truelayer-signing 0.2.1 → 0.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 751c6c37cee7adedf204491894146d577e70b310d9cd50504c01c29836743271
-  data.tar.gz: d2b7de41a966d0e114dd368320f35578714a674da1d76121d500944f0c33596b
+  metadata.gz: 2bd92901150104b3d2212252852071a8c3a1ed2e0a8f48ce72cb934686931bb9
+  data.tar.gz: 6ca20861d24c36d2380e070ad9d2cc47d55614cdafbf3f0ba77505b64984ec7c
 SHA512:
-  metadata.gz: 88a7bc727e82df06eccb1992036730e49f6de45a6d38d6df7d2cf8d749441a8d1f5be031e59410e45778da20d84fac03bb07f7bf11103387893baebd4d86af2b
-  data.tar.gz: 249a44e6a94171f89f69f1e53aff377bee6ac6de33a3f2383a6c7f4ed94b517e216cd81da450caf1f363f21e1a8f60edcb6dfc71481af0c7fc70336d028ea0de
+  metadata.gz: b1b988b8a58ba51af8f6f4462e1de6871a0d79fa3d12bba9f7d12bb6ee6e14e22acc9c09268b11d622d2a6848f6ba070cc2704e6baa4b501dc89c59eb5870206
+  data.tar.gz: c4afccedb9a1f9b3676b1b69238ce0b9b4016fc883a947a44d9945f2c27944ba97373e4bd01c111cfc23ad5f4120c1075e12e4c25ed6714b1718576a6711dc62

data/CHANGELOG.md

@@ -9,6 +9,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - ...
 
+## [0.2.3] – 2024-07-29
+
+- Fix `Gemspec/AddRuntimeDependency` linter error
+- Pin minor version for `jwt 2.7.0`
+
+## [0.2.2] – 2023-12-07
+
+- Add code linter
+
 ## [0.2.1] – 2023-07-14
 
 - Disable expiration verification

data/Gemfile

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gem "rubocop", "~> 1.57", require: false

data/Rakefile

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "rake/testtask"
 
 Rake::TestTask.new do |t|

data/lib/truelayer-signing/config.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
   class Config
     attr_accessor :certificate_id, :private_key
@@ -12,10 +14,10 @@ module TrueLayerSigning
 
     # @return [TrueLayerSigning::Config]
     def initialize
-      @algorithm = "ES512".freeze
-      @certificate_id = ENV.fetch("TRUELAYER_SIGNING_CERTIFICATE_ID", nil).freeze
-      @private_key = ENV.fetch("TRUELAYER_SIGNING_PRIVATE_KEY", nil)&.gsub(/\\n/, "\n").freeze
-      @version = "2".freeze
+      @algorithm = "ES512"
+      @certificate_id = ENV.fetch("TRUELAYER_SIGNING_CERTIFICATE_ID", nil)
+      @private_key = ENV.fetch("TRUELAYER_SIGNING_PRIVATE_KEY", nil)&.gsub("\\n", "\n")
+      @version = "2"
     end
   end
 end

data/lib/truelayer-signing/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
   class Error < StandardError; end
 end

data/lib/truelayer-signing/jwt.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # TODO: this is a custom patch of payload-related methods, from the 'jwt' gem.
 # It prevents the payload from being systematically converted to and from JSON.
 # To be changed in the 'jwt' gem directly, or hard-coded in this library.
@@ -5,18 +7,22 @@ module JWT
   module_function
 
   class TrueLayerEncode < Encode
+    private
+
     # See https://github.com/jwt/ruby-jwt/blob/main/lib/jwt/encode.rb#L53-L55
-    private def encode_payload
+    def encode_payload
       ::JWT::Base64.url_encode(@payload)
     end
   end
 
   class TrueLayerDecode < Decode
+    private
+
     # See https://github.com/jwt/ruby-jwt/blob/main/lib/jwt/decode.rb#L154-L156
-    private def payload
+    def payload
       @payload ||= ::JWT::Base64.url_decode(@segments[1])
     rescue ::JSON::ParserError
-      raise JWT::DecodeError, 'Invalid segment encoding'
+      raise JWT::DecodeError, "Invalid segment encoding"
     end
   end
 
@@ -29,6 +35,7 @@ module JWT
     ).segments
   end
 
+  # rubocop:disable Style/OptionalArguments, Style/OptionalBooleanParameter
   def truelayer_decode(jwt, key, verify = true, options, &keyfinder)
     TrueLayerDecode.new(
       jwt,
@@ -38,4 +45,5 @@ module JWT
       &keyfinder
     ).decode_segments
   end
+  # rubocop:enable Style/OptionalArguments, Style/OptionalBooleanParameter
 end

data/lib/truelayer-signing/signer.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
   class Signer < JwsBase
     attr_reader :jws_jku
@@ -6,13 +8,13 @@ module TrueLayerSigning
       ensure_signer_config!
 
       private_key = OpenSSL::PKey.read(TrueLayerSigning.private_key)
-      jws_header_args = { tl_headers: headers }
-
-      jws_header_args[:jku] = jws_jku if jws_jku
-
-      jws_header = TrueLayerSigning::JwsHeader.new(jws_header_args).to_h
-      jwt = JWT.truelayer_encode(build_signing_payload, private_key, TrueLayerSigning.algorithm,
-        jws_header)
+      jws_header = generate_jws_header!
+      jwt = JWT.truelayer_encode(
+        build_signing_payload,
+        private_key,
+        TrueLayerSigning.algorithm,
+        jws_header
+      )
       header, _, signature = jwt.split(".")
 
       "#{header}..#{signature}"
@@ -24,13 +26,20 @@ module TrueLayerSigning
       self
     end
 
-    private def ensure_signer_config!
+    private
+
+    def generate_jws_header!
+      jws_header_args = { tl_headers: headers }
+      jws_header_args[:jku] = jws_jku if jws_jku
+
+      TrueLayerSigning::JwsHeader.new(jws_header_args).to_h
+    end
+
+    def ensure_signer_config!
       raise(Error, "TRUELAYER_SIGNING_CERTIFICATE_ID missing") \
-        if TrueLayerSigning.certificate_id.nil? ||
-          TrueLayerSigning.certificate_id.empty?
+        if TrueLayerSigning.certificate_id.nil? || TrueLayerSigning.certificate_id.empty?
       raise(Error, "TRUELAYER_SIGNING_PRIVATE_KEY missing") \
-        if TrueLayerSigning.private_key.nil? ||
-          TrueLayerSigning.private_key.empty?
+        if TrueLayerSigning.private_key.nil? || TrueLayerSigning.private_key.empty?
       raise(Error, "Request path missing") unless path
       raise(Error, "Request body missing") unless body
     end

data/lib/truelayer-signing/utils.rb

@@ -1,11 +1,22 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
+  class Utils
+    def self.normalise_headers!(headers)
+      normalised_headers = {}
+
+      headers.to_a.each { |header| normalised_headers[header.first.downcase] = header.last }
+
+      normalised_headers
+    end
+  end
+
   class JwsHeader
     attr_reader :alg, :kid, :tl_version, :tl_headers, :jku
 
     def initialize(args = {})
       raise(Error, "TRUELAYER_SIGNING_CERTIFICATE_ID is missing") \
-        if TrueLayerSigning.certificate_id.nil? ||
-          TrueLayerSigning.certificate_id.empty?
+        if TrueLayerSigning.certificate_id.nil? || TrueLayerSigning.certificate_id.empty?
 
       @alg = args[:alg] || TrueLayerSigning.algorithm
       @kid = args[:kid] || TrueLayerSigning.certificate_id
@@ -15,37 +26,40 @@ module TrueLayerSigning
     end
 
     def to_h
-      hash = instance_variables.map { |var| [var[1..-1].to_sym, instance_variable_get(var)] }.to_h
+      hash = instance_variables.to_h { |var| [var[1..].to_sym, instance_variable_get(var)] }
 
       hash.reject { |key, _value| hash[key].nil? }
     end
 
     def filter_headers(headers)
-      required_header_keys = tl_headers.split(",").reject { |key| key.empty? }
-      normalised_headers = {}
+      required_header_keys = tl_headers.split(",").reject(&:empty?)
+      normalised_headers = Utils.normalise_headers!(headers)
+      ordered_headers = validate_declared_headers!(required_header_keys, normalised_headers)
 
-      headers.to_a.each { |header| normalised_headers[header.first.downcase] = header.last }
+      ordered_headers.to_h
+    end
+
+    private
 
-      ordered_headers = required_header_keys.map do |key|
+    def validate_declared_headers!(required_header_keys, normalised_headers)
+      required_header_keys.map do |key|
         value = normalised_headers[key.downcase]
 
         raise(Error, "Missing header declared in signature: #{key.downcase}") unless value
 
         [key, value]
       end
-
-      ordered_headers.to_h
     end
 
-    private def retrieve_headers(tl_headers)
-      tl_headers && tl_headers.is_a?(Hash) && tl_headers.keys.join(",") || tl_headers || ""
+    def retrieve_headers(tl_headers)
+      (tl_headers.is_a?(Hash) && tl_headers.keys.join(",")) || tl_headers || ""
     end
   end
 
   class JwsBase
     attr_reader :method, :path, :headers, :body
 
-    def initialize(args = {})
+    def initialize(_args = {})
       @method = "POST"
       @headers = {}
     end
@@ -82,15 +96,17 @@ module TrueLayerSigning
       self
     end
 
-    private def build_signing_payload(custom_headers = nil)
+    private
+
+    def build_signing_payload(custom_headers = nil)
       parts = []
       parts.push("#{method.upcase} #{path}")
-      parts.push(custom_headers && format_headers(custom_headers) || format_headers(headers))
+      parts.push((custom_headers && format_headers(custom_headers)) || format_headers(headers))
       parts.push(body)
       parts.reject { |elem| elem.nil? || elem.empty? }.join("\n")
     end
 
-    private def format_headers(headers)
+    def format_headers(headers)
       headers.map { |key, value| "#{key}: #{value}" }.join("\n")
     end
   end

data/lib/truelayer-signing/verifier.rb

@@ -1,6 +1,8 @@
+# frozen_string_literal: true
+
 module TrueLayerSigning
   class Verifier < JwsBase
-    EXPECTED_EC_KEY_COORDS_LENGTH = 66.freeze
+    EXPECTED_EC_KEY_COORDS_LENGTH = 66
 
     attr_reader :required_headers, :key_type, :key_value
 
@@ -16,15 +18,12 @@ module TrueLayerSigning
 
       jws_header, jws_header_b64, signature_b64 = self.class.parse_tl_signature(tl_signature)
 
-      raise(Error, "Unexpected `alg` header value") if jws_header.alg != TrueLayerSigning.algorithm
+      validate_algorithm!(jws_header.alg)
 
       ordered_headers = jws_header.filter_headers(headers)
-      normalised_headers = {}
-
-      ordered_headers.to_a.each { |header| normalised_headers[header.first.downcase] = header.last }
+      normalised_headers = Utils.normalise_headers!(ordered_headers)
 
-      raise(Error, "Signature missing required header(s)") if required_headers &&
-        required_headers.any? { |key| !normalised_headers.has_key?(key.downcase) }
+      validate_required_headers!(normalised_headers)
 
       verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
     end
@@ -58,13 +57,15 @@ module TrueLayerSigning
       [jws_header, jws_header_b64, signature_b64]
     end
 
-    private def verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
+    private
+
+    def verify_signature_flex(ordered_headers, jws_header, jws_header_b64, signature_b64)
       full_signature = build_full_signature(ordered_headers, jws_header_b64, signature_b64)
 
       begin
         verify_signature(jws_header, full_signature)
       rescue JWT::VerificationError
-        @path = path.end_with?("/") && path[0...-1] || path + "/"
+        @path = path.end_with?("/") ? path[0...-1] : "#{path}/"
         full_signature = build_full_signature(ordered_headers, jws_header_b64, signature_b64)
 
         begin
@@ -75,13 +76,13 @@ module TrueLayerSigning
       end
     end
 
-    private def build_full_signature(ordered_headers, jws_header_b64, signature_b64)
+    def build_full_signature(ordered_headers, jws_header_b64, signature_b64)
       payload_b64 = Base64.urlsafe_encode64(build_signing_payload(ordered_headers), padding: false)
 
       [jws_header_b64, payload_b64, signature_b64].join(".")
     end
 
-    private def verify_signature(jws_header, full_signature)
+    def verify_signature(jws_header, full_signature)
       case key_type
       when :pem
         public_key = OpenSSL::PKey.read(key_value)
@@ -98,7 +99,7 @@ module TrueLayerSigning
       JWT.truelayer_decode(full_signature, public_key, jwt_options)
     end
 
-    private def retrieve_public_key(key_type, key_value, jws_header)
+    def retrieve_public_key(key_type, key_value, jws_header)
       case key_type
       when :pem
         OpenSSL::PKey.read(key_value)
@@ -116,20 +117,30 @@ module TrueLayerSigning
       end
     end
 
-    private def apply_zero_padding_as_needed(jwk)
+    def apply_zero_padding_as_needed(jwk)
       valid_jwk = jwk.clone
 
       %i(x y).each do |elem|
         coords = Base64.urlsafe_decode64(valid_jwk[elem])
         diff = EXPECTED_EC_KEY_COORDS_LENGTH - coords.length
 
-        valid_jwk[elem] = Base64.urlsafe_encode64(("\x00" * diff) + coords) if diff > 0
+        valid_jwk[elem] = Base64.urlsafe_encode64(("\x00" * diff) + coords) if diff.positive?
       end
 
       valid_jwk
     end
 
-    private def ensure_verifier_config!
+    def validate_required_headers!(headers)
+      raise(Error, "Signature missing required header(s)") if required_headers&.any? do |key|
+        !headers.key?(key.downcase)
+      end
+    end
+
+    def validate_algorithm!(algorithm)
+      raise(Error, "Unexpected `alg` header value") if algorithm != TrueLayerSigning.algorithm
+    end
+
+    def ensure_verifier_config!
       raise(Error, "Key value missing") unless key_value
     end
   end

data/lib/truelayer-signing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "base64"
 require "forwardable"
 require "jwt"

data/test/test-truelayer-signing.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require "minitest/autorun"
 require "truelayer-signing"
 
@@ -5,12 +7,12 @@ def read_file(path)
   File.read(File.expand_path(path, File.dirname(__FILE__)))
 end
 
-CERTIFICATE_ID = "45fc75cf-5649-4134-84b3-192c2c78e990".freeze
-PRIVATE_KEY = read_file("../../test-resources/ec512-private.pem").freeze
-PUBLIC_KEY = read_file("../../test-resources/ec512-public.pem").freeze
+CERTIFICATE_ID = "45fc75cf-5649-4134-84b3-192c2c78e990"
+PRIVATE_KEY = read_file("../../test-resources/ec512-private.pem")
+PUBLIC_KEY = read_file("../../test-resources/ec512-public.pem")
 
-TrueLayerSigning.certificate_id = CERTIFICATE_ID.freeze
-TrueLayerSigning.private_key = PRIVATE_KEY.freeze
+TrueLayerSigning.certificate_id = CERTIFICATE_ID
+TrueLayerSigning.private_key = PRIVATE_KEY
 
 class TrueLayerSigningTest < Minitest::Test
   def test_full_request_signature_should_succeed
@@ -35,7 +37,7 @@ class TrueLayerSigningTest < Minitest::Test
       .verify(tl_signature)
 
     refute(result.first.include?("\nX-Whatever: aoitbeh\n"))
-    assert(result.first.include?("\nIdempotency-Key: " + idempotency_key + "\n"))
+    assert(result.first.include?("\nIdempotency-Key: #{idempotency_key}\n"))
     assert(result.first
       .start_with?("POST /merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping\n"))
   end
@@ -82,11 +84,11 @@ class TrueLayerSigningTest < Minitest::Test
   def test_mismatched_signature_with_attached_valid_body_should_fail
     # Signature for `/bar` but with a valid jws-body pre-attached.
     # If we run a simple jws verify on this unchanged, it'll work!
-    tl_signature = "eyJhbGciOiJFUzUxMiIsImtpZCI6IjQ1ZmM3NWNmLTU2ND" +
-      "ktndeZnC04NGIzLTE5MmMyYzc4ZTk5MCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGV" +
-      "hZGVycyI6IiJ9.UE9TVCAvYmFyCnt9.ARLa7Q5b8k5CIhfy1qrS-IkNqCDeE-VFRD" +
-      "z7Lb0fXUMOi_Ktck-R7BHDMXFDzbI5TyaxIo5TGHZV_cs0fg96dlSxAERp3UaN2oC" +
-      "QHIE5gQ4m5uU3ee69XfwwU_RpEIMFypycxwq1HOf4LzTLXqP_CDT8DdyX8oTwYdUB" +
+    tl_signature = "eyJhbGciOiJFUzUxMiIsImtpZCI6IjQ1ZmM3NWNmLTU2ND" \
+      "ktndeZnC04NGIzLTE5MmMyYzc4ZTk5MCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGV" \
+      "hZGVycyI6IiJ9.UE9TVCAvYmFyCnt9.ARLa7Q5b8k5CIhfy1qrS-IkNqCDeE-VFRD" \
+      "z7Lb0fXUMOi_Ktck-R7BHDMXFDzbI5TyaxIo5TGHZV_cs0fg96dlSxAERp3UaN2oC" \
+      "QHIE5gQ4m5uU3ee69XfwwU_RpEIMFypycxwq1HOf4LzTLXqP_CDT8DdyX8oTwYdUB" \
       "d2d3D17Wd9UA"
 
     verifier = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
@@ -101,11 +103,11 @@ class TrueLayerSigningTest < Minitest::Test
   def test_mismatched_signature_with_attached_valid_body_and_trailing_dots_should_fail
     # Signature for `/bar` but with a valid jws-body pre-attached.
     # If we run a simple jws verify on this unchanged, it'll work!
-    tl_signature = "eyJhbGciOiJFUzUxMiIsImtpZCI6IjQ1ZmM3NWNmLTU2ND" +
-      "ktndeZnC04NGIzLTE5MmMyYzc4ZTk5MCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGV" +
-      "hZGVycyI6IiJ9.UE9TVCAvYmFyCnt9.ARLa7Q5b8k5CIhfy1qrS-IkNqCDeE-VFRD" +
-      "z7Lb0fXUMOi_Ktck-R7BHDMXFDzbI5TyaxIo5TGHZV_cs0fg96dlSxAERp3UaN2oC" +
-      "QHIE5gQ4m5uU3ee69XfwwU_RpEIMFypycxwq1HOf4LzTLXqP_CDT8DdyX8oTwYdUB" +
+    tl_signature = "eyJhbGciOiJFUzUxMiIsImtpZCI6IjQ1ZmM3NWNmLTU2ND" \
+      "ktndeZnC04NGIzLTE5MmMyYzc4ZTk5MCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGV" \
+      "hZGVycyI6IiJ9.UE9TVCAvYmFyCnt9.ARLa7Q5b8k5CIhfy1qrS-IkNqCDeE-VFRD" \
+      "z7Lb0fXUMOi_Ktck-R7BHDMXFDzbI5TyaxIo5TGHZV_cs0fg96dlSxAERp3UaN2oC" \
+      "QHIE5gQ4m5uU3ee69XfwwU_RpEIMFypycxwq1HOf4LzTLXqP_CDT8DdyX8oTwYdUB" \
       "d2d3D17Wd9UA...."
 
     verifier = TrueLayerSigning.verify_with_pem(PUBLIC_KEY)
@@ -132,7 +134,7 @@ class TrueLayerSigningTest < Minitest::Test
       .verify(tl_signature)
 
     refute(result.first.include?("\nX-Whatever-2: t2345d\n"))
-    assert(result.first.include?("\nIdempotency-Key: " + idempotency_key + "\n"))
+    assert(result.first.include?("\nIdempotency-Key: #{idempotency_key}\n"))
     assert(result.first
       .start_with?("POST /merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping\n"))
   end
@@ -482,34 +484,34 @@ class TrueLayerSigningTest < Minitest::Test
     idempotency_key = "idemp-2076717c-9005-4811-a321-9e0787fa0382"
     path = "/merchant_accounts/a61acaef-ee05-4077-92f3-25543a11bd8d/sweeping"
 
-    tl_signature_1 = TrueLayerSigning.sign_with_pem
+    tl_signature_a = TrueLayerSigning.sign_with_pem
       .set_path(path)
       .add_header("Idempotency-Key", idempotency_key)
       .set_body(body)
       .sign
 
-    jws_header_1 = TrueLayerSigning.extract_jws_header(tl_signature_1)
+    jws_header_a = TrueLayerSigning.extract_jws_header(tl_signature_a)
 
-    assert_nil(jws_header_1.jku)
+    assert_nil(jws_header_a.jku)
 
-    tl_signature_2 = TrueLayerSigning.sign_with_pem
+    tl_signature_b = TrueLayerSigning.sign_with_pem
       .set_path(path)
       .add_header("Idempotency-Key", idempotency_key)
       .set_body(body)
       .set_jku("https://webhooks.truelayer.com/.well-known/jwks")
       .sign
 
-    jws_header_2 = TrueLayerSigning.extract_jws_header(tl_signature_2)
+    jws_header_b = TrueLayerSigning.extract_jws_header(tl_signature_b)
 
-    assert_equal("https://webhooks.truelayer.com/.well-known/jwks", jws_header_2.jku)
+    assert_equal("https://webhooks.truelayer.com/.well-known/jwks", jws_header_b.jku)
   end
 
   # TODO: remove if/when we get rid of `lib/truelayer-signing/jwt.rb`
   def test_jwt_encode_and_decode_should_succeed
     payload_object = { currency: "GBP", max_amount_in_minor: 50_000_00 }
-    token_when_object = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW" +
+    token_when_object = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW" \
       "91bnRfaW5fbWlub3IiOjUwMDAwMDB9.SjbwZCqTl6G7LQNs_M6oQhwl3a9rbqO7p3cVncLtgZY"
-    token_when_json = "eyJhbGciOiJIUzI1NiJ9.IntcImN1cnJlbmN5XCI6XCJHQlBcIixcIm1h" +
+    token_when_json = "eyJhbGciOiJIUzI1NiJ9.IntcImN1cnJlbmN5XCI6XCJHQlBcIixcIm1h" \
       "eF9hbW91bnRfaW5fbWlub3JcIjo1MDAwMDAwfSI.rvCcgu-JevsNxbjUwJiFOuTd0hzVKvPK5RvGmaoDc7E"
 
     # succeeds with a hash object
@@ -530,7 +532,7 @@ class TrueLayerSigningTest < Minitest::Test
   # TODO: remove if/when we get rid of `lib/truelayer-signing/jwt.rb`
   def test_jwt_truelayer_encode_and_decode_when_given_json_should_succeed
     payload_json = { currency: "GBP", max_amount_in_minor: 50_000_00 }.to_json
-    token_when_json = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW9" +
+    token_when_json = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW9" \
       "1bnRfaW5fbWlub3IiOjUwMDAwMDB9.SjbwZCqTl6G7LQNs_M6oQhwl3a9rbqO7p3cVncLtgZY"
 
     assert_equal(token_when_json, JWT.truelayer_encode(payload_json, "12345", "HS256", {}))
@@ -549,7 +551,7 @@ class TrueLayerSigningTest < Minitest::Test
 
   # TODO: remove if/when we get rid of `lib/truelayer-signing/jwt.rb`
   def test_jwt_truelayer_decode_when_given_a_hash_should_succeed
-    token_when_object = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW" +
+    token_when_object = "eyJhbGciOiJIUzI1NiJ9.eyJjdXJyZW5jeSI6IkdCUCIsIm1heF9hbW" \
       "91bnRfaW5fbWlub3IiOjUwMDAwMDB9.SjbwZCqTl6G7LQNs_M6oQhwl3a9rbqO7p3cVncLtgZY"
 
     assert_equal(

data/truelayer-signing.gemspec

@@ -1,8 +1,10 @@
-$LOAD_PATH.unshift(::File.join(::File.dirname(__FILE__), "lib"))
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), "lib"))
 
 Gem::Specification.new do |s|
   s.name = "truelayer-signing"
-  s.version = "0.2.1"
+  s.version = "0.2.3"
   s.summary = "Ruby gem to produce and verify TrueLayer API requests signatures"
   s.description = "TrueLayer provides instant access to open banking to " \
     "easily integrate next-generation payments and financial data into any app." \
@@ -14,12 +16,21 @@ Gem::Specification.new do |s|
 
   s.metadata = {
     "bug_tracker_uri" => "https://github.com/TrueLayer/truelayer-signing/issues",
-    "changelog_uri" => "https://github.com/TrueLayer/truelayer-signing/blob/main/ruby/CHANGELOG.md",
+    "changelog_uri" => "https://github.com/TrueLayer/truelayer-signing/blob/main/ruby/CHANGELOG.md"
   }
 
-  s.files = Dir["./**/*"]
-  s.require_paths = ["lib"]
+  s.files = Dir[
+    "CHANGELOG.md",
+    "Gemfile",
+    "LICENSE*",
+    "README.md",
+    "Rakefile",
+    "lib/**/*.*",
+    "test/**/*.*",
+    "truelayer-signing.gemspec",
+  ]
+  s.require_path = "lib"
 
   s.required_ruby_version = ">= 2.7"
-  s.add_runtime_dependency("jwt",  "~> 2.7")
+  s.add_dependency("jwt", "~> 2.7.0")
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: truelayer-signing
 version: !ruby/object:Gem::Version
-  version: 0.2.1
+  version: 0.2.3
 platform: ruby
 authors:
 - Kevin Plattret
-autorequire:
+autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-07-14 00:00:00.000000000 Z
+date: 2024-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.7'
+        version: 2.7.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.7'
+        version: 2.7.0
 description: TrueLayer provides instant access to open banking to easily integrate
   next-generation payments and financial data into any app.This helps easily sign
   TrueLayer API requests using a JSON web signature.
@@ -32,31 +32,25 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
-- "./CHANGELOG.md"
-- "./LICENSE-APACHE"
-- "./LICENSE-MIT"
-- "./README.md"
-- "./Rakefile"
-- "./examples/sign-request/Gemfile"
-- "./examples/sign-request/README.md"
-- "./examples/sign-request/main.rb"
-- "./examples/webhook-server/Gemfile"
-- "./examples/webhook-server/Gemfile.lock"
-- "./examples/webhook-server/README.md"
-- "./examples/webhook-server/main.rb"
-- "./lib/truelayer-signing.rb"
-- "./lib/truelayer-signing/config.rb"
-- "./lib/truelayer-signing/errors.rb"
-- "./lib/truelayer-signing/jwt.rb"
-- "./lib/truelayer-signing/signer.rb"
-- "./lib/truelayer-signing/utils.rb"
-- "./lib/truelayer-signing/verifier.rb"
-- "./test/resources/failed-payment-expired-test-payload.json"
-- "./test/resources/missing-zero-padding-test-jwks.json"
-- "./test/resources/missing-zero-padding-test-payload.json"
-- "./test/resources/missing-zero-padding-test-signature.txt"
-- "./test/test-truelayer-signing.rb"
-- "./truelayer-signing.gemspec"
+- CHANGELOG.md
+- Gemfile
+- LICENSE-APACHE
+- LICENSE-MIT
+- README.md
+- Rakefile
+- lib/truelayer-signing.rb
+- lib/truelayer-signing/config.rb
+- lib/truelayer-signing/errors.rb
+- lib/truelayer-signing/jwt.rb
+- lib/truelayer-signing/signer.rb
+- lib/truelayer-signing/utils.rb
+- lib/truelayer-signing/verifier.rb
+- test/resources/failed-payment-expired-test-payload.json
+- test/resources/missing-zero-padding-test-jwks.json
+- test/resources/missing-zero-padding-test-payload.json
+- test/resources/missing-zero-padding-test-signature.txt
+- test/test-truelayer-signing.rb
+- truelayer-signing.gemspec
 homepage: https://github.com/TrueLayer/truelayer-signing/tree/main/ruby
 licenses:
 - Apache-2.0
@@ -64,7 +58,7 @@ licenses:
 metadata:
   bug_tracker_uri: https://github.com/TrueLayer/truelayer-signing/issues
   changelog_uri: https://github.com/TrueLayer/truelayer-signing/blob/main/ruby/CHANGELOG.md
-post_install_message:
+post_install_message: 
 rdoc_options: []
 require_paths:
 - lib
@@ -79,8 +73,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.13
-signing_key:
+rubygems_version: 3.5.11
+signing_key: 
 specification_version: 4
 summary: Ruby gem to produce and verify TrueLayer API requests signatures
 test_files: []

data/examples/sign-request/Gemfile

@@ -1,4 +0,0 @@
-source "https://rubygems.org"
-
-gem "http"
-gem "truelayer-signing"

data/examples/sign-request/README.md

@@ -1,27 +0,0 @@
-# Ruby request signature example
-
-Sends a signed request to `https://api.truelayer-sandbox.com/test-signature`.
-
-## Run
-
-Set the following environment variables:
-
-* `TRUELAYER_SIGNING_ACCESS_TOKEN` – a valid JWT access token for the `payments` scope (see our
-    [docs](https://docs.truelayer.com/docs/retrieve-a-token-in-your-server)).
-* `TRUELAYER_SIGNING_CERTIFICATE_ID` – the certificate/key UUID associated with your public key
-    uploaded at [console.truelayer.com](https://console.truelayer.com).
-* `TRUELAYER_SIGNING_PRIVATE_KEY` – the private key PEM string that matches the certificate ID of the
-    uploaded public key. Should have the same format as [this example private
-    key](https://github.com/TrueLayer/truelayer-signing/blob/main/test-resources/ec512-private.pem).
-
-Install the required dependencies:
-
-```sh
-$ bundle
-```
-
-Execute the request-signing example script: 
-
-```sh
-$ ruby main.rb
-```

data/examples/sign-request/main.rb

@@ -1,46 +0,0 @@
-require "http"
-require "securerandom"
-require "truelayer-signing"
-
-class TrueLayerSigningExamples
-  # Set required environment variables
-  TRUELAYER_SIGNING_ACCESS_TOKEN = ENV.fetch("TRUELAYER_SIGNING_ACCESS_TOKEN", nil).freeze
-  TRUELAYER_SIGNING_BASE_URL = "https://api.truelayer-sandbox.com".freeze
-
-  raise(StandardError, "TRUELAYER_SIGNING_ACCESS_TOKEN is missing") \
-    if TRUELAYER_SIGNING_ACCESS_TOKEN.nil? || TRUELAYER_SIGNING_ACCESS_TOKEN.empty?
-
-  class << self
-    def test_signature_endpoint
-      url = "#{TRUELAYER_SIGNING_BASE_URL}/test-signature"
-      idempotency_key = SecureRandom.uuid
-
-      # A random body string is enough for this request as the `/test-signature` endpoint does not
-      # require any schema, it simply checks the signature is valid against what's received.
-      body = "body-#{SecureRandom.uuid}"
-
-      # Generate a `Tl-Signature`
-      signature = TrueLayerSigning.sign_with_pem
-        .set_method("POST")
-        .set_path("/test-signature")
-        # Optional: `/test-signature` does not require any headers, but we may sign some anyway.
-        # All signed headers *must* be included unmodified in the request.
-        .add_header("Idempotency-Key", idempotency_key)
-        .add_header("X-Bar-Header", "abc123")
-        .set_body(body)
-        .sign
-
-      response = HTTP.auth("Bearer #{TRUELAYER_SIGNING_ACCESS_TOKEN}")
-        .headers(idempotency_key: idempotency_key)
-        .headers(x_bar_header: "abc123")
-        .headers(tl_signature: signature)
-        .post(url, body: body)
-
-      return puts "✓ Signature is valid" if response.status.success?
-
-      puts JSON.pretty_generate(JSON.parse(response.to_s))
-    end
-  end
-end
-
-TrueLayerSigningExamples.test_signature_endpoint

data/examples/webhook-server/Gemfile

@@ -1,5 +0,0 @@
-source "https://rubygems.org"
-
-gem "http"
-gem "truelayer-signing"
-gem "webrick"

data/examples/webhook-server/Gemfile.lock

@@ -1,42 +0,0 @@
-GEM
-  remote: https://rubygems.org/
-  specs:
-    addressable (2.8.4)
-      public_suffix (>= 2.0.2, < 6.0)
-    domain_name (0.5.20190701)
-      unf (>= 0.0.5, < 1.0.0)
-    ffi (1.15.5)
-    ffi-compiler (1.0.1)
-      ffi (>= 1.0.0)
-      rake
-    http (5.1.1)
-      addressable (~> 2.8)
-      http-cookie (~> 1.0)
-      http-form_data (~> 2.2)
-      llhttp-ffi (~> 0.4.0)
-    http-cookie (1.0.5)
-      domain_name (~> 0.5)
-    http-form_data (2.3.0)
-    jwt (2.7.0)
-    llhttp-ffi (0.4.0)
-      ffi-compiler (~> 1.0)
-      rake (~> 13.0)
-    public_suffix (5.0.1)
-    rake (13.0.6)
-    truelayer-signing (0.2.0)
-      jwt (~> 2.7)
-    unf (0.1.4)
-      unf_ext
-    unf_ext (0.0.8.2)
-    webrick (1.8.1)
-
-PLATFORMS
-  arm64-darwin-21
-
-DEPENDENCIES
-  http
-  truelayer-signing
-  webrick
-
-BUNDLED WITH
-   2.4.13

data/examples/webhook-server/README.md

@@ -1,30 +0,0 @@
-# Ruby webhook server example
-
-An HTTP server that can receive and verify signed TrueLayer webhooks.
-
-## Run
-
-Install the required dependencies:
-
-```sh
-$ bundle
-```
-
-Run the server locally:
-
-```sh
-$ ruby main.rb
-```
-
-Send a valid webhook that was signed for the path `/hook/d7a2c49d-110a-4ed2-a07d-8fdb3ea6424b`:
-
-```sh
-curl -iX POST -H "Content-Type: application/json" \
-    -H "X-Tl-Webhook-Timestamp: 2022-03-11T14:00:33Z" \
-    -H "Tl-Signature: eyJhbGciOiJFUzUxMiIsImtpZCI6IjFmYzBlNTlmLWIzMzUtNDdjYS05OWE5LTczNzQ5NTc1NmE1OCIsInRsX3ZlcnNpb24iOiIyIiwidGxfaGVhZGVycyI6IngtdGwtd2ViaG9vay10aW1lc3RhbXAiLCJqa3UiOiJodHRwczovL3dlYmhvb2tzLnRydWVsYXllci5jb20vLndlbGwta25vd24vandrcyJ9..AE_QsBRhnsMkcRzd42wvY1e2HruUhkOgjuZKktGH_WmbD7rBzoaEHUuF36IxyyvCbLajd3MBExNmzjbrOQsGaspwAI5DcGVMFLKUhB7ZzUlTP9up3eNUrdwWyyfBWDQb-qmEuLnrhFDJvgCXEqlV5OLrt-O7LaRAJ4f9KHsZLQ_j2vPC" \
-    -d "{\"event_type\":\"payout_settled\",\"event_schema_version\":1,\"event_id\":\"8fb9fb4e-bb2b-400b-af64-59e5dde74bad\",\"event_body\":{\"transaction_id\":\"c34c8721-66a9-49f6-a229-284efcf88a02\",\"settled_at\":\"2022-03-11T14:00:32.933000Z\"}}" \
-    http://localhost:4567/hook/d7a2c49d-110a-4ed2-a07d-8fdb3ea6424b
-```
-
-Modifying the `X-Tl-Webhook-Timestamp` header, the body or the path of the request will cause the
-above signature to be invalid.

data/examples/webhook-server/main.rb

@@ -1,95 +0,0 @@
-require "http"
-require "truelayer-signing"
-require "webrick"
-
-class TrueLayerSigningExamples
-  # Note: the webhook path can be whatever is configured for your application.
-  # Here a unique path is used, matching the example signature in the README.
-  WEBHOOK_PATH = "/hook/d7a2c49d-110a-4ed2-a07d-8fdb3ea6424b".freeze
-
-  class << self
-    def run_webhook_server
-      server = WEBrick::HTTPServer.new(Port: 4567)
-
-      puts "Server running at http://localhost:4567"
-
-      server.mount_proc('/') do |req, res|
-        request = parse_request(req)
-        status, body = handle_request.call(request)
-        headers = { "Content-Type" => "text/plain" }
-
-        send_response(res, status, headers, body)
-      rescue => error
-        puts error
-      end
-
-      server.start
-    ensure
-      server.shutdown
-    end
-
-    private def parse_request(request)
-      {
-        method: request.request_method,
-        path: request.path,
-        headers: headers_to_hash(request.header),
-        body: request.body
-      }
-    end
-
-    private def handle_request
-      Proc.new do |request|
-        if request[:method] == "POST" && request[:path] == WEBHOOK_PATH
-          verify_webhook(request[:path], request[:headers], request[:body])
-        else
-          ["403", "Forbidden"]
-        end
-      end
-    end
-
-    private def verify_webhook(path, headers, body)
-      tl_signature = headers["tl-signature"]
-
-      return ["400", "Bad Request – Header `Tl-Signature` missing"] unless tl_signature
-
-      jku = TrueLayerSigning.extract_jws_header(tl_signature).jku
-
-      return ["400", "Bad Request – Signature missing `jku`"] unless jku
-      return ["401", "Unauthorized – Unpermitted `jku`"] \
-        unless jku == "https://webhooks.truelayer.com/.well-known/jwks" ||
-          jku == "https://webhooks.truelayer-sandbox.com/.well-known/jwks"
-
-      jwks = HTTP.get(jku)
-
-      return ["401", "Unauthorized – Unavailable `jwks` resource"] unless jwks.status.success?
-
-      begin
-        TrueLayerSigning.verify_with_jwks(jwks.to_s)
-          .set_method(:post)
-          .set_path(path)
-          .set_headers(headers)
-          .set_body(body)
-          .verify(tl_signature)
-
-        ["202", "Accepted"]
-      rescue TrueLayerSigning::Error => error
-        puts error
-
-        ["401", "Unauthorized"]
-      end
-    end
-
-    private def headers_to_hash(headers)
-      headers.transform_keys { |key| key.to_s.strip.downcase }.transform_values(&:first)
-    end
-
-    private def send_response(response, status, headers, body)
-      response.status = status
-      response.header.merge!(headers)
-      response.body = body
-      response
-    end
-  end
-end
-
-TrueLayerSigningExamples.run_webhook_server