Sha256: 42ed72d186fc16a4572f79974a5574758233db13369607a6e033973f27826ef9

Contents?: true

Size: 1.77 KB

Versions: 9

Compression:

Stored size: 1.77 KB

Contents

# frozen_string_literal: true

module Twilio
  module Security
    class RequestValidator
      def initialize(auth_token = nil)
        @auth_token = auth_token || Twilio.auth_token
        raise ArgumentError, 'Auth token is required' if @auth_token.nil?
      end

      def validate(url, params, signature)
        params_hash = params_to_hash(params)
        expected = build_signature_for(url, params_hash)
        secure_compare(expected, signature)
      end

      def build_signature_for(url, params)
        data = url + params.sort.join
        digest = OpenSSL::Digest.new('sha1')
        Base64.encode64(OpenSSL::HMAC.digest(digest, @auth_token, data)).strip
      end

      private

      # Compares two strings in constant time to avoid timing attacks.
      # Borrowed from ActiveSupport::MessageVerifier.
      # https://github.com/rails/rails/blob/master/activesupport/lib/active_support/message_verifier.rb
      def secure_compare(a, b)
        return false unless a.bytesize == b.bytesize

        l = a.unpack("C#{a.bytesize}")

        res = 0
        b.each_byte { |byte| res |= byte ^ l.shift }
        res.zero?
      end

      # `ActionController::Parameters` no longer, as of Rails 5, inherits
      # from `Hash` so the `sort` method, used above in `build_signature_for`
      # is deprecated.
      #
      # `to_unsafe_h` was introduced in Rails 4.2.1, before then it is still
      # possible to sort on an ActionController::Parameters object.
      #
      # We use `to_unsafe_h` as `to_h` returns a hash of the permitted
      # parameters only and we need all the parameters to create the signature.
      def params_to_hash(params)
        if params.respond_to?(:to_unsafe_h)
          params.to_unsafe_h
        else
          params
        end
      end
    end
  end
end

Version data entries

9 entries across 9 versions & 1 rubygems

Version Path
twilio-ruby-5.10.7 lib/twilio-ruby/security/request_validator.rb
twilio-ruby-5.10.6 lib/twilio-ruby/security/request_validator.rb
twilio-ruby-5.10.5 lib/twilio-ruby/security/request_validator.rb
twilio-ruby-5.10.4 lib/twilio-ruby/security/request_validator.rb
twilio-ruby-5.10.3 lib/twilio-ruby/security/request_validator.rb
twilio-ruby-5.10.2 lib/twilio-ruby/security/request_validator.rb
twilio-ruby-5.10.1 lib/twilio-ruby/security/request_validator.rb
twilio-ruby-5.10.0 lib/twilio-ruby/security/request_validator.rb
twilio-ruby-5.9.0 lib/twilio-ruby/security/request_validator.rb