class SK::SDK::SignedRequest

Decode and validate signed requests which Salesking sends to canvas pages and PubSub subscribers

Attributes

app_secret[R]
data[R]
payload[R]
sign[R]
signed_request[R]

Public Class Methods

base64_url_encode(str) click to toggle source

Base64 url encode a string:

NO padding '=' is stripped

+ is replaced by - / is replaced by _

@param [String] str the string to encode @return [String] base64url-encoded

# File lib/sk_sdk/signed_request.rb, line 63
def self.base64_url_encode(str)
  [str].pack('m').tr('+/','-_').gsub("\n",'').gsub(/=+$/, '' )
end
new(signed_request, app_secret) click to toggle source
# File lib/sk_sdk/signed_request.rb, line 12
def initialize(signed_request, app_secret)
  @signed_request = signed_request
  @app_secret = app_secret
  decode_payload
end
signed_param(str, secret) click to toggle source

Base64 url encode a string and sign it using the given secret. The hmac signature and the encoded string are joined by . and returned

@param [String] str the string to encode @param [String] secret used to create the signature @return [String] hmac-sign.encoded-string

# File lib/sk_sdk/signed_request.rb, line 47
def self.signed_param(str, secret)
  # base65 url encode the json, remove trailing-padding =
  enc_str = base64_url_encode(str)
  # create hmac signature
  hmac_sig = OpenSSL::HMAC.hexdigest('sha256',secret, enc_str)
  # glue together and return
  [hmac_sig, enc_str].join('.')
end

Public Instance Methods

base64_url_decode(str) click to toggle source

Decode a base64URL encoded string: replace - with + and _ with / Also add padding so ruby's Base64 can decode it @return [String] the plain string decoded

# File lib/sk_sdk/signed_request.rb, line 28
def base64_url_decode(str)
  encoded_str = str.tr('-_', '+/')
  encoded_str += '=' while !(encoded_str.size % 4).zero?
  Base64.decode64(encoded_str)
end
decode_payload() click to toggle source

Populate @data and @sign(ature) by splitting and decoding the incoming signed_request

# File lib/sk_sdk/signed_request.rb, line 20
def decode_payload
  @sign, @payload = @signed_request.split('.')
  @data = ActiveSupport::JSON.decode base64_url_decode(@payload)
end
valid?() click to toggle source

A request is valid if the new hmac created from the incoming string matches the new one, created with the apps secret

# File lib/sk_sdk/signed_request.rb, line 36
def valid?
  return false if @data['algorithm'].to_s.upcase != 'HMAC-SHA256'
  @sign == OpenSSL::HMAC.hexdigest('sha256', @app_secret, @payload)
end