class Twilio::Security::RequestValidator

Public Class Methods

new(auth_token = nil) click to toggle source

Initialize a Request Validator. auth_token will either be grabbed from the global Twilio object or you can pass it in here.

@param [String] auth_token Your account auth token, used to sign requests

# File lib/twilio-ruby/security/request_validator.rb, line 11
def initialize(auth_token = nil)
  @auth_token = auth_token || Twilio.auth_token
  raise ArgumentError, 'Auth token is required' if @auth_token.nil?
end

Public Instance Methods

build_hash_for(body) click to toggle source

Build a SHA256 hash for a body string

@param [String] body String to hash

@return [String] A hex-encoded SHA256 of the body string

# File lib/twilio-ruby/security/request_validator.rb, line 55
def build_hash_for(body)
  hasher = OpenSSL::Digest.new('sha256')
  hasher.hexdigest(body)
end
build_signature_for(url, params) click to toggle source

Build a SHA1-HMAC signature for a url and parameter hash

@param [String] url The request url, including any query parameters @param [#join] params The POST parameters

@return [String] A base64 encoded SHA1-HMAC

# File lib/twilio-ruby/security/request_validator.rb, line 67
def build_signature_for(url, params)
  data = url + params.sort.join
  digest = OpenSSL::Digest.new('sha1')
  Base64.strict_encode64(OpenSSL::HMAC.digest(digest, @auth_token, data))
end
validate(url, params, signature) click to toggle source

Validates that after hashing a request with Twilio's request-signing algorithm (www.twilio.com/docs/usage/security#validating-requests), the hash matches the signature parameter

@param [String] url The url sent to your server, including any query parameters @param [String, Hash, to_unsafe_h] params In most cases, this is the POST parameters as a hash. If you received

a bodySHA256 parameter in the query string, this parameter can instead be the POST body as a string to
validate JSON or other text-based payloads that aren't x-www-form-urlencoded.

@param [String] signature The expected signature, from the X-Twilio-Signature header of the request

@return [Boolean] whether or not the computed signature matches the signature parameter

# File lib/twilio-ruby/security/request_validator.rb, line 27
def validate(url, params, signature)
  parsed_url = URI(url)
  url_with_port = add_port(parsed_url)
  url_without_port = remove_port(parsed_url)

  valid_body = true # default succeed, since body not always provided
  params_hash = body_or_hash(params)
  unless params_hash.is_a? Enumerable
    body_hash = URI.decode_www_form(parsed_url.query).to_h['bodySHA256']
    params_hash = build_hash_for(params)
    valid_body = !(params_hash.nil? || body_hash.nil?) && secure_compare(params_hash, body_hash)
    params_hash = {}
  end

  # Check signature of the url with and without port numbers
  # since signature generation on the back end is inconsistent
  valid_signature_with_port = secure_compare(build_signature_for(url_with_port, params_hash), signature)
  valid_signature_without_port = secure_compare(build_signature_for(url_without_port, params_hash), signature)

  valid_body && (valid_signature_with_port || valid_signature_without_port)
end

Private Instance Methods

add_port(parsed_url) click to toggle source

Adds the standard port to the url if it doesn't already have one

@param [URI] parsed_url The parsed request url

@return [String] The URL with a port number

# File lib/twilio-ruby/security/request_validator.rb, line 111
def add_port(parsed_url)
  if parsed_url.port.nil? || parsed_url.port == parsed_url.default_port
    build_url_with_port_for(parsed_url)
  else
    parsed_url.to_s
  end
end
body_or_hash(params_or_body) click to toggle source

`ActionController::Parameters` no longer, as of Rails 5, inherits from `Hash` so the `sort` method, used above in `build_signature_for` is deprecated.

`to_unsafe_h` was introduced in Rails 4.2.1, before then it is still possible to sort on an ActionController::Parameters object.

We use `to_unsafe_h` as `to_h` returns a hash of the permitted parameters only and we need all the parameters to create the signature.

# File lib/twilio-ruby/security/request_validator.rb, line 97
def body_or_hash(params_or_body)
  if params_or_body.respond_to?(:to_unsafe_h)
    params_or_body.to_unsafe_h
  else
    params_or_body
  end
end
build_url_with_port_for(parsed_url) click to toggle source

Builds the url from its component pieces, with the standard port

@param [URI] parsed_url The parsed request url

@return [String] The URL with the standard port number

# File lib/twilio-ruby/security/request_validator.rb, line 136
def build_url_with_port_for(parsed_url)
  url = ''

  url += parsed_url.scheme ? "#{parsed_url.scheme}://" : ''
  url += parsed_url.userinfo ? "#{parsed_url.userinfo}@" : ''
  url += parsed_url.host ? "#{parsed_url.host}:#{parsed_url.port}" : ''
  url += parsed_url.path
  url += parsed_url.query ? "?#{parsed_url.query}" : ''
  url += parsed_url.fragment ? "##{parsed_url.fragment}" : ''

  url
end
remove_port(parsed_url) click to toggle source

Removes the port from the url

@param [URI] parsed_url The parsed request url

@return [String] The URL without a port number

# File lib/twilio-ruby/security/request_validator.rb, line 125
def remove_port(parsed_url)
  parsed_url.port = nil
  parsed_url.to_s
end
secure_compare(a, b) click to toggle source

Compares two strings in constant time to avoid timing attacks. Borrowed from ActiveSupport::MessageVerifier. github.com/rails/rails/blob/master/activesupport/lib/active_support/message_verifier.rb

# File lib/twilio-ruby/security/request_validator.rb, line 78
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  l = a.unpack("C#{a.bytesize}")

  res = 0
  b.each_byte { |byte| res |= byte ^ l.shift }
  res.zero?
end