Sha256: fad1f58c3c94b8293e6e59490ebc7e63c2d47db9a2092b1ad9dbc04544b830a8
Contents?: true
Size: 1.8 KB
Versions: 1
Compression:
Stored size: 1.8 KB
Contents
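require "rubygems"
require "digest/md5" # Digest::MD5 is used below; do not rely on a transitive load
require "active_resource"

# Client bindings for the internetledsign.com HTTP API, built on ActiveResource.
module LedSign
  # Common ActiveResource configuration shared by every API resource.
  #
  # NOTE(review): the default site is plain "http://", so resource traffic
  # sent through this base class is not protected in transit. Confirm whether
  # the service offers an https endpoint and prefer it if so.
  class Base < ActiveResource::Base
    self.site = "http://internetledsign.com/api"
    self.format = :json
  end

  # Resource classes; all behaviour is inherited from Base.
  class Msg < Base
  end

  class User < Base
  end

  class Log < Base
  end

  # Holds the application-wide API credentials (class-level accessors) and the
  # per-login token, and verifies the signed parameters of a login callback.
  class Session
    cattr_accessor :url
    cattr_accessor :api_key
    cattr_accessor :secret
    cattr_accessor :protocol
    self.protocol = 'https'

    attr_accessor :token, :name

    # Assigns each key/value pair through the matching class-level setter.
    #
    # `send` dispatches to whatever "<key>=" method exists on this class, so
    # the hash must come from trusted application configuration and never
    # from request parameters.
    def self.setup(params)
      params.each { |k, value| send("#{k}=", value) }
    end

    # Checks the MD5 signature of a login callback.
    #
    # Returns false when no signature is present or it is not a String;
    # otherwise recomputes MD5(secret + sorted "k=v" pairs) over every
    # parameter except :signature, :action and :controller and compares.
    #
    # The comparison is constant-time so response timing does not reveal how
    # many leading characters of a submitted signature were correct.
    #
    # NOTE(review): MD5 over "secret + data" is not an HMAC, and the pairs are
    # joined without a separator, so parameter boundaries are ambiguous. The
    # scheme has to match what the server computes, so it is kept as is here;
    # if the service offers an HMAC-based signature, prefer that.
    def self.validate_signature(params)
      signature = params[:signature]
      return false unless signature.is_a?(String)

      sorted_params = params.except(:signature, :action, :controller)
                            .collect { |k, v| "#{k}=#{v}" }
                            .sort
                            .join
      expected = Digest::MD5.hexdigest(secret + sorted_params)
      constant_time_equal?(expected, signature)
    end

    # Compares two strings without short-circuiting on the first mismatch.
    # Only the length check exits early.
    def self.constant_time_equal?(expected, given)
      return false unless expected.bytesize == given.bytesize

      diff = 0
      expected.bytes.zip(given.bytes) { |x, y| diff |= x ^ y }
      diff.zero?
    end
    private_class_method :constant_time_equal?

    # Builds a session for +token+. When +params+ carries a :signature, the
    # signature must verify and :timestamp must be newer than 24 hours ago;
    # otherwise a RuntimeError is raised. Without a :signature no check is
    # performed, so callers handling a login callback must pass the request
    # parameters through.
    def initialize(token = nil, params = nil)
      self.token = token

      return unless params && params[:signature]

      # The 24-hour window bounds how long a captured callback URL can be
      # replayed.
      trusted = self.class.validate_signature(params) &&
                params[:timestamp].to_i > 24.hours.ago.utc.to_i
      raise "Invalid Signature: Possible malicious login" unless trusted
    end

    # URL the user is sent to in order to log in.
    #
    # NOTE(review): the scheme is hard-coded to "http" although +protocol+
    # defaults to 'https', so the api_key travels in a plaintext query string.
    # Confirm whether the login endpoint accepts https.
    def login_url
      "http://#{self.class.url}/login/?api_key=#{api_key}"
    end

    # Base URL, with credentials, for authenticated (non-login) API calls via
    # ActiveResource. The api_key and computed password are embedded in the
    # URL's userinfo part, so avoid writing this value to logs or error
    # reports.
    def site
      "#{protocol}://#{api_key}:#{computed_password}@#{self.class.url}"
    end

    # True once a token has been assigned.
    def valid?
      token.present?
    end

    private

    # The password is the MD5 hex digest of the shared secret (obtained when
    # registering this third-party application) concatenated with the token.
    def computed_password
      Digest::MD5.hexdigest(secret + token.to_s)
    end
  end
end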
Version data entries
1 entries across 1 versions & 1 rubygems
Version | Path |
---|---|
ledsign-api-0.1.0 | lib/ledsign-api.rb |