Module: InstagramConnect::SignatureVerifier
- Defined in:
- lib/instagram_connect/signature_verifier.rb
Overview
Verifies Meta's X-Hub-Signature-256 header: HMAC-SHA256 of the raw request
body keyed by the app secret, compared in constant time. This is how the
webhook authenticates that a POST really came from Meta.
Class Method Summary collapse
- .secure_compare(given, expected) ⇒ Object
- .valid?(raw_body:, signature:, app_secret: InstagramConnect.configuration.app_secret) ⇒ Boolean
Class Method Details
.secure_compare(given, expected) ⇒ Object
17 18 19 20 21 |
# File 'lib/instagram_connect/signature_verifier.rb', line 17 def secure_compare(given, expected) return false unless given.bytesize == expected.bytesize OpenSSL.fixed_length_secure_compare(given, expected) end |
.valid?(raw_body:, signature:, app_secret: InstagramConnect.configuration.app_secret) ⇒ Boolean
10 11 12 13 14 15 |
# File 'lib/instagram_connect/signature_verifier.rb', line 10 def valid?(raw_body:, signature:, app_secret: InstagramConnect.configuration.app_secret) return false if signature.to_s.empty? || app_secret.to_s.empty? expected = "sha256=#{OpenSSL::HMAC.hexdigest('SHA256', app_secret.to_s, raw_body.to_s)}" secure_compare(signature.to_s, expected) end |