Class: Twilio::Security::RequestValidator

Inherits:

Object

Object
Twilio::Security::RequestValidator

show all

Defined in:: lib/twilio-ruby/security/request_validator.rb

Instance Method Summary collapse

#build_hash_for(body) ⇒ String

Build a SHA256 hash for a body string.
#build_signature_for(url, params) ⇒ String

Build a SHA1-HMAC signature for a url and parameter hash.
#initialize(auth_token = nil) ⇒ RequestValidator constructor

Initialize a Request Validator.
#validate(url, params, signature) ⇒ Boolean

Validates that after hashing a request with Twilio’s request-signing algorithm (www.twilio.com/docs/usage/security#validating-requests), the hash matches the signature parameter.

Constructor Details

#initialize(auth_token = nil) ⇒ `RequestValidator`

Initialize a Request Validator. auth_token will either be grabbed from the global Twilio object or you can pass it in here.

Parameters:

auth_token (String) (defaults to: nil) —

Your account auth token, used to sign requests

Raises:

(ArgumentError)

# File 'lib/twilio-ruby/security/request_validator.rb', line 11

def initialize(auth_token = nil)
  @auth_token = auth_token || Twilio.auth_token
  raise ArgumentError, 'Auth token is required' if @auth_token.nil?
end

Instance Method Details

#build_hash_for(body) ⇒ `String`

Build a SHA256 hash for a body string

Parameters:

body (String) —

String to hash

Returns:

(String) —

A hex-encoded SHA256 of the body string

# File 'lib/twilio-ruby/security/request_validator.rb', line 46

def build_hash_for(body)
  hasher = OpenSSL::Digest.new('sha256')
  hasher.hexdigest(body)
end

#build_signature_for(url, params) ⇒ `String`

Build a SHA1-HMAC signature for a url and parameter hash

Parameters:

url (String) —

The request url, including any query parameters
params (#join) —

The POST parameters

Returns:

(String) —

A base64 encoded SHA1-HMAC

# File 'lib/twilio-ruby/security/request_validator.rb', line 58

def build_signature_for(url, params)
  data = url + params.sort.join
  digest = OpenSSL::Digest.new('sha1')
  Base64.encode64(OpenSSL::HMAC.digest(digest, @auth_token, data)).strip
end

#validate(url, params, signature) ⇒ `Boolean`

Validates that after hashing a request with Twilio’s request-signing algorithm (www.twilio.com/docs/usage/security#validating-requests), the hash matches the signature parameter

Parameters:

url (String) —

The url sent to your server, including any query parameters
params (String, Hash, #to_unsafe_h) —

In most cases, this is the POST parameters as a hash. If you received a bodySHA256 parameter in the query string, this parameter can instead be the POST body as a string to validate JSON or other text-based payloads that aren’t x-www-form-urlencoded.
signature (String) —

The expected signature, from the X-Twilio-Signature header of the request

Returns:

(Boolean) —

whether or not the computed signature matches the signature parameter

# File 'lib/twilio-ruby/security/request_validator.rb', line 27

def validate(url, params, signature)
  params_hash = body_or_hash(params)
  if params_hash.is_a? Enumerable
    expected = build_signature_for(url, params_hash)
    secure_compare(expected, signature)
  else
    expected_signature = build_signature_for(url, {})
    body_hash = URI.decode_www_form(URI(url).query).to_h['bodySHA256']
    expected_hash = build_hash_for(params)
    secure_compare(expected_signature, signature) && secure_compare(expected_hash, body_hash)
  end
end

Class: Twilio::Security::RequestValidator

Instance Method Summary collapse

Constructor Details

#initialize(auth_token = nil) ⇒ RequestValidator

Instance Method Details

#build_hash_for(body) ⇒ String

#build_signature_for(url, params) ⇒ String

#validate(url, params, signature) ⇒ Boolean

#initialize(auth_token = nil) ⇒ `RequestValidator`

#build_hash_for(body) ⇒ `String`

#build_signature_for(url, params) ⇒ `String`

#validate(url, params, signature) ⇒ `Boolean`