Class: Rerout::Rails::WebhookController

Inherits:
ActionController::Base
  • Object
Defined in:
lib/rerout/rails/webhook_controller.rb

Overview

`ActionController` endpoint that ingests signed Rerout webhooks.

The `rerout:install` generator mounts it for you. To wire it manually:

# config/routes.rb
post '/rerout/webhooks', to: 'rerout/rails/webhook#receive'

Behaviour:

  • Verifies the `X-Rerout-Signature` header against the configured `webhook_secret` using the base SDK’s constant-time HMAC check.

  • `200` — signature valid and the body is a JSON object; the delivery is dispatched through Events.

  • `401` — signature missing, malformed, stale, or wrong.

  • `400` — signature valid but the body is not a JSON object.

CSRF protection is skipped — webhooks are server-to-server and carry no session cookie. Subscribe to Events topics to react to deliveries; do not subclass this controller to add handlers.

Constant Summary

SIGNATURE_HEADER = 'X-Rerout-Signature'

Header Rerout signs every delivery with.

Instance Method Summary

Instance Method Details

#receive ⇒ void

This method returns an undefined value.

Verify, parse, and dispatch a single webhook delivery.



# File 'lib/rerout/rails/webhook_controller.rb', line 40

def receive
  raw_body = read_raw_body
  signature = request.headers[SIGNATURE_HEADER].to_s

  unless signature_valid?(raw_body, signature)
    return render(json: { error: 'invalid signature' }, status: :unauthorized)
  end

  body = parse_object(raw_body)
  if body.nil?
    return render(json: { error: 'body must be a JSON object' },
                  status: :bad_request)
  end

  event = body['event'].is_a?(String) ? body['event'] : ''
  Events.dispatch(event: event, body: body, request: request)

  render json: { received: true, event: event }, status: :ok
end
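
The listing above calls `signature_valid?` and `parse_object` without showing them. The following is an added example, not the gem's code, of the same verify-then-parse order and the 200/401/400 contract described in the Overview. The header format (`t=<unix seconds>,v1=<hex HMAC-SHA256>` over `"<t>.<raw body>"`), the 300-second freshness window, the helper names and the sample event name are all assumptions made for illustration.

```ruby
require 'openssl'
require 'json'

# ASSUMED header format, not taken from the Rerout docs:
#   "t=<unix seconds>,v1=<hex HMAC-SHA256 of '<t>.<raw body>'>"
# TOLERANCE is likewise an assumed freshness window, in seconds.
TOLERANCE = 300
HEADER_RE = /\At=(\d{1,12}),v1=(\h{64})\z/

# Sender side, used here only to build constructed test deliveries.
def sign(secret, raw_body, at)
  mac = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{at}.#{raw_body}")
  "t=#{at},v1=#{mac}"
end

# Returns [status, detail] following the 200/401/400 contract on this page.
def classify_delivery(secret, raw_body, header, now: Time.now.to_i)
  m = HEADER_RE.match(header.to_s)
  return [401, 'missing or malformed signature'] unless m

  # Reject replays of old deliveries before spending time on the MAC.
  return [401, 'stale signature'] if (now - m[1].to_i).abs > TOLERANCE

  # MAC the exact bytes received, never a re-serialised copy of the JSON.
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, "#{m[1]}.#{raw_body}")
  # Constant-time comparison: no early exit on the first differing byte.
  unless OpenSSL.secure_compare(expected, m[2].downcase)
    return [401, 'wrong signature']
  end

  # Parse only after the raw bytes are authenticated.
  body = begin
    JSON.parse(raw_body)
  rescue JSON::ParserError
    nil
  end
  return [400, 'body must be a JSON object'] unless body.is_a?(Hash)

  [200, body['event'].is_a?(String) ? body['event'] : '']
end
```
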