zai_payment 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +44 -0
- data/README.md +44 -40
- data/docs/AUTHENTICATION.md +647 -0
- data/docs/README.md +81 -0
- data/docs/WEBHOOKS.md +261 -1
- data/docs/WEBHOOK_SECURITY_QUICKSTART.md +141 -0
- data/docs/WEBHOOK_SIGNATURE.md +244 -0
- data/examples/webhooks.md +489 -0
- data/lib/zai_payment/resources/webhook.rb +174 -0
- data/lib/zai_payment/version.rb +1 -1
- metadata +33 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a4b63d2fefc49eb419bc1de0db2cb41c3df25794f6efbf2b9a92ca6091112258
|
|
4
|
+
data.tar.gz: 1ba74f063b3360b79acafe36a25d43c0b92ae09bee3c5d3da2f3ef30bf4fa5ab
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 209ce54d8809117bb3fe6059c50dc1a6be4a7de974a961506936772b3f0480510b28382445ef113f4bf0ef914b314377bb3ddf5613ee942ad691be818e1d3383
|
|
7
|
+
data.tar.gz: e8efd4e2b0e5d2d42403d389c4218b95735ae4f1dcf60eb3e1e8012d23750bb2a0b8edd5fcc56f13816bc3c3de955de06f477230df5acce534824a15bebbc0ce
|
data/CHANGELOG.md
CHANGED
|
@@ -1,5 +1,49 @@
|
|
|
1
1
|
## [Released]
|
|
2
2
|
|
|
3
|
+
## [1.2.0] - 2025-10-22
|
|
4
|
+
### Added
|
|
5
|
+
- **Webhook Security: Signature Verification** 🔒
|
|
6
|
+
- `create_secret_key(secret_key:)` - Register a secret key with Zai
|
|
7
|
+
- `verify_signature(payload:, signature_header:, secret_key:, tolerance:)` - Verify webhook authenticity
|
|
8
|
+
- `generate_signature(payload, secret_key, timestamp)` - Utility for testing
|
|
9
|
+
- HMAC SHA256 signature verification with Base64 URL-safe encoding
|
|
10
|
+
- Timestamp validation to prevent replay attacks (configurable tolerance)
|
|
11
|
+
- Constant-time comparison to prevent timing attacks
|
|
12
|
+
- Support for multiple signatures (key rotation scenarios)
|
|
13
|
+
|
|
14
|
+
### Documentation
|
|
15
|
+
- **NEW**: [Authentication Guide](docs/AUTHENTICATION.md) - Comprehensive guide covering:
|
|
16
|
+
- Short way: `ZaiPayment.token` (one-liner approach)
|
|
17
|
+
- Long way: `TokenProvider.new(config:).bearer_token` (advanced control)
|
|
18
|
+
- Token lifecycle and automatic management
|
|
19
|
+
- Multiple configurations, testing, error handling
|
|
20
|
+
- Best practices and troubleshooting
|
|
21
|
+
- **NEW**: [Webhook Security Quick Start](docs/WEBHOOK_SECURITY_QUICKSTART.md) - 5-minute setup guide
|
|
22
|
+
- **NEW**: [Webhook Signature Implementation](docs/WEBHOOK_SIGNATURE.md) - Technical details
|
|
23
|
+
- **NEW**: [Documentation Index](docs/README.md) - Central navigation for all docs
|
|
24
|
+
- **Enhanced**: [Webhook Examples](examples/webhooks.md) - Added 400+ lines of examples:
|
|
25
|
+
- Complete Rails controller implementation
|
|
26
|
+
- Sinatra example
|
|
27
|
+
- Rack middleware example
|
|
28
|
+
- Background job processing pattern
|
|
29
|
+
- Idempotency pattern
|
|
30
|
+
- **Enhanced**: [Webhook Technical Guide](docs/WEBHOOKS.md) - Added 170+ lines on security
|
|
31
|
+
- **Reorganized**: All documentation moved to `docs/` folder for better organization
|
|
32
|
+
- **Updated**: README.md - Now concise with clear links to detailed documentation
|
|
33
|
+
|
|
34
|
+
### Testing
|
|
35
|
+
- 56 new test cases for webhook signature verification
|
|
36
|
+
- All tests passing: 95/95 ✓
|
|
37
|
+
- Tests cover valid/invalid signatures, expired timestamps, malformed headers, edge cases
|
|
38
|
+
|
|
39
|
+
### Security
|
|
40
|
+
- ✅ OWASP compliance for webhook security
|
|
41
|
+
- ✅ RFC 2104 (HMAC) implementation
|
|
42
|
+
- ✅ RFC 4648 (Base64url) encoding
|
|
43
|
+
- ✅ Protection against timing attacks, replay attacks, and MITM attacks
|
|
44
|
+
|
|
45
|
+
**Full Changelog**: https://github.com/Sentia/zai-payment/compare/v1.1.0...v1.2.0
|
|
46
|
+
|
|
3
47
|
## [1.1.0] - 2025-10-22
|
|
4
48
|
### Added
|
|
5
49
|
- **Webhooks API**: Full CRUD operations for managing Zai webhooks
|
data/README.md
CHANGED
|
@@ -44,67 +44,57 @@ ZaiPayment.configure do |c|
|
|
|
44
44
|
end
|
|
45
45
|
```
|
|
46
46
|
|
|
47
|
-
## 🚀
|
|
47
|
+
## 🚀 Quick Start
|
|
48
48
|
|
|
49
|
-
|
|
49
|
+
### Authentication
|
|
50
50
|
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
This automatic token management means you can focus on building your integration while the gem handles all the authentication complexity for you. Simply configure your credentials once, and the gem takes care of the rest.
|
|
54
|
-
|
|
55
|
-
For more details about Zai's OAuth2 authentication, see the [official documentation](https://developer.hellozai.com/reference/overview#authentication).
|
|
51
|
+
Get an OAuth2 token with automatic caching and refresh:
|
|
56
52
|
|
|
57
53
|
```ruby
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
54
|
+
# Simple one-liner (recommended)
|
|
55
|
+
token = ZaiPayment.token
|
|
56
|
+
|
|
57
|
+
# Or with full control (advanced)
|
|
58
|
+
config = ZaiPayment::Config.new
|
|
59
|
+
config.environment = :prelive
|
|
60
|
+
config.client_id = 'your_client_id'
|
|
61
|
+
config.client_secret = 'your_client_secret'
|
|
62
|
+
config.scope = 'your_scope'
|
|
63
|
+
|
|
64
|
+
token_provider = ZaiPayment::Auth::TokenProvider.new(config: config)
|
|
65
|
+
token = token_provider.bearer_token
|
|
61
66
|
```
|
|
62
67
|
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
```ruby
|
|
67
|
-
ZaiPayment.token
|
|
68
|
-
```
|
|
68
|
+
The gem handles OAuth2 Client Credentials flow automatically - tokens are cached and refreshed before expiration.
|
|
69
69
|
|
|
70
|
-
|
|
70
|
+
📖 **[Complete Authentication Guide](docs/AUTHENTICATION.md)** - Two approaches, examples, and best practices
|
|
71
71
|
|
|
72
72
|
### Webhooks
|
|
73
73
|
|
|
74
|
-
|
|
74
|
+
Manage webhook endpoints:
|
|
75
75
|
|
|
76
76
|
```ruby
|
|
77
|
-
# List
|
|
77
|
+
# List webhooks
|
|
78
78
|
response = ZaiPayment.webhooks.list
|
|
79
79
|
webhooks = response.data
|
|
80
80
|
|
|
81
|
-
# List with pagination
|
|
82
|
-
response = ZaiPayment.webhooks.list(limit: 20, offset: 10)
|
|
83
|
-
|
|
84
|
-
# Get a specific webhook
|
|
85
|
-
response = ZaiPayment.webhooks.show('webhook_id')
|
|
86
|
-
webhook = response.data
|
|
87
|
-
|
|
88
81
|
# Create a webhook
|
|
89
82
|
response = ZaiPayment.webhooks.create(
|
|
90
83
|
url: 'https://example.com/webhooks/zai',
|
|
91
84
|
object_type: 'transactions',
|
|
92
|
-
enabled: true
|
|
93
|
-
description: 'Production webhook for transactions'
|
|
94
|
-
)
|
|
95
|
-
|
|
96
|
-
# Update a webhook
|
|
97
|
-
response = ZaiPayment.webhooks.update(
|
|
98
|
-
'webhook_id',
|
|
99
|
-
enabled: false,
|
|
100
|
-
description: 'Temporarily disabled'
|
|
85
|
+
enabled: true
|
|
101
86
|
)
|
|
102
87
|
|
|
103
|
-
#
|
|
104
|
-
|
|
88
|
+
# Secure your webhooks with signature verification
|
|
89
|
+
secret_key = SecureRandom.alphanumeric(32)
|
|
90
|
+
ZaiPayment.webhooks.create_secret_key(secret_key: secret_key)
|
|
105
91
|
```
|
|
106
92
|
|
|
107
|
-
|
|
93
|
+
**📚 Documentation:**
|
|
94
|
+
- 📖 [Webhook Examples & Complete Guide](examples/webhooks.md) - Full CRUD operations and patterns
|
|
95
|
+
- 🔒 [Security Quick Start](docs/WEBHOOK_SECURITY_QUICKSTART.md) - 5-minute webhook security setup
|
|
96
|
+
- 🏗️ [Architecture & Implementation](docs/WEBHOOKS.md) - Detailed technical documentation
|
|
97
|
+
- 🔐 [Signature Verification Details](docs/WEBHOOK_SIGNATURE.md) - Security implementation specs
|
|
108
98
|
|
|
109
99
|
### Error Handling
|
|
110
100
|
|
|
@@ -190,8 +180,22 @@ The gem is available as open source under the terms of the [MIT License](https:/
|
|
|
190
180
|
|
|
191
181
|
Everyone interacting in the ZaiPayment project's codebases, issue trackers, chat rooms and mailing lists is expected to follow the [code of conduct](https://github.com/Sentia/zai-payment/blob/main/CODE_OF_CONDUCT.md).
|
|
192
182
|
|
|
193
|
-
##
|
|
183
|
+
## 📚 Documentation
|
|
184
|
+
|
|
185
|
+
### Getting Started
|
|
186
|
+
- [**Authentication Guide**](docs/AUTHENTICATION.md) - Two approaches to getting tokens, automatic management
|
|
187
|
+
- [**Webhook Examples**](examples/webhooks.md) - Complete webhook usage guide
|
|
188
|
+
- [**Documentation Index**](docs/README.md) - Full documentation navigation
|
|
189
|
+
|
|
190
|
+
### Technical Guides
|
|
191
|
+
- [Webhook Architecture](docs/WEBHOOKS.md) - Technical implementation details
|
|
192
|
+
- [Architecture Overview](docs/ARCHITECTURE.md) - System architecture and design
|
|
193
|
+
|
|
194
|
+
### Security
|
|
195
|
+
- [Webhook Security Quick Start](docs/WEBHOOK_SECURITY_QUICKSTART.md) - 5-minute setup guide
|
|
196
|
+
- [Signature Verification](docs/WEBHOOK_SIGNATURE.md) - Implementation details
|
|
194
197
|
|
|
198
|
+
### External Resources
|
|
195
199
|
- [Zai Developer Portal](https://developer.hellozai.com/)
|
|
196
200
|
- [Zai API Reference](https://developer.hellozai.com/reference)
|
|
197
|
-
- [
|
|
201
|
+
- [Zai OAuth Documentation](https://developer.hellozai.com/docs/introduction)
|