twilio-ruby-authenticate-webhooks 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: dc8744d924736377123f5b2b66e9366b5711721cd57a272128864e068e3df20f
+  data.tar.gz: 62c63f5230c6de87cf41c535fd8dfa6f208ce03ad6e68fc8e011b5966f175d65
+SHA512:
+  metadata.gz: 5e8238b7e4f003580db44a1a644c05182487de4a3df691fc79e94fdd5c54508e65735275b364d5e3bbbf6f6e85cce5ad258ab300c83b676da5eb24fe0ce339d7
+  data.tar.gz: 92d509308e9b55f714ff81b5233e879b955c1106b458a79783d8b984ae3c46267ef5b435a132f722003aa1ebfb9cfaa54738b50617d494aab9c5d666d84eddaf

data/.gitignore

@@ -0,0 +1,8 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/Gemfile

@@ -0,0 +1,4 @@
+source "https://rubygems.org"
+
+# Specify your gem's dependencies in twilio-ruby-authenticate-webhooks.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2019 Erik Griffin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,37 @@
+# TwilioRubyAuthenticateWebhooks
+
+This Gem aims to provide functionality solely to authenticate Twilio Webhook requests in Rails and Rack applications.  This was created in response to the large memory usage of the [twilio-ruby gem](https://github.com/twilio/twilio-ruby), as referenced in [#396](https://github.com/twilio/twilio-ruby/issues/396).
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'twilio-ruby-authenticate-webhooks'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install twilio-ruby-authenticate-webhooks
+
+## Usage
+
+https://www.twilio.com/docs/usage/tutorials/how-to-secure-your-sinatra-app-by-validating-incoming-twilio-requests
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/pathrise-eng/twilio-ruby-authenticate-webhooks.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "twilio/ruby/authenticate/webhooks"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/rack/twilio_webhook_authentication.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module Rack
+  # Middleware that authenticates webhooks from Twilio using the request
+  # validator.
+  #
+  # The middleware takes an auth token with which to set up the request
+  # validator and any number of paths. When a path matches the incoming request
+  # path, the request will be checked for authentication.
+  #
+  # Example:
+  #
+  # require 'rack'
+  # use Rack::TwilioWebhookAuthentication, ENV['AUTH_TOKEN'], /\/messages/
+  #
+  # The above appends this middleware to the stack, using an auth token saved in
+  # the ENV and only against paths that match /\/messages/. If the request
+  # validates then it gets passed on to the action as normal. If the request
+  # doesn't validate then the middleware responds immediately with a 403 status.
+
+  class TwilioWebhookAuthentication
+    def initialize(app, auth_token, *paths, &auth_token_lookup)
+      @app = app
+      @auth_token = auth_token
+      define_singleton_method(:get_auth_token, auth_token_lookup) if block_given?
+      @path_regex = Regexp.union(paths)
+    end
+
+    def call(env)
+      return @app.call(env) unless env['PATH_INFO'].match(@path_regex)
+      request = Rack::Request.new(env)
+      original_url = request.url
+      params = request.post? ? request.POST : {}
+      auth_token = @auth_token || get_auth_token(params['AccountSid'])
+      validator = Twilio::Security::RequestValidator.new(auth_token)
+      signature = env['HTTP_X_TWILIO_SIGNATURE'] || ''
+      if validator.validate(original_url, params, signature)
+        @app.call(env)
+      else
+        [
+          403,
+          { 'Content-Type' => 'text/plain' },
+          ['Twilio Request Validation Failed.']
+        ]
+      end
+    end
+  end
+end

data/lib/twilio-ruby-authenticate-webhooks.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require "version"
+require "rack/twilio_webhook_authentication"
+require "twilio-ruby/security/request_validator"

data/lib/twilio-ruby/security/request_validator.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+module Twilio
+  module Security
+    class RequestValidator
+      ##
+      # Initialize a Request Validator. auth_token will either be grabbed from the global Twilio object or you can
+      # pass it in here.
+      #
+      # @param [String] auth_token Your account auth token, used to sign requests
+      def initialize(auth_token = nil)
+        @auth_token = auth_token || Twilio.auth_token
+        raise ArgumentError, 'Auth token is required' if @auth_token.nil?
+      end
+
+      ##
+      # Validates that after hashing a request with Twilio's request-signing algorithm
+      # (https://www.twilio.com/docs/usage/security#validating-requests), the hash matches the signature parameter
+      #
+      # @param [String] url The url sent to your server, including any query parameters
+      # @param [String, Hash, #to_unsafe_h] params In most cases, this is the POST parameters as a hash. If you received
+      #   a bodySHA256 parameter in the query string, this parameter can instead be the POST body as a string to
+      #   validate JSON or other text-based payloads that aren't x-www-form-urlencoded.
+      # @param [String] signature The expected signature, from the X-Twilio-Signature header of the request
+      #
+      # @return [Boolean] whether or not the computed signature matches the signature parameter
+      def validate(url, params, signature)
+        params_hash = body_or_hash(params)
+        if params_hash.is_a? Enumerable
+          expected = build_signature_for(url, params_hash)
+          secure_compare(expected, signature)
+        else
+          expected_signature = build_signature_for(url, {})
+          body_hash = URI.decode_www_form(URI(url).query).to_h['bodySHA256']
+          expected_hash = build_hash_for(params)
+          secure_compare(expected_signature, signature) && secure_compare(expected_hash, body_hash)
+        end
+      end
+
+      ##
+      # Build a SHA256 hash for a body string
+      #
+      # @param [String] body String to hash
+      #
+      # @return [String] A hex-encoded SHA256 of the body string
+      def build_hash_for(body)
+        hasher = OpenSSL::Digest.new('sha256')
+        hasher.hexdigest(body)
+      end
+
+      ##
+      # Build a SHA1-HMAC signature for a url and parameter hash
+      #
+      # @param [String] url The request url, including any query parameters
+      # @param [#join] params The POST parameters
+      #
+      # @return [String] A base64 encoded SHA1-HMAC
+      def build_signature_for(url, params)
+        data = url + params.sort.join
+        digest = OpenSSL::Digest.new('sha1')
+        Base64.strict_encode64(OpenSSL::HMAC.digest(digest, @auth_token, data))
+      end
+
+      private
+
+      # Compares two strings in constant time to avoid timing attacks.
+      # Borrowed from ActiveSupport::MessageVerifier.
+      # https://github.com/rails/rails/blob/master/activesupport/lib/active_support/message_verifier.rb
+      def secure_compare(a, b)
+        return false unless a.bytesize == b.bytesize
+
+        l = a.unpack("C#{a.bytesize}")
+
+        res = 0
+        b.each_byte { |byte| res |= byte ^ l.shift }
+        res.zero?
+      end
+
+      # `ActionController::Parameters` no longer, as of Rails 5, inherits
+      # from `Hash` so the `sort` method, used above in `build_signature_for`
+      # is deprecated.
+      #
+      # `to_unsafe_h` was introduced in Rails 4.2.1, before then it is still
+      # possible to sort on an ActionController::Parameters object.
+      #
+      # We use `to_unsafe_h` as `to_h` returns a hash of the permitted
+      # parameters only and we need all the parameters to create the signature.
+      def body_or_hash(params_or_body)
+        if params_or_body.respond_to?(:to_unsafe_h)
+          params_or_body.to_unsafe_h
+        else
+          params_or_body
+        end
+      end
+    end
+  end
+end

data/lib/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module TwilioRubyAuthenticateWebhooks
+  VERSION = "0.1.1"
+end

data/twilio-ruby-authenticate-webhooks.gemspec

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "twilio-ruby-authenticate-webhooks"
+  spec.version       = TwilioRubyAuthenticateWebhooks::VERSION
+  spec.authors       = ["Erik Griffin"]
+  spec.email         = ["erik@pathrise.com"]
+
+  spec.summary       = "Authenticate Twilio Webhook Requests"
+  spec.description   = "Uses Rack Middleware to authenticate Twilio Webhook requests in your app."
+  spec.homepage      = "https://github.com/pathrise-eng/twilio-ruby-authenticate-webhooks"
+  spec.license       = "MIT"
+
+  spec.metadata["homepage_uri"] = spec.homepage
+  spec.metadata["source_code_uri"] = "https://github.com/pathrise-eng/twilio-ruby-authenticate-webhooks"
+
+  # Specify which files should be added to the gem when it is released.
+  # The `git ls-files -z` loads the files in the RubyGem that have been added into git.
+  spec.files = Dir.chdir(File.expand_path(__dir__)) do
+    `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  end
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 2.0"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

metadata

@@ -0,0 +1,86 @@
+--- !ruby/object:Gem::Specification
+name: twilio-ruby-authenticate-webhooks
+version: !ruby/object:Gem::Version
+  version: 0.1.1
+platform: ruby
+authors:
+- Erik Griffin
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2019-10-25 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Uses Rack Middleware to authenticate Twilio Webhook requests in your
+  app.
+email:
+- erik@pathrise.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- lib/rack/twilio_webhook_authentication.rb
+- lib/twilio-ruby-authenticate-webhooks.rb
+- lib/twilio-ruby/security/request_validator.rb
+- lib/version.rb
+- twilio-ruby-authenticate-webhooks.gemspec
+homepage: https://github.com/pathrise-eng/twilio-ruby-authenticate-webhooks
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/pathrise-eng/twilio-ruby-authenticate-webhooks
+  source_code_uri: https://github.com/pathrise-eng/twilio-ruby-authenticate-webhooks
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.0.3
+signing_key: 
+specification_version: 4
+summary: Authenticate Twilio Webhook Requests
+test_files: []