Class: PurchaseKit::WebhookSignature

Inherits:

Object

• Object
• PurchaseKit::WebhookSignature

Defined in:

lib/purchasekit/webhook_signature.rb

Overview

Verifies HMAC-SHA256 signatures on incoming webhooks.

The PurchaseKit SaaS signs all webhook payloads with your webhook secret. This class verifies those signatures to ensure webhooks are authentic.

Example:

PurchaseKit::WebhookSignature.verify!(
  payload: request.raw_post,
  signature: request.headers["X-PurchaseKit-Signature"],
  secret: PurchaseKit.config.webhook_secret
)

Instance Attribute Summary

• #payload ⇒ Object readonly

  Returns the value of attribute payload.

• #secret ⇒ Object readonly

  Returns the value of attribute secret.

• #signature ⇒ Object readonly

  Returns the value of attribute signature.

Class Method Summary

• .verified_payload(payload:, signature:, secret:) ⇒ Object
• .verify!(payload:, signature:, secret:) ⇒ Object

Instance Method Summary

• #initialize(payload:, signature:, secret:) ⇒ WebhookSignature constructor

  A new instance of WebhookSignature.

• #verified_payload ⇒ Object

  Verify the signature and return the parsed JSON payload.

• #verify! ⇒ Object

  Verify the signature.

Constructor Details

#initialize(payload:, signature:, secret:) ⇒ WebhookSignature

Returns a new instance of WebhookSignature.

# File 'lib/purchasekit/webhook_signature.rb', line 20

def initialize(payload:, signature:, secret:)
  @payload = payload
  @signature = signature
  @secret = secret
end

Instance Attribute Details

#payload ⇒ Object (readonly)

Returns the value of attribute payload.

# File 'lib/purchasekit/webhook_signature.rb', line 18

def payload
  @payload
end

#secret ⇒ Object (readonly)

Returns the value of attribute secret.

# File 'lib/purchasekit/webhook_signature.rb', line 18

def secret
  @secret
end

#signature ⇒ Object (readonly)

Returns the value of attribute signature.

# File 'lib/purchasekit/webhook_signature.rb', line 18

def signature
  @signature
end

Class Method Details

.verified_payload(payload:, signature:, secret:) ⇒ Object

# File 'lib/purchasekit/webhook_signature.rb', line 55

def verified_payload(payload:, signature:, secret:)
  new(payload: payload, signature: signature, secret: secret).verified_payload
end

.verify!(payload:, signature:, secret:) ⇒ Object

# File 'lib/purchasekit/webhook_signature.rb', line 51

def verify!(payload:, signature:, secret:)
  new(payload: payload, signature: signature, secret: secret).verify!
end

Instance Method Details

#verified_payload ⇒ Object

Verify the signature and return the parsed JSON payload.

# File 'lib/purchasekit/webhook_signature.rb', line 45

def verified_payload
  verify!
  JSON.parse(payload, symbolize_names: true)
end

#verify! ⇒ Object

Verify the signature. Raises SignatureVerificationError if invalid.

# File 'lib/purchasekit/webhook_signature.rb', line 27

def verify!
  if secret.blank?
    raise SignatureVerificationError, "webhook_secret must be configured"
  end

  if signature.blank?
    raise SignatureVerificationError, "Missing signature"
  end

  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  unless ActiveSupport::SecurityUtils.secure_compare(signature, expected)
    raise SignatureVerificationError, "Invalid signature"
  end

  true
end