Signature'.
+    class WebhookVerifier
+      HEADER_NAME = 'X-TossPayments-Signature'
+
+      def initialize(secret_key: nil)
+        @secret_key = secret_key || ::Tosspayments2::Rails.configuration.secret_key
+        return if @secret_key
+
+        raise ::Tosspayments2::Rails::ConfigurationError,
+              'secret_key required for webhook verification'
+      end
+
+      # @param body [String] raw request body
+      # @param signature [String,nil] header signature value (Base64)
+      # @return [Boolean]
+      def verify?(body, signature)
+        return false unless body && signature
+
+        expected = compute_signature(body)
+        secure_compare?(signature, expected)
+      end
+
+      # Compute signature for a given body
+      def compute_signature(body)
+        digest = OpenSSL::HMAC.digest('sha256', @secret_key, body)
+        Base64.strict_encode64(digest)
+      end
+
+      private
+
+      # Constant-time compare
+      def secure_compare?(given_sig, expected_sig)
+        return false unless given_sig.bytesize == expected_sig.bytesize
+
+        l = given_sig.unpack('C*')
+        res = 0
+        expected_sig.each_byte { |byte| res |= byte ^ l.shift }
+        res.zero?
+      end
+    end
+  end
+end

data/lib/tosspayments2/rails.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+require_relative 'rails/version'
+require_relative 'rails/configuration'
+require_relative 'rails/errors'
+require_relative 'rails/client'
+require_relative 'rails/script_tag_helper'
+require_relative 'rails/controller_concern'
+require_relative 'rails/webhook_verifier'
+require_relative 'rails/callback_verifier'
+require_relative 'rails/engine' if defined?(Rails)
+
+module Tosspayments2
+  module Rails
+    class Error < StandardError; end
+
+    def self.configure(&block)
+      configuration = ::Tosspayments2::Rails.configuration
+      yield(configuration) if block
+      configuration
+    end
+  end
+end

data/sig/tosspayments2/rails.rbs

@@ -0,0 +1,53 @@
+module Tosspayments2
+  module Rails
+    VERSION: String
+    module ScriptTagHelper
+      def tosspayments_script_tag: (?async: bool, ?defer: bool, ?version: String) -> String
+    end
+
+    class Configuration
+      @client_key: String?
+      @secret_key: String?
+      @widget_version: String
+      @api_base: String
+      @timeout: Integer
+      @logger: untyped
+
+      attr_accessor client_key: String?
+      attr_accessor secret_key: String?
+      attr_accessor widget_version: String
+      attr_accessor api_base: String
+      attr_accessor timeout: Integer
+      attr_accessor logger: untyped
+    end
+
+    class Client
+      def initialize: (?secret_key: String, ?api_base: String, ?timeout: Integer) -> void
+      def confirm: (payment_key: String, order_id: String, amount: Integer) -> Hash[Symbol, untyped]
+      def cancel: (payment_key: String, cancel_reason: String, ?amount: Integer) -> Hash[Symbol, untyped]
+    end
+    class CallbackVerifier
+  def match_amount?: (order_id: String, amount: Integer) { (String) -> Integer } -> bool
+    end
+    class APIError < StandardError
+      @status: Integer
+      @body: Hash[Symbol, untyped]?
+      @code: String?
+      attr_reader status: Integer
+      attr_reader body: Hash[Symbol, untyped]?
+      attr_reader code: String?
+    end
+    class VerificationError < StandardError; end
+    class ConfigurationError < StandardError; end
+
+    module ControllerConcern
+    end
+
+    class WebhookVerifier
+      def initialize: (?secret_key: String) -> void
+  def verify?: (untyped, untyped) -> bool
+    end
+
+    def self.configure: () { (Configuration) -> void } -> Configuration
+  end
+end