lib/bunq/signature.rb in bunq-client-0.6.1 vs lib/bunq/signature.rb in bunq-client-0.7.0
@@ -32,12 +32,12 @@
unless signature_headers_value
fail AbsentResponseSignature.new(code: response.code, headers: response.raw_headers, body: response.body)
end
signature = Base64.strict_decode64(signature_headers_value.first)
- unless server_public_key.verify(digest, signature, "#{response.code}\n#{response.body}")
- fail RequestSignatureRequired.new(code: response.code, headers: response.raw_headers, body: response.body)
+ if !verify_modern(signature, response) && !verify_legacy(signature, response)
+ fail InvalidResponseSignature.new(code: response.code, headers: response.raw_headers, body: response.body)
end
end
private
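Review bot: The new failure on the second added line raises `InvalidResponseSignature` where the old code raised `RequestSignatureRequired`, so any caller that rescues `RequestSignatureRequired` around a response verification will now let this error escape; the class hierarchy is not visible here, so if `InvalidResponseSignature` does not inherit from the old class this is a breaking change for callers and should be called out in the changelog (or the new class made a subclass of the old one for one release). The fallback chain `if !verify_modern(...) && !verify_legacy(...)` is also simpler as `unless verify_modern(signature, response) || verify_legacy(signature, response)`, which reads as the intended "accept either scheme" rule. Note that with the body-only modern check coming first, a response whose headers or status were tampered with but whose body signature still matches is accepted without ever reaching the stricter legacy check; that is presumably the intended API behaviour, but a one-line comment saying so would stop a future reader from "fixing" the order. The enclosing method starts above this hunk.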
@@ -52,8 +52,29 @@
_header_name.start_with?(BUNQ_HEADER_PREFIX) && _header_name != BUNQ_SERVER_SIGNATURE_RESPONSE_HEADER
end
def skip_signature_check(responseCode)
(Bunq::configuration.sandbox && responseCode == 409) || responseCode == 429
+ end
+
+ def verify_legacy(signature, response)
+ sorted_bunq_headers = response
+ .raw_headers
+ .select(&method(:verifiable_header?))
+ .sort
+ .to_h
+ .map do |k, v|
+ "#{k.to_s.split('-').map(&:capitalize).join('-')}: #{v.first}"
+ end
+
+ verify(signature, %Q{#{response.code}\n#{sorted_bunq_headers.join("\n")}\n\n#{response.body}})
+ end
+
+ def verify_modern(signature, response)
+ verify(signature, response.body)
+ end
+
+ def verify(signature, data)
+ server_public_key.verify(digest, signature, data)
end
end
end
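Review bot: `verify` lets any exception from `server_public_key.verify` propagate, and because `verify_modern` runs first in the caller's fallback chain, a signature that makes OpenSSL raise (for example `OpenSSL::PKey::PKeyError` on a malformed or wrong-length value, depending on the binding version) will skip `verify_legacy` entirely and surface as an OpenSSL error rather than `InvalidResponseSignature`; if every unverifiable signature is meant to map to that error, make the helper treat such cases as a failed check with `rescue OpenSSL::PKey::PKeyError` / `false` appended to `verify`. `verify_modern` authenticates only `response.body`, so under the modern scheme the status code and headers that `verify_legacy` folds into the signed string are no longer covered by the signature — worth a comment such as `# Modern scheme signs the body only; status and headers are protected by TLS, not by this signature.` In `verify_legacy`, `v.first` keeps only the first value of a multi-valued header and `.sort` orders by the raw header name before capitalisation, which matches the old code's intent only if bunq signed headers the same way; a short comment naming the canonical form being reconstructed (`"Header-Name: first-value"`, sorted by name) would make that assumption checkable.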