OStatus2

Gem Version Build Status Dependency Status

A Ruby toolset for interacting with the OStatus suite of protocols:

  • Subscribing to and publishing feeds via PubSubHubbub
  • Interacting with feeds via Salmon

Installation

gem install ostatus2

Usage

When your feed updates and you need to notify subscribers:

p = OStatus2::Publication.new('http://url.to/feed', ['http://some.hub'])
p.publish

When you want to subscribe to a feed:

token  = 'abc123'
secret = 'def456'

s = OStatus2::Subscription.new('http://url.to/feed', token: token, secret: secret, webhook: 'http://url.to/webhook', hub: 'http://some.hub')
s.subscribe

Your webhook URL will receive a HTTP GET request that you will need to handle:

if s.valid?(params['hub.topic'], params['hub.verify_token'])
  # echo back params['hub.challenge']
else
  # return 404
end

Once the subscription is established, your webhook URL will be receiving HTTP POST requests. Among the headers of such a request will be the hub's signature on the content: X-Hub-Signature. You can verify the integrity of the request:

body      = request.body.read
signature = request.env['HTTP_X_HUB_SIGNATURE']

if s.verify(body, signature)
  # Do something with the data!
end

When you want to notify a remote resource about an interaction (like a comment):

your_rsa_keypair = OpenSSL::PKey::RSA.new 2048

salmon   = OStatus2::Salmon.new
envelope = salmon.pack(comment, your_rsa_keypair)

salmon.post('http://remote.salmon/endpoint', envelope)

When you receive a Salmon notification about a remote interaction:

salmon  = OStatus2::Salmon.new
comment = salmon.unpack(envelope)

# Parse comment and determine who the remote author is pretending to be,
# fetch their public key via Webfinger or something like that, and finally

if salmon.verify(envelope, remote_public_key)
  # You can be sure the salmon is genuine
end