Sha256: dce227ac56dcb428075dc0df09c2756a58e05c389b02f67b64610ef981a4e157

Contents?: true

Size: 691 Bytes

Versions: 10

Compression:

Stored size: 691 Bytes

Contents

# frozen_string_literal: true

require 'base64'

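module SolidusBolt
  # Base controller for endpoints that are called by Bolt rather than by a
  # logged-in Solidus user.
  #
  # Solidus API authentication and Rails CSRF protection are both skipped here,
  # so the HMAC check in #verify_bolt_request is the only authentication these
  # endpoints have. It must therefore fail closed.
  class BaseController < ::Spree::Api::BaseController
    skip_before_action :authenticate_user
    skip_before_action :verify_authenticity_token
    before_action :verify_bolt_request

    private

    # Rejects the request with 401 unless the X-Bolt-Hmac-Sha256 header matches
    # the Base64-encoded HMAC-SHA256 of the request parameters, keyed with the
    # configured Bolt signing secret.
    #
    # `permitted_params` is not defined in this class; presumably each
    # subclass supplies it -- verify against the subclasses.
    #
    # NOTE(review): the HMAC is computed over `permitted_params.to_json`, i.e.
    # a re-serialisation of the parsed parameters, not over the raw request
    # body. Confirm this is byte-for-byte what Bolt signs; any difference in
    # key order, filtering or escaping makes valid requests fail.
    #
    # @return [void]
    def verify_bolt_request
      hmac_header = request.headers['X-Bolt-Hmac-Sha256'].to_s
      signing_secret = (SolidusBolt::BoltConfiguration.fetch&.signing_secret).to_s

      # Fail closed: with no configured secret the HMAC would be keyed with an
      # empty string, which any caller can reproduce. A missing header can
      # never be valid either.
      authentic = !signing_secret.empty? && !hmac_header.empty? &&
                  ActiveSupport::SecurityUtils.secure_compare(hmac_header, bolt_hmac(signing_secret))
      return if authentic

      render json: { error: 'Unauthorized request' }, status: :unauthorized
    end

    # Base64 (no line breaks) of the HMAC-SHA256 over the JSON-serialised
    # permitted parameters.
    #
    # @param signing_secret [String] non-empty HMAC key
    # @return [String]
    def bolt_hmac(signing_secret)
      Base64.strict_encode64(OpenSSL::HMAC.digest('SHA256', signing_secret, permitted_params.to_json))
    end
  end
end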

Version data entries

10 entries across 10 versions & 1 rubygems

Version Path
solidus_bolt-0.7.2 app/controllers/solidus_bolt/base_controller.rb
solidus_bolt-0.7.1 app/controllers/solidus_bolt/base_controller.rb
solidus_bolt-0.7.0 app/controllers/solidus_bolt/base_controller.rb
solidus_bolt-0.6.0 app/controllers/solidus_bolt/base_controller.rb
solidus_bolt-0.5.0 app/controllers/solidus_bolt/base_controller.rb
solidus_bolt-0.4.0 app/controllers/solidus_bolt/base_controller.rb
solidus_bolt-0.3.0 app/controllers/solidus_bolt/base_controller.rb
solidus_bolt-0.2.0 app/controllers/solidus_bolt/base_controller.rb
solidus_bolt-0.1.0 app/controllers/solidus_bolt/base_controller.rb
solidus_bolt-0.0.1 app/controllers/solidus_bolt/base_controller.rb