Module: DuffelAPI::WebhookEvent
- Defined in:
- lib/duffel_api/webhook_event.rb
Defined Under Namespace
Classes: InvalidRequestSignatureError
Constant Summary
- SIGNATURE_REGEXP = /\At=(.+),v1=(.+)\z/.freeze
- SHA_256 = OpenSSL::Digest.new("sha256")
Class Method Summary
- .genuine?(request_body:, request_signature:, webhook_secret:) ⇒ Boolean
Checks if a webhook event you received was a genuine webhook event from Duffel by checking that it was signed with your shared secret.
Class Method Details
.genuine?(request_body:, request_signature:, webhook_secret:) ⇒ Boolean
Checks if a webhook event you received was a genuine webhook event from Duffel by checking that it was signed with your shared secret.
Assuming that you’ve kept that secret secure and only shared it with Duffel, this can give you confidence that a webhook event was genuinely sent by Duffel.
```ruby
# File 'lib/duffel_api/webhook_event.rb', line 28

def genuine?(request_body:, request_signature:, webhook_secret:)
  parsed_signature = parse_signature!(request_signature)

  calculated_hmac = calculate_hmac(
    payload: request_body,
    secret: webhook_secret,
    timestamp: parsed_signature[:timestamp],
  )

  secure_compare(calculated_hmac, parsed_signature[:v1])
rescue InvalidRequestSignatureError
  # If the signature doesn't even look like a valid one, then the webhook
  # event can't be genuine
  false
end
```
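The same parse, recompute and constant-time-compare flow as a stand-alone sketch, added here as an example and not taken from the DuffelAPI gem. It assumes the HMAC input is "<timestamp>.<raw body>" with a hex digest and that the timestamp is Unix seconds, neither of which this page shows; check_webhook, example_hmac, constant_time_eq?, MAX_AGE_SECONDS and the sample values are hypothetical names and constructed data. It goes one step beyond genuine? by also rejecting correctly signed events whose timestamp is too old.

```ruby
require "openssl"

SIGNATURE_REGEXP = /\At=(.+),v1=(.+)\z/.freeze # pattern listed on this page
MAX_AGE_SECONDS = 300 # assumption: replay window chosen for this example

# Assumption: the signed string is "<timestamp>.<raw body>", hex-encoded HMAC-SHA256.
def example_hmac(payload:, secret:, timestamp:)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("sha256"), secret, "#{timestamp}.#{payload}")
end

# Compares every byte regardless of where the first mismatch is, so response
# timing does not reveal how much of a forged signature was correct.
def constant_time_eq?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns :ok, :malformed, :bad_signature or :stale.
def check_webhook(raw_body:, signature_header:, secret:, now: Time.now.to_i)
  match = SIGNATURE_REGEXP.match(signature_header.to_s)
  return :malformed unless match

  timestamp, v1 = match.captures
  expected = example_hmac(payload: raw_body, secret: secret, timestamp: timestamp)
  return :bad_signature unless constant_time_eq?(expected, v1)

  # The timestamp is covered by the MAC, so it is only trusted after the MAC verifies.
  # Assumption: the timestamp is Unix seconds.
  fresh = timestamp.match?(/\A\d+\z/) && (now - timestamp.to_i).abs <= MAX_AGE_SECONDS
  fresh ? :ok : :stale
end

# Constructed sample values, not real Duffel data
SECRET = "example-webhook-secret"
BODY = '{"id":"evt_example","type":"order.created"}'
SENT_AT = "1700000000"
HEADER = "t=#{SENT_AT},v1=#{example_hmac(payload: BODY, secret: SECRET, timestamp: SENT_AT)}"

puts check_webhook(raw_body: BODY, signature_header: HEADER, secret: SECRET, now: SENT_AT.to_i + 5)
```

Pass the request body exactly as received: verifying a parsed and re-serialized body changes the bytes and the check fails even for a genuine event.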