mirror of
https://github.com/stripe/stripe-ruby.git
synced 2025-06-04 00:01:12 -04:00
e117c9fb6d
Exposes the `.compute_signature` method, which may be useful when
testing webhook signing in test suites.
I change the API slightly so that a caller isn't forced to do as much
string mangling, and to match the one that we already have in stripe-go:
``` go
func ComputeSignature(t time.Time, payload []byte, secret string) []byte {
```
Add basic documentation and test case. I also change a few things around
so that we send `Time` objects around more often where applicable, and
don't change then to Unix integers until the last moment that we need
to.
The one other alternative API I considered is this one, which would
default the timestamp to the current time to allow the method to be
called with one fewer arg:
``` ruby
def self.compute_signature(payload, secret: timestamp: Time.now)
```
I decided against it in the end though because it does remove some
explicitness, and it's not a big deal to just pass in `Time.now`,
especially given that this is not expected to be a commonly used method.
Fixes #912.
105 lines
4.1 KiB
Ruby
105 lines
4.1 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module Stripe
|
|
module Webhook
|
|
DEFAULT_TOLERANCE = 300
|
|
|
|
# Initializes an Event object from a JSON payload.
|
|
#
|
|
# This may raise JSON::ParserError if the payload is not valid JSON, or
|
|
# SignatureVerificationError if the signature verification fails.
|
|
def self.construct_event(payload, sig_header, secret,
|
|
tolerance: DEFAULT_TOLERANCE)
|
|
Signature.verify_header(payload, sig_header, secret, tolerance: tolerance)
|
|
|
|
# It's a good idea to parse the payload only after verifying it. We use
|
|
# `symbolize_names` so it would otherwise be technically possible to
|
|
# flood a target's memory if they were on an older version of Ruby that
|
|
# doesn't GC symbols. It also decreases the likelihood that we receive a
|
|
# bad payload that fails to parse and throws an exception.
|
|
data = JSON.parse(payload, symbolize_names: true)
|
|
Event.construct_from(data)
|
|
end
|
|
|
|
module Signature
|
|
EXPECTED_SCHEME = "v1"
|
|
|
|
# Computes a webhook signature given a time (probably the current time),
|
|
# a payload, and a signing secret.
|
|
def self.compute_signature(timestamp, payload, secret)
|
|
raise ArgumentError, "timestamp should be an instance of Time" \
|
|
unless timestamp.is_a?(Time)
|
|
raise ArgumentError, "payload should be a string" \
|
|
unless payload.is_a?(String)
|
|
raise ArgumentError, "secret should be a string" \
|
|
unless secret.is_a?(String)
|
|
|
|
timestamped_payload = "#{timestamp.to_i}.#{payload}"
|
|
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret,
|
|
timestamped_payload)
|
|
end
|
|
|
|
# Extracts the timestamp and the signature(s) with the desired scheme
|
|
# from the header
|
|
def self.get_timestamp_and_signatures(header, scheme)
|
|
list_items = header.split(/,\s*/).map { |i| i.split("=", 2) }
|
|
timestamp = Integer(list_items.select { |i| i[0] == "t" }[0][1])
|
|
signatures = list_items.select { |i| i[0] == scheme }.map { |i| i[1] }
|
|
[Time.at(timestamp), signatures]
|
|
end
|
|
private_class_method :get_timestamp_and_signatures
|
|
|
|
# Verifies the signature header for a given payload.
|
|
#
|
|
# Raises a SignatureVerificationError in the following cases:
|
|
# - the header does not match the expected format
|
|
# - no signatures found with the expected scheme
|
|
# - no signatures matching the expected signature
|
|
# - a tolerance is provided and the timestamp is not within the
|
|
# tolerance
|
|
#
|
|
# Returns true otherwise
|
|
def self.verify_header(payload, header, secret, tolerance: nil)
|
|
begin
|
|
timestamp, signatures =
|
|
get_timestamp_and_signatures(header, EXPECTED_SCHEME)
|
|
|
|
# TODO: Try to knock over this blanket rescue as it can unintentionally
|
|
# swallow many valid errors. Instead, try to validate an incoming
|
|
# header one piece at a time, and error with a known exception class if
|
|
# any part is found to be invalid. Rescue that class here.
|
|
rescue StandardError
|
|
raise SignatureVerificationError.new(
|
|
"Unable to extract timestamp and signatures from header",
|
|
header, http_body: payload
|
|
)
|
|
end
|
|
|
|
if signatures.empty?
|
|
raise SignatureVerificationError.new(
|
|
"No signatures found with expected scheme #{EXPECTED_SCHEME}",
|
|
header, http_body: payload
|
|
)
|
|
end
|
|
|
|
expected_sig = compute_signature(timestamp, payload, secret)
|
|
unless signatures.any? { |s| Util.secure_compare(expected_sig, s) }
|
|
raise SignatureVerificationError.new(
|
|
"No signatures found matching the expected signature for payload",
|
|
header, http_body: payload
|
|
)
|
|
end
|
|
|
|
if tolerance && timestamp < Time.now - tolerance
|
|
raise SignatureVerificationError.new(
|
|
"Timestamp outside the tolerance zone (#{Time.at(timestamp)})",
|
|
header, http_body: payload
|
|
)
|
|
end
|
|
|
|
true
|
|
end
|
|
end
|
|
end
|
|
end
|