Module: DuffelAPI::WebhookEvent

Defined in:
lib/duffel_api/webhook_event.rb

Defined Under Namespace

Classes: InvalidRequestSignatureError

Constant Summary

SIGNATURE_REGEXP =
/\At=(.+),v1=(.+)\z/.freeze
SHA_256 =
OpenSSL::Digest.new("sha256")

Class Method Summary

Class Method Details

.genuine?(request_body:, request_signature:, webhook_secret:) ⇒ Boolean

Checks if a webhook event you received was a genuine webhook event from Duffel by checking that it was signed with your shared secret.

Assuming that you’ve kept that secret secure and only shared it with Duffel, this can give you confidence that a webhook event was genuinely sent by Duffel.

Parameters:

  • request_body (String)

    The raw body of the received request

  • request_signature (String)

    The signature provided with the received request, found in the `X-Duffel-Signature` request header

  • webhook_secret (String)

    The secret of the webhook, registered with Duffel

Returns:

  • (Boolean)

    whether the webhook signature matches



# File 'lib/duffel_api/webhook_event.rb', line 28

def genuine?(request_body:, request_signature:, webhook_secret:)
  parsed_signature = parse_signature!(request_signature)

  calculated_hmac = calculate_hmac(
    payload: request_body,
    secret: webhook_secret,
    timestamp: parsed_signature[:timestamp],
  )

  secure_compare(calculated_hmac, parsed_signature[:v1])
rescue InvalidRequestSignatureError
  # If the signature doesn't even look like a valid one, then the webhook
  # event can't be genuine
  false
end
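
An added, stand-alone illustration of the check `genuine?` performs (not the gem's own code): it reuses `SIGNATURE_REGEXP` and SHA-256 from this page and shows why the raw request body must be verified, since a parsed and re-serialized body no longer matches the signature. Assumptions: the signed string is `"<timestamp>.<raw body>"` with a hex-encoded `v1`, and the names `sign`, `constant_time_equal?`, `webhook_signature_valid?` and all sample values are constructed for the example.

```ruby
require "openssl"
require "json"

# Both constants are taken from this page's constant summary.
SIGNATURE_REGEXP = /\At=(.+),v1=(.+)\z/.freeze
SHA_256 = OpenSSL::Digest.new("sha256")

# Assumption: v1 is the hex HMAC-SHA256 of "<timestamp>.<raw body>".
# The page does not show calculate_hmac, so this layout is illustrative.
def sign(body, secret, timestamp)
  OpenSSL::HMAC.hexdigest(SHA_256, secret, "#{timestamp}.#{body}")
end

# Compare without returning early at the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hypothetical stand-in for genuine?: a malformed header yields false.
def webhook_signature_valid?(raw_body:, signature_header:, secret:)
  match = SIGNATURE_REGEXP.match(signature_header.to_s)
  return false unless match

  timestamp, v1 = match.captures
  constant_time_equal?(sign(raw_body, secret, timestamp), v1)
end

# Constructed sample data: secret, body bytes and timestamp are made up.
SECRET = "constructed-secret"
RAW_BODY = %({"id": "constructed-1",  "type": "example"})
HEADER = "t=1700000000,v1=#{sign(RAW_BODY, SECRET, '1700000000')}"

def demo_results
  check = lambda do |body, header, secret|
    webhook_signature_valid?(raw_body: body, signature_header: header, secret: secret)
  end
  {
    raw_body: check.call(RAW_BODY, HEADER, SECRET),
    # Parsing and re-encoding changes whitespace, so the bytes differ.
    reserialized: check.call(JSON.generate(JSON.parse(RAW_BODY)), HEADER, SECRET),
    wrong_secret: check.call(RAW_BODY, HEADER, "other-secret"),
    malformed_header: check.call(RAW_BODY, "v1=deadbeef", SECRET),
  }
end

p demo_results if __FILE__ == $PROGRAM_NAME
```

In a web framework, read the body bytes before any JSON middleware parses them and pass those bytes to the verifier unchanged.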