Module: SignedRequest

Defined in:

lib/signed_request.rb

Constant Summary

STRIP_PARAMS =

['action', 'controller', 'format']

Class Method Summary

• .sign(params, secret_key, options = {}) ⇒ Object

  Sign a request on the sending end.

• .validate(params, secret_key, sign_options = {}) ⇒ Object

  Validate an incoming request on the receiving end.

Class Method Details

.sign(params, secret_key, options = {}) ⇒ Object

Sign a request on the sending end.

# File 'lib/signed_request.rb', line 9

def self.sign(params, secret_key, options = {})
  params = params.dup

  # Flatten any sub-hashes to a single string.
  params.keys.each do |key|
    if params[key].is_a?(Hash)
      params[key] = params[key].sort_by { |k, v| k.to_s.downcase }.to_s
    end
  end

  query   = params.sort_by { |k,v| k.to_s.downcase }
  string_to_sign = options[:path].to_s + query.to_s

  digest  = OpenSSL::Digest::Digest.new('sha1')
  hmac    = OpenSSL::HMAC.digest(digest, secret_key, string_to_sign)
  encoded = Base64.encode64(hmac).chomp
end

.validate(params, secret_key, sign_options = {}) ⇒ Object

Validate an incoming request on the receiving end.

# File 'lib/signed_request.rb', line 28

def self.validate(params, secret_key, sign_options = {})
  signature = params.delete('signature') || params.delete(:signature)
  return false if !signature

  strip_keys_from!(params, *STRIP_PARAMS)
  actual_signature = sign(params, secret_key, sign_options)
  actual_signature == signature
end