Contents

# frozen_string_literal: true

module DuodealerApp
  module AppProxyVerification
    extend ActiveSupport::Concern

    included do
      skip_before_action :verify_authenticity_token, raise: false
      before_action :verify_proxy_request
    end

    def verify_proxy_request
      return head :forbidden unless query_string_valid?(request.query_string)
    end

    private
      def query_string_valid?(query_string)
        query_hash = Rack::Utils.parse_query(query_string)

        signature = query_hash.delete("signature")
        return false if signature.nil?

        ActiveSupport::SecurityUtils.secure_compare(
          calculated_signature(query_hash),
          signature
        )
      end

      def calculated_signature(query_hash_without_signature)
        sorted_params = query_hash_without_signature.collect { |k, v| "#{k}=#{Array(v).join(',')}" }.sort.join

        OpenSSL::HMAC.hexdigest(
          OpenSSL::Digest.new("sha256"),
          DuodealerApp.configuration.secret,
          sorted_params
        )
      end
  end
end

Version data entries

5 entries across 5 versions & 1 rubygems

Version	Path
duodealer_app-1.0.4	lib/duodealer_app/controller_concerns/app_proxy_verification.rb
duodealer_app-1.0.3	lib/duodealer_app/controller_concerns/app_proxy_verification.rb
duodealer_app-1.0.2	lib/duodealer_app/controller_concerns/app_proxy_verification.rb
duodealer_app-1.0.1	lib/duodealer_app/controller_concerns/app_proxy_verification.rb
duodealer_app-1.0.0	lib/duodealer_app/controller_concerns/app_proxy_verification.rb