truelayer-signing 0.1.2 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8cc4b5beb4b79ccfafd7350d4882927d45abea2580d4d4d869d39faae157498d
-  data.tar.gz: ab43241ee2475b2797ff43fc5c142b778ff4e4ef28d042a123b9ac8179d913aa
+  metadata.gz: 751c6c37cee7adedf204491894146d577e70b310d9cd50504c01c29836743271
+  data.tar.gz: d2b7de41a966d0e114dd368320f35578714a674da1d76121d500944f0c33596b
 SHA512:
-  metadata.gz: 6e208e6b3ed16190946cdeceae856ebcddc42b472458b86c527e0dfe52a67fe0d33e954c018f63fcb8502b659081aa35522516f9dacfb12f492b36a7830fe6b6
-  data.tar.gz: 3282b084e0907c8c709dfa2f3d2bef71527bca7181c342a24de63262c70ffa3a9e41f4437eb77f667a1e9c6a45776b8db6549ce709b244128b5fb58006b4afea
+  metadata.gz: 88a7bc727e82df06eccb1992036730e49f6de45a6d38d6df7d2cf8d749441a8d1f5be031e59410e45778da20d84fac03bb07f7bf11103387893baebd4d86af2b
+  data.tar.gz: 249a44e6a94171f89f69f1e53aff377bee6ac6de33a3f2383a6c7f4ed94b517e216cd81da450caf1f363f21e1a8f60edcb6dfc71481af0c7fc70336d028ea0de

data/CHANGELOG.md

@@ -9,6 +9,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - ...
 
+## [0.2.1] – 2023-07-14
+
+- Disable expiration verification
+- Add missing header discovery
+
+## [0.2.0] – 2023-06-13
+
+- Add support for signature verification using a JWKS: `TrueLayerSigning.verify_with_jwks(jwks)`
+    and `TrueLayerSigning.extract_jws_header(signature)`.
+
 ## [0.1.2] – 2023-05-19
 
 - Fix conflict with JWT library

data/README.md

@@ -59,10 +59,20 @@ See full example of [request signing].
 
 ## Verifying webhooks
 
-The `verify_with_pem` method may be used to verify webhook `Tl-Signature` header signatures.
+The `verify_with_jwks` method may be used to verify webhook `Tl-Signature` header signatures.
 
 ```ruby
-TrueLayerSigning.verify_with_pem(pem)
+# The `jku` field is included in webhook signatures
+jku = TrueLayerSigning.extract_jws_header(webhook_signature).jku
+
+# You should check that the `jku` is a valid TrueLayer URL (not provided by this library)
+ensure_jku_allowed(jku)
+
+# Then fetch JSON Web Key Set from the public URL (not provided by this library)
+jwks = fetch_jwks(jku)
+
+# The raw JWKS value may be used directly to verify a signature
+TrueLayerSigning.verify_with_jwks(jwks)
   .set_method(method)
   .set_path(path)
   .set_headers(headers)

data/examples/webhook-server/Gemfile

@@ -1,4 +1,5 @@
 source "https://rubygems.org"
 
+gem "http"
 gem "truelayer-signing"
 gem "webrick"

data/examples/webhook-server/Gemfile.lock

@@ -1,15 +1,40 @@
 GEM
   remote: https://rubygems.org/
   specs:
-    jwt (2.6.0)
-    truelayer-signing (0.1.1)
-      jwt (= 2.6)
+    addressable (2.8.4)
+      public_suffix (>= 2.0.2, < 6.0)
+    domain_name (0.5.20190701)
+      unf (>= 0.0.5, < 1.0.0)
+    ffi (1.15.5)
+    ffi-compiler (1.0.1)
+      ffi (>= 1.0.0)
+      rake
+    http (5.1.1)
+      addressable (~> 2.8)
+      http-cookie (~> 1.0)
+      http-form_data (~> 2.2)
+      llhttp-ffi (~> 0.4.0)
+    http-cookie (1.0.5)
+      domain_name (~> 0.5)
+    http-form_data (2.3.0)
+    jwt (2.7.0)
+    llhttp-ffi (0.4.0)
+      ffi-compiler (~> 1.0)
+      rake (~> 13.0)
+    public_suffix (5.0.1)
+    rake (13.0.6)
+    truelayer-signing (0.2.0)
+      jwt (~> 2.7)
+    unf (0.1.4)
+      unf_ext
+    unf_ext (0.0.8.2)
     webrick (1.8.1)
 
 PLATFORMS
   arm64-darwin-21
 
 DEPENDENCIES
+  http
   truelayer-signing
   webrick
 

data/examples/webhook-server/main.rb

@@ -1,23 +1,14 @@
-require 'securerandom'
-require 'truelayer-signing'
-require 'webrick'
+require "http"
+require "truelayer-signing"
+require "webrick"
 
 class TrueLayerSigningExamples
   # Note: the webhook path can be whatever is configured for your application.
   # Here a unique path is used, matching the example signature in the README.
   WEBHOOK_PATH = "/hook/d7a2c49d-110a-4ed2-a07d-8fdb3ea6424b".freeze
-  PUBLIC_KEY_PEM = <<~TXT.freeze
-    -----BEGIN PUBLIC KEY-----
-    MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBJ6ET9XeVCyMy+yOetZaNNCXPhwr5
-    BlyDDg1CLmyNM5SvqOs8RveL6dYl4lpPur4xrPQl04ggYlVd9wnHkZnp3jcBlXw8
-    Lc5phyYF1q2/QV/5wp2WHIhKDqUiXC0TvlE8d7MdTAN9yolcwrh6aWZ3kesTMZif
-    BgItyT6PXUab8mMdI8k=
-    -----END PUBLIC KEY-----
-  TXT
 
   class << self
     def run_webhook_server
-      TrueLayerSigning.certificate_id ||= SecureRandom.uuid
       server = WEBrick::HTTPServer.new(Port: 4567)
 
       puts "Server running at http://localhost:4567"
@@ -61,9 +52,19 @@ class TrueLayerSigningExamples
 
       return ["400", "Bad Request – Header `Tl-Signature` missing"] unless tl_signature
 
+      jku = TrueLayerSigning.extract_jws_header(tl_signature).jku
+
+      return ["400", "Bad Request – Signature missing `jku`"] unless jku
+      return ["401", "Unauthorized – Unpermitted `jku`"] \
+        unless jku == "https://webhooks.truelayer.com/.well-known/jwks" ||
+          jku == "https://webhooks.truelayer-sandbox.com/.well-known/jwks"
+
+      jwks = HTTP.get(jku)
+
+      return ["401", "Unauthorized – Unavailable `jwks` resource"] unless jwks.status.success?
+
       begin
-        TrueLayerSigning
-          .verify_with_pem(PUBLIC_KEY_PEM)
+        TrueLayerSigning.verify_with_jwks(jwks.to_s)
           .set_method(:post)
           .set_path(path)
           .set_headers(headers)

data/lib/truelayer-signing/jwt.rb

@@ -29,7 +29,7 @@ module JWT
     ).segments
   end
 
-  def truelayer_decode(jwt, key, verify, options, &keyfinder)
+  def truelayer_decode(jwt, key, verify = true, options, &keyfinder)
     TrueLayerDecode.new(
       jwt,
       key,

data/lib/truelayer-signing/signer.rb

@@ -7,7 +7,9 @@ module TrueLayerSigning
 
       private_key = OpenSSL::PKey.read(TrueLayerSigning.private_key)
       jws_header_args = { tl_headers: headers }
+
       jws_header_args[:jku] = jws_jku if jws_jku
+
       jws_header = TrueLayerSigning::JwsHeader.new(jws_header_args).to_h
       jwt = JWT.truelayer_encode(build_signing_payload, private_key, TrueLayerSigning.algorithm,
         jws_header)
@@ -18,6 +20,7 @@ module TrueLayerSigning
 
     def set_jku(jku)
       @jws_jku = jku
+
       self
     end
 

data/lib/truelayer-signing/utils.rb

@@ -16,18 +16,20 @@ module TrueLayerSigning
 
     def to_h
       hash = instance_variables.map { |var| [var[1..-1].to_sym, instance_variable_get(var)] }.to_h
+
       hash.reject { |key, _value| hash[key].nil? }
     end
 
     def filter_headers(headers)
       required_header_keys = tl_headers.split(",").reject { |key| key.empty? }
       normalised_headers = {}
+
       headers.to_a.each { |header| normalised_headers[header.first.downcase] = header.last }
 
       ordered_headers = required_header_keys.map do |key|
         value = normalised_headers[key.downcase]
 
-        raise(Error, "Missing header(s) declared in signature") unless value
+        raise(Error, "Missing header declared in signature: #{key.downcase}") unless value
 
         [key, value]
       end
@@ -50,6 +52,7 @@ module TrueLayerSigning
 
     def set_method(method)
       @method = method.to_s.upcase
+
       self
     end
 
@@ -57,21 +60,25 @@ module TrueLayerSigning
       raise(Error, "Path must start with '/'") unless path.start_with?("/")
 
       @path = path
+
       self
     end
 
     def add_header(name, value)
       @headers[name.to_s] = value
+
       self
     end
 
     def set_headers(headers)
       headers.each { |name, value| @headers[name.to_s] = value }
+
       self
     end
 
     def set_body(body)
       @body = body
+
       self
     end
 

data/lib/truelayer-signing/verifier.rb

@@ -1,9 +1,13 @@
 module TrueLayerSigning
   class Verifier < JwsBase
-    attr_reader :required_headers, :key_value
+    EXPECTED_EC_KEY_COORDS_LENGTH = 66.freeze
+
+    attr_reader :required_headers, :key_type, :key_value
 
     def initialize(args)
       super
+
+      @key_type = args[:key_type]
       @key_value = args[:key_value]
     end
 
@@ -11,45 +15,30 @@ module TrueLayerSigning
       ensure_verifier_config!
 
       jws_header, jws_header_b64, signature_b64 = self.class.parse_tl_signature(tl_signature)
-      public_key = OpenSSL::PKey.read(key_value)
 
       raise(Error, "Unexpected `alg` header value") if jws_header.alg != TrueLayerSigning.algorithm
 
       ordered_headers = jws_header.filter_headers(headers)
       normalised_headers = {}
+
       ordered_headers.to_a.each { |header| normalised_headers[header.first.downcase] = header.last }
 
       raise(Error, "Signature missing required header(s)") if required_headers &&
         required_headers.any? { |key| !normalised_headers.has_key?(key.downcase) }
 
-      payload_b64 = Base64.urlsafe_encode64(build_signing_payload(ordered_headers), padding: false)
-      full_signature = [jws_header_b64, payload_b64, signature_b64].join(".")
-      jwt_options = { algorithm: TrueLayerSigning.algorithm }
-
-      begin
-        JWT.truelayer_decode(full_signature, public_key, true, jwt_options)
-      rescue JWT::VerificationError
-        @path = path.end_with?("/") && path[0...-1] || path + "/"
-        payload_b64 = Base64.urlsafe_encode64(build_signing_payload(ordered_headers),
-                                              padding: false)
-        full_signature = [jws_header_b64, payload_b64, signature_b64].join(".")
-
-        begin
-          JWT.truelayer_decode(full_signature, public_key, true, jwt_options)
-        rescue
-          raise(Error, "Signature verification failed")
-        end
-      end
+      verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
     end
 
     def require_header(name)
       @required_headers ||= []
       @required_headers.push(name)
+
       self
     end
 
     def require_headers(names)
       @required_headers = names
+
       self
     end
 
@@ -69,6 +58,77 @@ module TrueLayerSigning
       [jws_header, jws_header_b64, signature_b64]
     end
 
+    private def verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
+      full_signature = build_full_signature(ordered_headers, jws_header_b64, signature_b64)
+
+      begin
+        verify_signature(jws_header, full_signature)
+      rescue JWT::VerificationError
+        @path = path.end_with?("/") && path[0...-1] || path + "/"
+        full_signature = build_full_signature(ordered_headers, jws_header_b64, signature_b64)
+
+        begin
+          verify_signature(jws_header, full_signature)
+        rescue JWT::VerificationError
+          raise(Error, "Signature verification failed")
+        end
+      end
+    end
+
+    private def build_full_signature(ordered_headers, jws_header_b64, signature_b64)
+      payload_b64 = Base64.urlsafe_encode64(build_signing_payload(ordered_headers), padding: false)
+
+      [jws_header_b64, payload_b64, signature_b64].join(".")
+    end
+
+    private def verify_signature(jws_header, full_signature)
+      case key_type
+      when :pem
+        public_key = OpenSSL::PKey.read(key_value)
+      when :jwks
+        public_key = retrieve_public_key(:jwks, key_value, jws_header)
+      end
+
+      jwt_options = {
+        algorithm: TrueLayerSigning.algorithm,
+        verify_expiration: false,
+        verify_not_before: false
+      }
+
+      JWT.truelayer_decode(full_signature, public_key, jwt_options)
+    end
+
+    private def retrieve_public_key(key_type, key_value, jws_header)
+      case key_type
+      when :pem
+        OpenSSL::PKey.read(key_value)
+      when :jwks
+        jwks_hash = JSON.parse(key_value, symbolize_names: true)
+        jwk = jwks_hash[:keys].find { |key| key[:kid] == jws_header.kid }
+
+        raise(Error, "JWKS does not include given `kid` value") unless jwk
+
+        valid_jwk = apply_zero_padding_as_needed(jwk)
+
+        JWT::JWK::EC.import(valid_jwk).public_key
+      else
+        raise(Error, "Type of public key not recognised")
+      end
+    end
+
+    private def apply_zero_padding_as_needed(jwk)
+      valid_jwk = jwk.clone
+
+      %i(x y).each do |elem|
+        coords = Base64.urlsafe_decode64(valid_jwk[elem])
+        diff = EXPECTED_EC_KEY_COORDS_LENGTH - coords.length
+
+        valid_jwk[elem] = Base64.urlsafe_encode64(("\x00" * diff) + coords) if diff > 0
+      end
+
+      valid_jwk
+    end
+
     private def ensure_verifier_config!
       raise(Error, "Key value missing") unless key_value
     end

data/lib/truelayer-signing.rb

@@ -28,8 +28,16 @@ module TrueLayerSigning
       Signer.new
     end
 
+    def extract_jws_header(signature)
+      Verifier.parse_tl_signature(signature).first
+    end
+
+    def verify_with_jwks(jwks)
+      Verifier.new(key_type: :jwks, key_value: jwks)
+    end
+
     def verify_with_pem(pem)
-      Verifier.new(key_value: pem)
+      Verifier.new(key_type: :pem, key_value: pem)
     end
   end
 end

data/test/resources/failed-payment-expired-test-payload.json

@@ -0,0 +1,12 @@
+{
+  "type": "payment_failed",
+  "event_version": 1,
+  "event_id": "6f00897f-f8c8-4ffb-93a3-cfbd311396e2",
+  "payment_id": "2c4db314-b509-4d68-b883-a34ca5fa7b72",
+  "payment_method": {
+    "type": "bank_transfer"
+  },
+  "failed_at": "2023-07-11T17:42:24.123Z",
+  "failure_stage": "authorization_required",
+  "failure_reason": "expired"
+}

data/test/resources/missing-zero-padding-test-jwks.json

@@ -0,0 +1,19 @@
+{
+  "keys": [
+    {
+      "kty": "RSA",
+      "alg": "RS512",
+      "kid": "c9034c0f-bd06-4dd1-98fe-f67a5a1a0601",
+      "n": "yWTtfMrBLrVaMgUO2Oz83kMHbJX0aCSwkQ4gZoXruicEBfhWKSC4VV6WB3CZIBGfxGhJhSBFkFizdZzjSTQYIB-OIQcFR2FtP5tSSpK2K7d4-CvBs78_rOFyA4Vz4aoYLlJOWmFurMod27BmQe1UrDRm0SWJbE9L8TqtQYKDva0sWeQPuxj2Stv4BBf7Z5Zq8NyCAiW-TMmhV7silLT8eN7MLp6X_-BFoHgZSL26ECd5KkQxVE8kl9Cl-GelmcbT8CIM4LQ8vTSYB6ADHcAte24xtP3IUv5_K-gFaNucbC1i95X0Ha2UNx13uFfaBVOngwFyAnU7eFlZh_MJS_kCXw",
+      "e": "AQAB"
+    },
+    {
+      "kty": "EC",
+      "alg": "ES512",
+      "kid": "d3534b83-bdc7-4066-adb5-c8d4bf616601",
+      "crv": "P-521",
+      "x": "AQO9n3CGUtsvQEWivE7KTkbaqY-xxsa0EPhplLxj0Nak6dS400ug0VhMqgTXfyc3nV3UA7Mz7x5dDL13YyUtfiOq",
+      "y": "fRU9nhcoS3FUZD7UzBUt9AOOpShMlV8yXC3VXn0FTRB7ySDqZnr1th0ZYnt0uihMDKYKB0-TrptWg1hgA75aeiI"
+    }
+  ]
+}

data/test/resources/missing-zero-padding-test-payload.json

@@ -0,0 +1,22 @@
+{
+  "type": "payment_executed",
+  "event_version": 1,
+  "event_id": "2606ed6d-5c89-4bd9-8f95-40e42c95ca71",
+  "payment_id": "a62ba556-4b35-4628-9d8c-42302d2e5d02",
+  "payment_method": {
+    "type": "bank_transfer",
+    "provider_id": "mock-payments-gb-redirect",
+    "scheme_id": "faster_payments_service"
+  },
+  "executed_at": "2023-06-09T15:40:30.561Z",
+  "payment_source": {
+    "account_identifiers": [
+      {
+        "type": "sort_code_account_number",
+        "sort_code": "040668",
+        "account_number": "00000871"
+      }
+    ],
+    "account_holder_name": "JOHN SANDBRIDGE"
+  }
+}

data/test/resources/missing-zero-padding-test-signature.txt

@@ -0,0 +1 @@
+eyJhbGciOiJFUzUxMiIsImtpZCI6ImQzNTM0YjgzLWJkYzctNDA2Ni1hZGI1LWM4ZDRiZjYxNjYwMSIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGVhZGVycyI6IngtdGwtd2ViaG9vay10aW1lc3RhbXAiLCJqa3UiOiJodHRwczovL3dlYmhvb2tzLnRydWVsYXllci1zYW5kYm94LmNvbS8ud2VsbC1rbm93bi9qd2tzIn0..AVKH1WQK4Z4tIF3I-gU1AkLI7o4Dk-ZpALG7rKuMPQdksVwzUVBa8zq3LdvV2SHNzlH50NhGVYi-j4nC8G23Qd5UAW8DCvMB1ynTBVE_3vKzbmbfh8Dg3TAPvZCdajQiDLrLJp5iiUtcRgML2EI_zt9SEAkpIaSxFU8DHnMm8CN3YEQT

data/test/test-truelayer-signing.rb

@@ -1,11 +1,13 @@
 require "minitest/autorun"
 require "truelayer-signing"
 
+def read_file(path)
+  File.read(File.expand_path(path, File.dirname(__FILE__)))
+end
+
 CERTIFICATE_ID = "45fc75cf-5649-4134-84b3-192c2c78e990".freeze
-PRIVATE_KEY = File.read(File.expand_path("../../test-resources/ec512-private.pem",
-                                         File.dirname(__FILE__))).freeze
-PUBLIC_KEY = File.read(File.expand_path("../../test-resources/ec512-public.pem",
-                                        File.dirname(__FILE__))).freeze
+PRIVATE_KEY = read_file("../../test-resources/ec512-private.pem").freeze
+PUBLIC_KEY = read_file("../../test-resources/ec512-public.pem").freeze
 
 TrueLayerSigning.certificate_id = CERTIFICATE_ID.freeze
 TrueLayerSigning.private_key = PRIVATE_KEY.freeze
@@ -59,6 +61,24 @@ class TrueLayerSigningTest < Minitest::Test
     refute(result.first.include?("\nIdempotency-Key: "))
   end
 
+  def test_full_request_signature_without_method_should_default_to_post_and_succeed
+    body = { currency: "GBP", max_amount_in_minor: 50_000_00 }.to_json
+    path = "/merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping"
+
+    tl_signature = TrueLayerSigning.sign_with_pem
+      .set_path(path)
+      .set_body(body)
+      .sign
+
+    result = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
+      .set_path(path)
+      .set_body(body)
+      .verify(tl_signature)
+
+    assert(result.first
+      .start_with?("POST /merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping\n"))
+  end
+
   def test_mismatched_signature_with_attached_valid_body_should_fail
     # Signature for `/bar` but with a valid jws-body pre-attached.
     # If we run a simple jws verify on this unchanged, it'll work!
@@ -101,8 +121,7 @@ class TrueLayerSigningTest < Minitest::Test
     body = { currency: "GBP", max_amount_in_minor: 50_000_00, name: "Foo???" }.to_json
     idempotency_key = "idemp-2076717c-9005-4811-a321-9e0787fa0382"
     path = "/merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping"
-    tl_signature = File.read(File.expand_path("../../test-resources/tl-signature.txt",
-                                              File.dirname(__FILE__)))
+    tl_signature = read_file("../../test-resources/tl-signature.txt")
 
     result = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
       .set_method(:post)
@@ -295,7 +314,7 @@ class TrueLayerSigningTest < Minitest::Test
       .set_body(body)
 
     error = assert_raises(TrueLayerSigning::Error) { verifier.verify(tl_signature) }
-    assert_equal("Missing header(s) declared in signature", error.message)
+    assert_equal("Missing header declared in signature: idempotency-key", error.message)
   end
 
   def test_full_request_signature_missing_required_header_should_fail
@@ -370,6 +389,121 @@ class TrueLayerSigningTest < Minitest::Test
       .start_with?("POST /merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping\n"))
   end
 
+  def test_extract_jws_header_should_succeed
+    hook_signature = read_file("../../test-resources/webhook-signature.txt")
+    jws_header = TrueLayerSigning.extract_jws_header(hook_signature)
+
+    assert_equal("ES512", jws_header.alg)
+    assert_equal(CERTIFICATE_ID, jws_header.kid)
+    assert_equal("2", jws_header.tl_version)
+    assert_equal("X-Tl-Webhook-Timestamp,Content-Type", jws_header.tl_headers)
+    assert_equal("https://webhooks.truelayer.com/.well-known/jwks", jws_header.jku)
+  end
+
+  def test_verify_with_jwks_should_succeed
+    hook_signature = read_file("../../test-resources/webhook-signature.txt")
+    jwks = read_file("../../test-resources/jwks.json")
+    body = { event_type: "example", event_id: "18b2842b-a57b-4887-a0a6-d3c7c36f1020" }.to_json
+
+    TrueLayerSigning.verify_with_jwks(jwks)
+      .set_method(:post)
+      .set_path("/tl-webhook")
+      .add_header("x-tl-webhook-timestamp", "2021-11-29T11:42:55Z")
+      .add_header("content-type", "application/json")
+      .set_body(body)
+      .verify(hook_signature)
+  end
+
+  def test_verify_with_jwks_with_zero_padding_missing_should_succeed
+    jwks = read_file("resources/missing-zero-padding-test-jwks.json")
+
+    # JWKS with EC key missing zero padded coords is not supported by `jwt` gem
+
+    jwks_as_json = JSON.parse(jwks, symbolize_names: true)
+    jwk_missing_padding = jwks_as_json[:keys].find { |e| e[:kty] == "EC" }
+    imported_jwk = JWT::JWK::EC.import(jwk_missing_padding)
+
+    error = assert_raises(OpenSSL::PKey::EC::Point::Error) { imported_jwk.public_key.check_key }
+    assert_equal("EC_POINT_bn2point: invalid encoding", error.message)
+
+    # But supported by `truelayer-signing` using zero padding (prepend)
+
+    payload = read_file("resources/missing-zero-padding-test-payload.json")
+    body = JSON.parse(payload).to_json
+
+    TrueLayerSigning.verify_with_jwks(jwks)
+      .set_method(:post)
+      .set_path("/a147f26a-f07e-47e3-9526-d52f1f1fdd55")
+      .add_header("x-tl-webhook-timestamp", "2023-06-09T15:40:30Z")
+      .set_body(body)
+      .verify(read_file("resources/missing-zero-padding-test-signature.txt"))
+  end
+
+  def test_verify_with_jwks_with_wrong_timestamp_should_fail
+    hook_signature = read_file("../../test-resources/webhook-signature.txt")
+    jwks = read_file("../../test-resources/jwks.json")
+    body = { event_type: "example", event_id: "18b2842b-a57b-4887-a0a6-d3c7c36f1020" }.to_json
+
+    verifier = TrueLayerSigning.verify_with_jwks(jwks)
+      .set_method(:post)
+      .set_path("/tl-webhook")
+      .add_header("x-tl-webhook-timestamp", "2021-12-29T11:42:55Z")
+      .add_header("content-type", "application/json")
+      .set_body(body)
+
+    error = assert_raises(TrueLayerSigning::Error) { verifier.verify(hook_signature) }
+    assert_equal("Signature verification failed", error.message)
+  end
+
+  # This test reproduces an issue we had with an edge case
+  def test_verify_with_failed_payment_expired_webhook_should_succeed
+    path = "/tl-webhook"
+    payload = read_file("resources/failed-payment-expired-test-payload.json")
+    body = JSON.parse(payload).to_json
+
+    tl_signature = TrueLayerSigning.sign_with_pem
+      .set_method(:post)
+      .set_path(path)
+      .set_body(body)
+      .sign
+
+    result = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
+      .set_method(:post)
+      .set_path(path)
+      .set_body(body)
+      .verify(tl_signature)
+
+    assert(result.first.start_with?("POST /tl-webhook\n"))
+    assert(result.first.include?("\"failure_reason\":\"expired\""))
+  end
+
+  def test_sign_with_pem_and_custom_jku_should_succeed
+    body = { currency: "GBP", max_amount_in_minor: 50_000_00 }.to_json
+    idempotency_key = "idemp-2076717c-9005-4811-a321-9e0787fa0382"
+    path = "/merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping"
+
+    tl_signature_1 = TrueLayerSigning.sign_with_pem
+      .set_path(path)
+      .add_header("Idempotency-Key", idempotency_key)
+      .set_body(body)
+      .sign
+
+    jws_header_1 = TrueLayerSigning.extract_jws_header(tl_signature_1)
+
+    assert_nil(jws_header_1.jku)
+
+    tl_signature_2 = TrueLayerSigning.sign_with_pem
+      .set_path(path)
+      .add_header("Idempotency-Key", idempotency_key)
+      .set_body(body)
+      .set_jku("https://webhooks.truelayer.com/.well-known/jwks")
+      .sign
+
+    jws_header_2 = TrueLayerSigning.extract_jws_header(tl_signature_2)
+
+    assert_equal("https://webhooks.truelayer.com/.well-known/jwks", jws_header_2.jku)
+  end
+
   # TODO: remove if/when we get rid of `lib/truelayer-signing/jwt.rb`
   def test_jwt_encode_and_decode_should_succeed
     payload_object = { currency: "GBP", max_amount_in_minor: 50_000_00 }

data/truelayer-signing.gemspec

@@ -2,7 +2,7 @@ $LOAD_PATH.unshift(::File.join(::File.dirname(__FILE__), "lib"))
 
 Gem::Specification.new do |s|
   s.name = "truelayer-signing"
-  s.version = "0.1.2"
+  s.version = "0.2.1"
   s.summary = "Ruby gem to produce and verify TrueLayer API requests signatures"
   s.description = "TrueLayer provides instant access to open banking to " \
     "easily integrate next-generation payments and financial data into any app." \
@@ -21,5 +21,5 @@ Gem::Specification.new do |s|
   s.require_paths = ["lib"]
 
   s.required_ruby_version = ">= 2.7"
-  s.add_runtime_dependency("jwt",  "2.6")
+  s.add_runtime_dependency("jwt",  "~> 2.7")
 end