truelayer-signing 0.2.0 → 0.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7675d871fb8de41624e5f92fb6b0252fac90900f2f52c6bd9b182ea0f80cde44
-  data.tar.gz: 2345bf7cfc1619ef8c5e1bb20ed56f966ec9a71263798bde713aca0ba92b0811
+  metadata.gz: fd87086c0bf22e70c924a9b3cc97e600070d0c8840b07edc56cff847177231a8
+  data.tar.gz: 86633894d1b455bc43e2bbc41d175deb47b5288411355d0bc5a96768625acb13
 SHA512:
-  metadata.gz: df411a9c02a97ab165f5a47063ec0ca3fae67fe437f96af20b1f71eab4f88105bd8259a3c9685056c91210c3dca0134721f5c3b94e9cc39691756f6b64c17279
-  data.tar.gz: a39b865f5c4a1a3226cc8071f3c5971ff8c32c536d4b7b88ddab8cf7ffcc71fa2e36c3d3409b5fa7f3d25647f8ea8fb202ef6f74ac51661e85c2b089f6a4e2c4
+  metadata.gz: d2698bda8922e5daec55f4e5f25721f0f498a8e0485aff3e7852b1c0a2bf39363ca5b37674f294513ac752521325aa6eaefb924fc45bf42ea44fe948061aefc7
+  data.tar.gz: 5494b6be736e4d17dab4bb32f5d2c53edb331a4fa5dc67c17f1eb6845ec547aec6bb9f8e10529cf349a674b1a3be985d2af9ef8837620b50a8401fc7e0f60d3a

data/CHANGELOG.md

@@ -9,6 +9,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - ...
 
+## [0.2.2] – 2023-12-06
+
+- Add code linter
+
+## [0.2.1] – 2023-07-14
+
+- Disable expiration verification
+- Add missing header discovery
+
 ## [0.2.0] – 2023-06-13
 
 - Add support for signature verification using a JWKS: `TrueLayerSigning.verify_with_jwks(jwks)`

data/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gem "rubocop", "~> 1.57", require: false

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rake/testtask"
 
 Rake::TestTask.new do |t|

data/lib/truelayer-signing/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
   class Config
     attr_accessor :certificate_id, :private_key
@@ -12,10 +14,10 @@ module TrueLayerSigning
 
     # @return [TrueLayerSigning::Config]
     def initialize
-      @algorithm = "ES512".freeze
-      @certificate_id = ENV.fetch("TRUELAYER_SIGNING_CERTIFICATE_ID", nil).freeze
-      @private_key = ENV.fetch("TRUELAYER_SIGNING_PRIVATE_KEY", nil)&.gsub(/\\n/, "\n").freeze
-      @version = "2".freeze
+      @algorithm = "ES512"
+      @certificate_id = ENV.fetch("TRUELAYER_SIGNING_CERTIFICATE_ID", nil)
+      @private_key = ENV.fetch("TRUELAYER_SIGNING_PRIVATE_KEY", nil)&.gsub("\\n", "\n")
+      @version = "2"
     end
   end
 end

data/lib/truelayer-signing/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
   class Error < StandardError; end
 end

data/lib/truelayer-signing/jwt.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # TODO: this is a custom patch of payload-related methods, from the 'jwt' gem.
 # It prevents the payload from being systematically converted to and from JSON.
 # To be changed in the 'jwt' gem directly, or hard-coded in this library.
@@ -5,18 +7,22 @@ module JWT
   module_function
 
   class TrueLayerEncode < Encode
+    private
+
     # See https://github.com/jwt/ruby-jwt/blob/main/lib/jwt/encode.rb#L53-L55
-    private def encode_payload
+    def encode_payload
       ::JWT::Base64.url_encode(@payload)
     end
   end
 
   class TrueLayerDecode < Decode
+    private
+
     # See https://github.com/jwt/ruby-jwt/blob/main/lib/jwt/decode.rb#L154-L156
-    private def payload
+    def payload
       @payload ||= ::JWT::Base64.url_decode(@segments[1])
     rescue ::JSON::ParserError
-      raise JWT::DecodeError, 'Invalid segment encoding'
+      raise JWT::DecodeError, "Invalid segment encoding"
     end
   end
 
@@ -29,7 +35,8 @@ module JWT
     ).segments
   end
 
-  def truelayer_decode(jwt, key, verify, options, &keyfinder)
+  # rubocop:disable Style/OptionalArguments, Style/OptionalBooleanParameter
+  def truelayer_decode(jwt, key, verify = true, options, &keyfinder)
     TrueLayerDecode.new(
       jwt,
       key,
@@ -38,4 +45,5 @@ module JWT
       &keyfinder
     ).decode_segments
   end
+  # rubocop:enable Style/OptionalArguments, Style/OptionalBooleanParameter
 end

data/lib/truelayer-signing/signer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
   class Signer < JwsBase
     attr_reader :jws_jku
@@ -6,11 +8,13 @@ module TrueLayerSigning
       ensure_signer_config!
 
       private_key = OpenSSL::PKey.read(TrueLayerSigning.private_key)
-      jws_header_args = { tl_headers: headers }
-      jws_header_args[:jku] = jws_jku if jws_jku
-      jws_header = TrueLayerSigning::JwsHeader.new(jws_header_args).to_h
-      jwt = JWT.truelayer_encode(build_signing_payload, private_key, TrueLayerSigning.algorithm,
-        jws_header)
+      jws_header = generate_jws_header!
+      jwt = JWT.truelayer_encode(
+        build_signing_payload,
+        private_key,
+        TrueLayerSigning.algorithm,
+        jws_header
+      )
       header, _, signature = jwt.split(".")
 
       "#{header}..#{signature}"
@@ -18,16 +22,24 @@ module TrueLayerSigning
 
     def set_jku(jku)
       @jws_jku = jku
+
       self
     end
 
-    private def ensure_signer_config!
+    private
+
+    def generate_jws_header!
+      jws_header_args = { tl_headers: headers }
+      jws_header_args[:jku] = jws_jku if jws_jku
+
+      TrueLayerSigning::JwsHeader.new(jws_header_args).to_h
+    end
+
+    def ensure_signer_config!
       raise(Error, "TRUELAYER_SIGNING_CERTIFICATE_ID missing") \
-        if TrueLayerSigning.certificate_id.nil? ||
-          TrueLayerSigning.certificate_id.empty?
+        if TrueLayerSigning.certificate_id.nil? || TrueLayerSigning.certificate_id.empty?
       raise(Error, "TRUELAYER_SIGNING_PRIVATE_KEY missing") \
-        if TrueLayerSigning.private_key.nil? ||
-          TrueLayerSigning.private_key.empty?
+        if TrueLayerSigning.private_key.nil? || TrueLayerSigning.private_key.empty?
       raise(Error, "Request path missing") unless path
       raise(Error, "Request body missing") unless body
     end

data/lib/truelayer-signing/utils.rb

@@ -1,11 +1,22 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
+  class Utils
+    def self.normalise_headers!(headers)
+      normalised_headers = {}
+
+      headers.to_a.each { |header| normalised_headers[header.first.downcase] = header.last }
+
+      normalised_headers
+    end
+  end
+
   class JwsHeader
     attr_reader :alg, :kid, :tl_version, :tl_headers, :jku
 
     def initialize(args = {})
       raise(Error, "TRUELAYER_SIGNING_CERTIFICATE_ID is missing") \
-        if TrueLayerSigning.certificate_id.nil? ||
-          TrueLayerSigning.certificate_id.empty?
+        if TrueLayerSigning.certificate_id.nil? || TrueLayerSigning.certificate_id.empty?
 
       @alg = args[:alg] || TrueLayerSigning.algorithm
       @kid = args[:kid] || TrueLayerSigning.certificate_id
@@ -15,41 +26,47 @@ module TrueLayerSigning
     end
 
     def to_h
-      hash = instance_variables.map { |var| [var[1..-1].to_sym, instance_variable_get(var)] }.to_h
+      hash = instance_variables.to_h { |var| [var[1..].to_sym, instance_variable_get(var)] }
+
       hash.reject { |key, _value| hash[key].nil? }
     end
 
     def filter_headers(headers)
-      required_header_keys = tl_headers.split(",").reject { |key| key.empty? }
-      normalised_headers = {}
-      headers.to_a.each { |header| normalised_headers[header.first.downcase] = header.last }
+      required_header_keys = tl_headers.split(",").reject(&:empty?)
+      normalised_headers = Utils.normalise_headers!(headers)
+      ordered_headers = validate_declared_headers!(required_header_keys, normalised_headers)
+
+      ordered_headers.to_h
+    end
+
+    private
 
-      ordered_headers = required_header_keys.map do |key|
+    def validate_declared_headers!(required_header_keys, normalised_headers)
+      required_header_keys.map do |key|
         value = normalised_headers[key.downcase]
 
-        raise(Error, "Missing header(s) declared in signature") unless value
+        raise(Error, "Missing header declared in signature: #{key.downcase}") unless value
 
         [key, value]
       end
-
-      ordered_headers.to_h
     end
 
-    private def retrieve_headers(tl_headers)
-      tl_headers && tl_headers.is_a?(Hash) && tl_headers.keys.join(",") || tl_headers || ""
+    def retrieve_headers(tl_headers)
+      (tl_headers.is_a?(Hash) && tl_headers.keys.join(",")) || tl_headers || ""
     end
   end
 
   class JwsBase
     attr_reader :method, :path, :headers, :body
 
-    def initialize(args = {})
+    def initialize(_args = {})
       @method = "POST"
       @headers = {}
     end
 
     def set_method(method)
       @method = method.to_s.upcase
+
       self
     end
 
@@ -57,33 +74,39 @@ module TrueLayerSigning
       raise(Error, "Path must start with '/'") unless path.start_with?("/")
 
       @path = path
+
       self
     end
 
     def add_header(name, value)
       @headers[name.to_s] = value
+
       self
     end
 
     def set_headers(headers)
       headers.each { |name, value| @headers[name.to_s] = value }
+
       self
     end
 
     def set_body(body)
       @body = body
+
       self
     end
 
-    private def build_signing_payload(custom_headers = nil)
+    private
+
+    def build_signing_payload(custom_headers = nil)
       parts = []
       parts.push("#{method.upcase} #{path}")
-      parts.push(custom_headers && format_headers(custom_headers) || format_headers(headers))
+      parts.push((custom_headers && format_headers(custom_headers)) || format_headers(headers))
       parts.push(body)
       parts.reject { |elem| elem.nil? || elem.empty? }.join("\n")
     end
 
-    private def format_headers(headers)
+    def format_headers(headers)
       headers.map { |key, value| "#{key}: #{value}" }.join("\n")
     end
   end

data/lib/truelayer-signing/verifier.rb

@@ -1,11 +1,14 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
   class Verifier < JwsBase
-    EXPECTED_COORDS_LENGTH = 66.freeze
+    EXPECTED_EC_KEY_COORDS_LENGTH = 66
 
     attr_reader :required_headers, :key_type, :key_value
 
     def initialize(args)
       super
+
       @key_type = args[:key_type]
       @key_value = args[:key_value]
     end
@@ -15,14 +18,12 @@ module TrueLayerSigning
 
       jws_header, jws_header_b64, signature_b64 = self.class.parse_tl_signature(tl_signature)
 
-      raise(Error, "Unexpected `alg` header value") if jws_header.alg != TrueLayerSigning.algorithm
+      validate_algorithm!(jws_header.alg)
 
       ordered_headers = jws_header.filter_headers(headers)
-      normalised_headers = {}
-      ordered_headers.to_a.each { |header| normalised_headers[header.first.downcase] = header.last }
+      normalised_headers = Utils.normalise_headers!(ordered_headers)
 
-      raise(Error, "Signature missing required header(s)") if required_headers &&
-        required_headers.any? { |key| !normalised_headers.has_key?(key.downcase) }
+      validate_required_headers!(normalised_headers)
 
       verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
     end
@@ -30,11 +31,13 @@ module TrueLayerSigning
     def require_header(name)
       @required_headers ||= []
       @required_headers.push(name)
+
       self
     end
 
     def require_headers(names)
       @required_headers = names
+
       self
     end
 
@@ -54,13 +57,15 @@ module TrueLayerSigning
       [jws_header, jws_header_b64, signature_b64]
     end
 
-    private def verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
+    private
+
+    def verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
       full_signature = build_full_signature(ordered_headers, jws_header_b64, signature_b64)
 
       begin
         verify_signature(jws_header, full_signature)
       rescue JWT::VerificationError
-        @path = path.end_with?("/") && path[0...-1] || path + "/"
+        @path = path.end_with?("/") ? path[0...-1] : "#{path}/"
         full_signature = build_full_signature(ordered_headers, jws_header_b64, signature_b64)
 
         begin
@@ -71,13 +76,13 @@ module TrueLayerSigning
       end
     end
 
-    private def build_full_signature(ordered_headers, jws_header_b64, signature_b64)
+    def build_full_signature(ordered_headers, jws_header_b64, signature_b64)
       payload_b64 = Base64.urlsafe_encode64(build_signing_payload(ordered_headers), padding: false)
 
       [jws_header_b64, payload_b64, signature_b64].join(".")
     end
 
-    private def verify_signature(jws_header, full_signature)
+    def verify_signature(jws_header, full_signature)
       case key_type
       when :pem
         public_key = OpenSSL::PKey.read(key_value)
@@ -85,11 +90,16 @@ module TrueLayerSigning
         public_key = retrieve_public_key(:jwks, key_value, jws_header)
       end
 
-      jwt_options = { algorithm: TrueLayerSigning.algorithm }
-      JWT.truelayer_decode(full_signature, public_key, true, jwt_options)
+      jwt_options = {
+        algorithm: TrueLayerSigning.algorithm,
+        verify_expiration: false,
+        verify_not_before: false
+      }
+
+      JWT.truelayer_decode(full_signature, public_key, jwt_options)
     end
 
-    private def retrieve_public_key(key_type, key_value, jws_header)
+    def retrieve_public_key(key_type, key_value, jws_header)
       case key_type
       when :pem
         OpenSSL::PKey.read(key_value)
@@ -107,21 +117,30 @@ module TrueLayerSigning
       end
     end
 
-    private def apply_zero_padding_as_needed(jwk)
+    def apply_zero_padding_as_needed(jwk)
       valid_jwk = jwk.clone
 
       %i(x y).each do |elem|
         coords = Base64.urlsafe_decode64(valid_jwk[elem])
-        length = coords.length
-        diff = EXPECTED_COORDS_LENGTH - length
+        diff = EXPECTED_EC_KEY_COORDS_LENGTH - coords.length
 
-        valid_jwk[elem] = Base64.urlsafe_encode64(("\x00" * diff) + coords) if diff > 0
+        valid_jwk[elem] = Base64.urlsafe_encode64(("\x00" * diff) + coords) if diff.positive?
       end
 
       valid_jwk
     end
 
-    private def ensure_verifier_config!
+    def validate_required_headers!(headers)
+      raise(Error, "Signature missing required header(s)") if required_headers&.any? do |key|
+        !headers.key?(key.downcase)
+      end
+    end
+
+    def validate_algorithm!(algorithm)
+      raise(Error, "Unexpected `alg` header value") if algorithm != TrueLayerSigning.algorithm
+    end
+
+    def ensure_verifier_config!
       raise(Error, "Key value missing") unless key_value
     end
   end

data/lib/truelayer-signing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "base64"
 require "forwardable"
 require "jwt"

data/test/resources/failed-payment-expired-test-payload.json

@@ -0,0 +1,12 @@
+{
+  "type": "payment_failed",
+  "event_version": 1,
+  "event_id": "6f00897f-f8c8-4ffb-93a3-cfbd311396e2",
+  "payment_id": "2c4db314-b509-4d68-b883-a34ca5fa7b72",
+  "payment_method": {
+    "type": "bank_transfer"
+  },
+  "failed_at": "2023-07-11T17:42:24.123Z",
+  "failure_stage": "authorization_required",
+  "failure_reason": "expired"
+}

data/test/test-truelayer-signing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "minitest/autorun"
 require "truelayer-signing"
 
@@ -5,12 +7,12 @@ def read_file(path)
   File.read(File.expand_path(path, File.dirname(__FILE__)))
 end
 
-CERTIFICATE_ID = "45fc75cf-5649-4134-84b3-192c2c78e990".freeze
-PRIVATE_KEY = read_file("../../test-resources/ec512-private.pem").freeze
-PUBLIC_KEY = read_file("../../test-resources/ec512-public.pem").freeze
+CERTIFICATE_ID = "45fc75cf-5649-4134-84b3-192c2c78e990"
+PRIVATE_KEY = read_file("../../test-resources/ec512-private.pem")
+PUBLIC_KEY = read_file("../../test-resources/ec512-public.pem")
 
-TrueLayerSigning.certificate_id = CERTIFICATE_ID.freeze
-TrueLayerSigning.private_key = PRIVATE_KEY.freeze
+TrueLayerSigning.certificate_id = CERTIFICATE_ID
+TrueLayerSigning.private_key = PRIVATE_KEY
 
 class TrueLayerSigningTest < Minitest::Test
   def test_full_request_signature_should_succeed
@@ -35,7 +37,7 @@ class TrueLayerSigningTest < Minitest::Test
       .verify(tl_signature)
 
     refute(result.first.include?("\nX-Whatever: aoitbeh\n"))
-    assert(result.first.include?("\nIdempotency-Key: " + idempotency_key + "\n"))
+    assert(result.first.include?("\nIdempotency-Key: #{idempotency_key}\n"))
     assert(result.first
       .start_with?("POST /merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping\n"))
   end
@@ -82,11 +84,11 @@ class TrueLayerSigningTest < Minitest::Test
   def test_mismatched_signature_with_attached_valid_body_should_fail
     # Signature for `/bar` but with a valid jws-body pre-attached.
     # If we run a simple jws verify on this unchanged, it'll work!
-    tl_signature = "eyJhbGciOiJFUzUxMiIsImtpZCI6IjQ1ZmM3NWNmLTU2ND" +
-      "ktndeZnC04NGIzLTE5MmMyYzc4ZTk5MCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGV" +
-      "hZGVycyI6IiJ9.UE9TVCAvYmFyCnt9.ARLa7Q5b8k5CIhfy1qrS-IkNqCDeE-VFRD" +
-      "z7Lb0fXUMOi_Ktck-R7BHDMXFDzbI5TyaxIo5TGHZV_cs0fg96dlSxAERp3UaN2oC" +
-      "QHIE5gQ4m5uU3ee69XfwwU_RpEIMFypycxwq1HOf4LzTLXqP_CDT8DdyX8oTwYdUB" +
+    tl_signature = "eyJhbGciOiJFUzUxMiIsImtpZCI6IjQ1ZmM3NWNmLTU2ND" \
+      "ktndeZnC04NGIzLTE5MmMyYzc4ZTk5MCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGV" \
+      "hZGVycyI6IiJ9.UE9TVCAvYmFyCnt9.ARLa7Q5b8k5CIhfy1qrS-IkNqCDeE-VFRD" \
+      "z7Lb0fXUMOi_Ktck-R7BHDMXFDzbI5TyaxIo5TGHZV_cs0fg96dlSxAERp3UaN2oC" \
+      "QHIE5gQ4m5uU3ee69XfwwU_RpEIMFypycxwq1HOf4LzTLXqP_CDT8DdyX8oTwYdUB" \
       "d2d3D17Wd9UA"
 
     verifier = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
@@ -101,11 +103,11 @@ class TrueLayerSigningTest < Minitest::Test
   def test_mismatched_signature_with_attached_valid_body_and_trailing_dots_should_fail
     # Signature for `/bar` but with a valid jws-body pre-attached.
     # If we run a simple jws verify on this unchanged, it'll work!
-    tl_signature = "eyJhbGciOiJFUzUxMiIsImtpZCI6IjQ1ZmM3NWNmLTU2ND" +
-      "ktndeZnC04NGIzLTE5MmMyYzc4ZTk5MCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGV" +
-      "hZGVycyI6IiJ9.UE9TVCAvYmFyCnt9.ARLa7Q5b8k5CIhfy1qrS-IkNqCDeE-VFRD" +
-      "z7Lb0fXUMOi_Ktck-R7BHDMXFDzbI5TyaxIo5TGHZV_cs0fg96dlSxAERp3UaN2oC" +
-      "QHIE5gQ4m5uU3ee69XfwwU_RpEIMFypycxwq1HOf4LzTLXqP_CDT8DdyX8oTwYdUB" +
+    tl_signature = "eyJhbGciOiJFUzUxMiIsImtpZCI6IjQ1ZmM3NWNmLTU2ND" \
+      "ktndeZnC04NGIzLTE5MmMyYzc4ZTk5MCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGV" \
+      "hZGVycyI6IiJ9.UE9TVCAvYmFyCnt9.ARLa7Q5b8k5CIhfy1qrS-IkNqCDeE-VFRD" \
+      "z7Lb0fXUMOi_Ktck-R7BHDMXFDzbI5TyaxIo5TGHZV_cs0fg96dlSxAERp3UaN2oC" \
+      "QHIE5gQ4m5uU3ee69XfwwU_RpEIMFypycxwq1HOf4LzTLXqP_CDT8DdyX8oTwYdUB" \
       "d2d3D17Wd9UA...."
 
     verifier = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
@@ -132,7 +134,7 @@ class TrueLayerSigningTest < Minitest::Test
       .verify(tl_signature)
 
     refute(result.first.include?("\nX-Whatever-2: t2345d\n"))
-    assert(result.first.include?("\nIdempotency-Key: " + idempotency_key + "\n"))
+    assert(result.first.include?("\nIdempotency-Key: #{idempotency_key}\n"))
     assert(result.first
       .start_with?("POST /merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping\n"))
   end
@@ -314,7 +316,7 @@ class TrueLayerSigningTest < Minitest::Test
       .set_body(body)
 
     error = assert_raises(TrueLayerSigning::Error) { verifier.verify(tl_signature) }
-    assert_equal("Missing header(s) declared in signature", error.message)
+    assert_equal("Missing header declared in signature: idempotency-key", error.message)
   end
 
   def test_full_request_signature_missing_required_header_should_fail
@@ -455,39 +457,61 @@ class TrueLayerSigningTest < Minitest::Test
     assert_equal("Signature verification failed", error.message)
   end
 
+  # This test reproduces an issue we had with an edge case
+  def test_verify_with_failed_payment_expired_webhook_should_succeed
+    path = "/tl-webhook"
+    payload = read_file("resources/failed-payment-expired-test-payload.json")
+    body = JSON.parse(payload).to_json
+
+    tl_signature = TrueLayerSigning.sign_with_pem
+      .set_method(:post)
+      .set_path(path)
+      .set_body(body)
+      .sign
+
+    result = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
+      .set_method(:post)
+      .set_path(path)
+      .set_body(body)
+      .verify(tl_signature)
+
+    assert(result.first.start_with?("POST /tl-webhook\n"))
+    assert(result.first.include?("\"failure_reason\":\"expired\""))
+  end
+
   def test_sign_with_pem_and_custom_jku_should_succeed
     body = { currency: "GBP", max_amount_in_minor: 50_000_00 }.to_json
     idempotency_key = "idemp-2076717c-9005-4811-a321-9e0787fa0382"
     path = "/merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping"
 
-    tl_signature_1 = TrueLayerSigning.sign_with_pem
+    tl_signature_a = TrueLayerSigning.sign_with_pem
       .set_path(path)
       .add_header("Idempotency-Key", idempotency_key)
       .set_body(body)
       .sign
 
-    jws_header_1 = TrueLayerSigning.extract_jws_header(tl_signature_1)
+    jws_header_a = TrueLayerSigning.extract_jws_header(tl_signature_a)
 
-    assert_nil(jws_header_1.jku)
+    assert_nil(jws_header_a.jku)
 
-    tl_signature_2 = TrueLayerSigning.sign_with_pem
+    tl_signature_b = TrueLayerSigning.sign_with_pem
       .set_path(path)
       .add_header("Idempotency-Key", idempotency_key)
       .set_body(body)
       .set_jku("https://webhooks.truelayer.com/.well-known/jwks")
       .sign
 
-    jws_header_2 = TrueLayerSigning.extract_jws_header(tl_signature_2)
+    jws_header_b = TrueLayerSigning.extract_jws_header(tl_signature_b)
 
-    assert_equal("https://webhooks.truelayer.com/.well-known/jwks", jws_header_2.jku)
+    assert_equal("https://webhooks.truelayer.com/.well-known/jwks", jws_header_b.jku)
   end
 
   # TODO: remove if/when we get rid of `lib/truelayer-signing/jwt.rb`
   def test_jwt_encode_and_decode_should_succeed
     payload_object = { currency: "GBP", max_amount_in_minor: 50_000_00 }
-    token_when_object = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW" +
+    token_when_object = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW" \
       "91bnRfaW5fbWlub3IiOjUwMDAwMDB9.SjbwZCqTl6G7LQNs_M6oQhwl3a9rbqO7p3cVncLtgZY"
-    token_when_json = "eyJhbGciOiJIUzI1NiJ9.IntcImN1cnJlbmN5XCI6XCJHQlBcIixcIm1h" +
+    token_when_json = "eyJhbGciOiJIUzI1NiJ9.IntcImN1cnJlbmN5XCI6XCJHQlBcIixcIm1h" \
       "eF9hbW91bnRfaW5fbWlub3JcIjo1MDAwMDAwfSI.rvCcgu-JevsNxbjUwJiFOuTd0hzVKvPK5RvGmaoDc7E"
 
     # succeeds with a hash object
@@ -508,7 +532,7 @@ class TrueLayerSigningTest < Minitest::Test
   # TODO: remove if/when we get rid of `lib/truelayer-signing/jwt.rb`
   def test_jwt_truelayer_encode_and_decode_when_given_json_should_succeed
     payload_json = { currency: "GBP", max_amount_in_minor: 50_000_00 }.to_json
-    token_when_json = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW9" +
+    token_when_json = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW9" \
       "1bnRfaW5fbWlub3IiOjUwMDAwMDB9.SjbwZCqTl6G7LQNs_M6oQhwl3a9rbqO7p3cVncLtgZY"
 
     assert_equal(token_when_json, JWT.truelayer_encode(payload_json, "12345", "HS256", {}))
@@ -527,7 +551,7 @@ class TrueLayerSigningTest < Minitest::Test
 
   # TODO: remove if/when we get rid of `lib/truelayer-signing/jwt.rb`
   def test_jwt_truelayer_decode_when_given_a_hash_should_succeed
-    token_when_object = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW" +
+    token_when_object = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW" \
       "91bnRfaW5fbWlub3IiOjUwMDAwMDB9.SjbwZCqTl6G7LQNs_M6oQhwl3a9rbqO7p3cVncLtgZY"
 
     assert_equal(

data/truelayer-signing.gemspec

@@ -1,8 +1,10 @@
-$LOAD_PATH.unshift(::File.join(::File.dirname(__FILE__), "lib"))
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), "lib"))
 
 Gem::Specification.new do |s|
   s.name = "truelayer-signing"
-  s.version = "0.2.0"
+  s.version = "0.2.2"
   s.summary = "Ruby gem to produce and verify TrueLayer API requests signatures"
   s.description = "TrueLayer provides instant access to open banking to " \
     "easily integrate next-generation payments and financial data into any app." \
@@ -14,12 +16,21 @@ Gem::Specification.new do |s|
 
   s.metadata = {
     "bug_tracker_uri" => "https://github.com/TrueLayer/truelayer-signing/issues",
-    "changelog_uri" => "https://github.com/TrueLayer/truelayer-signing/blob/main/ruby/CHANGELOG.md",
+    "changelog_uri" => "https://github.com/TrueLayer/truelayer-signing/blob/main/ruby/CHANGELOG.md"
   }
 
-  s.files = Dir["./**/*"]
-  s.require_paths = ["lib"]
+  s.files = Dir[
+    "CHANGELOG.md",
+    "Gemfile",
+    "LICENSE*",
+    "README.md",
+    "Rakefile",
+    "lib/**/*.*",
+    "test/**/*.*",
+    "truelayer-signing.gemspec",
+  ]
+  s.require_path = "lib"
 
   s.required_ruby_version = ">= 2.7"
-  s.add_runtime_dependency("jwt",  "~> 2.7")
+  s.add_runtime_dependency("jwt", "~> 2.7")
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: truelayer-signing
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.2
 platform: ruby
 authors:
 - Kevin Plattret
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-06-13 00:00:00.000000000 Z
+date: 2023-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -32,30 +32,25 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- "./CHANGELOG.md"
-- "./LICENSE-APACHE"
-- "./LICENSE-MIT"
-- "./README.md"
-- "./Rakefile"
-- "./examples/sign-request/Gemfile"
-- "./examples/sign-request/README.md"
-- "./examples/sign-request/main.rb"
-- "./examples/webhook-server/Gemfile"
-- "./examples/webhook-server/Gemfile.lock"
-- "./examples/webhook-server/README.md"
-- "./examples/webhook-server/main.rb"
-- "./lib/truelayer-signing.rb"
-- "./lib/truelayer-signing/config.rb"
-- "./lib/truelayer-signing/errors.rb"
-- "./lib/truelayer-signing/jwt.rb"
-- "./lib/truelayer-signing/signer.rb"
-- "./lib/truelayer-signing/utils.rb"
-- "./lib/truelayer-signing/verifier.rb"
-- "./test/resources/missing-zero-padding-test-jwks.json"
-- "./test/resources/missing-zero-padding-test-payload.json"
-- "./test/resources/missing-zero-padding-test-signature.txt"
-- "./test/test-truelayer-signing.rb"
-- "./truelayer-signing.gemspec"
+- CHANGELOG.md
+- Gemfile
+- LICENSE-APACHE
+- LICENSE-MIT
+- README.md
+- Rakefile
+- lib/truelayer-signing.rb
+- lib/truelayer-signing/config.rb
+- lib/truelayer-signing/errors.rb
+- lib/truelayer-signing/jwt.rb
+- lib/truelayer-signing/signer.rb
+- lib/truelayer-signing/utils.rb
+- lib/truelayer-signing/verifier.rb
+- test/resources/failed-payment-expired-test-payload.json
+- test/resources/missing-zero-padding-test-jwks.json
+- test/resources/missing-zero-padding-test-payload.json
+- test/resources/missing-zero-padding-test-signature.txt
+- test/test-truelayer-signing.rb
+- truelayer-signing.gemspec
 homepage: https://github.com/TrueLayer/truelayer-signing/tree/main/ruby
 licenses:
 - Apache-2.0
@@ -63,7 +58,7 @@ licenses:
 metadata:
   bug_tracker_uri: https://github.com/TrueLayer/truelayer-signing/issues
   changelog_uri: https://github.com/TrueLayer/truelayer-signing/blob/main/ruby/CHANGELOG.md
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -78,8 +73,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.13
-signing_key:
+rubygems_version: 3.4.10
+signing_key: 
 specification_version: 4
 summary: Ruby gem to produce and verify TrueLayer API requests signatures
 test_files: []

data/examples/sign-request/Gemfile

@@ -1,4 +0,0 @@
-source "https://rubygems.org"
-
-gem "http"
-gem "truelayer-signing"

data/examples/sign-request/README.md

@@ -1,27 +0,0 @@
-# Ruby request signature example
-
-Sends a signed request to `https://api.truelayer-sandbox.com/test-signature`.
-
-## Run
-
-Set the following environment variables:
-
-* `TRUELAYER_SIGNING_ACCESS_TOKEN` – a valid JWT access token for the `payments` scope (see our
-    [docs](https://docs.truelayer.com/docs/retrieve-a-token-in-your-server)).
-* `TRUELAYER_SIGNING_CERTIFICATE_ID` – the certificate/key UUID associated with your public key
-    uploaded at [console.truelayer.com](https://console.truelayer.com).
-* `TRUELAYER_SIGNING_PRIVATE_KEY` – the private key PEM string that matches the certificate ID of the
-    uploaded public key. Should have the same format as [this example private
-    key](https://github.com/TrueLayer/truelayer-signing/blob/main/test-resources/ec512-private.pem).
-
-Install the required dependencies:
-
-```sh
-$ bundle
-```
-
-Execute the request-signing example script: 
-
-```sh
-$ ruby main.rb
-```

data/examples/sign-request/main.rb

@@ -1,46 +0,0 @@
-require "http"
-require "securerandom"
-require "truelayer-signing"
-
-class TrueLayerSigningExamples
-  # Set required environment variables
-  TRUELAYER_SIGNING_ACCESS_TOKEN = ENV.fetch("TRUELAYER_SIGNING_ACCESS_TOKEN", nil).freeze
-  TRUELAYER_SIGNING_BASE_URL = "https://api.truelayer-sandbox.com".freeze
-
-  raise(StandardError, "TRUELAYER_SIGNING_ACCESS_TOKEN is missing") \
-    if TRUELAYER_SIGNING_ACCESS_TOKEN.nil? || TRUELAYER_SIGNING_ACCESS_TOKEN.empty?
-
-  class << self
-    def test_signature_endpoint
-      url = "#{TRUELAYER_SIGNING_BASE_URL}/test-signature"
-      idempotency_key = SecureRandom.uuid
-
-      # A random body string is enough for this request as the `/test-signature` endpoint does not
-      # require any schema, it simply checks the signature is valid against what's received.
-      body = "body-#{SecureRandom.uuid}"
-
-      # Generate a `Tl-Signature`
-      signature = TrueLayerSigning.sign_with_pem
-        .set_method("POST")
-        .set_path("/test-signature")
-        # Optional: `/test-signature` does not require any headers, but we may sign some anyway.
-        # All signed headers *must* be included unmodified in the request.
-        .add_header("Idempotency-Key", idempotency_key)
-        .add_header("X-Bar-Header", "abc123")
-        .set_body(body)
-        .sign
-
-      response = HTTP.auth("Bearer #{TRUELAYER_SIGNING_ACCESS_TOKEN}")
-        .headers(idempotency_key: idempotency_key)
-        .headers(x_bar_header: "abc123")
-        .headers(tl_signature: signature)
-        .post(url, body: body)
-
-      return puts "✓ Signature is valid" if response.status.success?
-
-      puts JSON.pretty_generate(JSON.parse(response.to_s))
-    end
-  end
-end
-
-TrueLayerSigningExamples.test_signature_endpoint

data/examples/webhook-server/Gemfile

@@ -1,5 +0,0 @@
-source "https://rubygems.org"
-
-gem "http"
-gem "truelayer-signing"
-gem "webrick"

data/examples/webhook-server/Gemfile.lock

@@ -1,42 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.8.4)
-      public_suffix (>= 2.0.2, < 6.0)
-    domain_name (0.5.20190701)
-      unf (>= 0.0.5, < 1.0.0)
-    ffi (1.15.5)
-    ffi-compiler (1.0.1)
-      ffi (>= 1.0.0)
-      rake
-    http (5.1.1)
-      addressable (~> 2.8)
-      http-cookie (~> 1.0)
-      http-form_data (~> 2.2)
-      llhttp-ffi (~> 0.4.0)
-    http-cookie (1.0.5)
-      domain_name (~> 0.5)
-    http-form_data (2.3.0)
-    jwt (2.7.0)
-    llhttp-ffi (0.4.0)
-      ffi-compiler (~> 1.0)
-      rake (~> 13.0)
-    public_suffix (5.0.1)
-    rake (13.0.6)
-    truelayer-signing (0.2.0)
-      jwt (~> 2.7)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.8.2)
-    webrick (1.8.1)
-
-PLATFORMS
-  arm64-darwin-21
-
-DEPENDENCIES
-  http
-  truelayer-signing
-  webrick
-
-BUNDLED WITH
-   2.4.13

data/examples/webhook-server/README.md

@@ -1,30 +0,0 @@
-# Ruby webhook server example
-
-An HTTP server that can receive and verify signed TrueLayer webhooks.
-
-## Run
-
-Install the required dependencies:
-
-```sh
-$ bundle
-```
-
-Run the server locally:
-
-```sh
-$ ruby main.rb
-```
-
-Send a valid webhook that was signed for the path `/hook/d7a2c49d-110a-4ed2-a07d-8fdb3ea6424b`:
-
-```sh
-curl -iX POST -H "Content-Type: application/json" \
-    -H "X-Tl-Webhook-Timestamp: 2022-03-11T14:00:33Z" \
-    -H "Tl-Signature: eyJhbGciOiJFUzUxMiIsImtpZCI6IjFmYzBlNTlmLWIzMzUtNDdjYS05OWE5LTczNzQ5NTc1NmE1OCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGVhZGVycyI6IngtdGwtd2ViaG9vay10aW1lc3RhbXAiLCJqa3UiOiJodHRwczovL3dlYmhvb2tzLnRydWVsYXllci5jb20vLndlbGwta25vd24vandrcyJ9..AE_QsBRhnsMkcRzd42wvY1e2HruUhkOgjuZKktGH_WmbD7rBzoaEHUuF36IxyyvCbLajd3MBExNmzjbrOQsGaspwAI5DcGVMFLKUhB7ZzUlTP9up3eNUrdwWyyfBWDQb-qmEuLnrhFDJvgCXEqlV5OLrt-O7LaRAJ4f9KHsZLQ_j2vPC" \
-    -d "{\"event_type\":\"payout_settled\",\"event_schema_version\":1,\"event_id\":\"8fb9fb4e-bb2b-400b-af64-59e5dde74bad\",\"event_body\":{\"transaction_id\":\"c34c8721-66a9-49f6-a229-284efcf88a02\",\"settled_at\":\"2022-03-11T14:00:32.933000Z\"}}" \
-    http://localhost:4567/hook/d7a2c49d-110a-4ed2-a07d-8fdb3ea6424b
-```
-
-Modifying the `X-Tl-Webhook-Timestamp` header, the body or the path of the request will cause the
-above signature to be invalid.

data/examples/webhook-server/main.rb

@@ -1,95 +0,0 @@
-require "http"
-require "truelayer-signing"
-require "webrick"
-
-class TrueLayerSigningExamples
-  # Note: the webhook path can be whatever is configured for your application.
-  # Here a unique path is used, matching the example signature in the README.
-  WEBHOOK_PATH = "/hook/d7a2c49d-110a-4ed2-a07d-8fdb3ea6424b".freeze
-
-  class << self
-    def run_webhook_server
-      server = WEBrick::HTTPServer.new(Port: 4567)
-
-      puts "Server running at http://localhost:4567"
-
-      server.mount_proc('/') do |req, res|
-        request = parse_request(req)
-        status, body = handle_request.call(request)
-        headers = { "Content-Type" => "text/plain" }
-
-        send_response(res, status, headers, body)
-      rescue => error
-        puts error
-      end
-
-      server.start
-    ensure
-      server.shutdown
-    end
-
-    private def parse_request(request)
-      {
-        method: request.request_method,
-        path: request.path,
-        headers: headers_to_hash(request.header),
-        body: request.body
-      }
-    end
-
-    private def handle_request
-      Proc.new do |request|
-        if request[:method] == "POST" && request[:path] == WEBHOOK_PATH
-          verify_webhook(request[:path], request[:headers], request[:body])
-        else
-          ["403", "Forbidden"]
-        end
-      end
-    end
-
-    private def verify_webhook(path, headers, body)
-      tl_signature = headers["tl-signature"]
-
-      return ["400", "Bad Request – Header `Tl-Signature` missing"] unless tl_signature
-
-      jku = TrueLayerSigning.extract_jws_header(tl_signature).jku
-
-      return ["400", "Bad Request – Signature missing `jku`"] unless jku
-      return ["401", "Unauthorized – Unpermitted `jku`"] \
-        unless jku == "https://webhooks.truelayer.com/.well-known/jwks" ||
-          jku == "https://webhooks.truelayer-sandbox.com/.well-known/jwks"
-
-      jwks = HTTP.get(jku)
-
-      return ["401", "Unauthorized – Unavailable `jwks` resource"] unless jwks.status.success?
-
-      begin
-        TrueLayerSigning.verify_with_jwks(jwks.to_s)
-          .set_method(:post)
-          .set_path(path)
-          .set_headers(headers)
-          .set_body(body)
-          .verify(tl_signature)
-
-        ["202", "Accepted"]
-      rescue TrueLayerSigning::Error => error
-        puts error
-
-        ["401", "Unauthorized"]
-      end
-    end
-
-    private def headers_to_hash(headers)
-      headers.transform_keys { |key| key.to_s.strip.downcase }.transform_values(&:first)
-    end
-
-    private def send_response(response, status, headers, body)
-      response.status = status
-      response.header.merge!(headers)
-      response.body = body
-      response
-    end
-  end
-end
-
-TrueLayerSigningExamples.run_webhook_server