Class: Twilio::Security::RequestValidator

Inherits:

Object

• Object
• Twilio::Security::RequestValidator

Defined in:

lib/twilio-ruby/security/request_validator.rb

Instance Method Summary

• #build_hash_for(body) ⇒ String

  Build a SHA256 hash for a body string.

• #build_signature_for(url, params) ⇒ String

  Build a SHA1-HMAC signature for a url and parameter hash.

• #initialize(auth_token = nil) ⇒ RequestValidator constructor

  Initialize a Request Validator.

• #validate(url, params, signature) ⇒ Boolean

  Validates that after hashing a request with Twilio’s request-signing algorithm (www.twilio.com/docs/usage/security#validating-requests), the hash matches the signature parameter.

Constructor Details

#initialize(auth_token = nil) ⇒ RequestValidator

Initialize a Request Validator. auth_token will either be grabbed from the global Twilio object or you can pass it in here.

Parameters:

• auth_token (String) (defaults to: nil) —

  Your account auth token, used to sign requests

Raises:

• (ArgumentError)

# File 'lib/twilio-ruby/security/request_validator.rb', line 11

def initialize(auth_token = nil)
  @auth_token = auth_token || Twilio.auth_token
  raise ArgumentError, 'Auth token is required' if @auth_token.nil?
end

Instance Method Details

#build_hash_for(body) ⇒ String

Build a SHA256 hash for a body string

Parameters:

• body (String) —

  String to hash

Returns:

• (String) —

  A hex-encoded SHA256 of the body string

# File 'lib/twilio-ruby/security/request_validator.rb', line 55

def build_hash_for(body)
  hasher = OpenSSL::Digest.new('sha256')
  hasher.hexdigest(body)
end

#build_signature_for(url, params) ⇒ String

Build a SHA1-HMAC signature for a url and parameter hash

Parameters:

• url (String) —

  The request url, including any query parameters

• params (#join) —

  The POST parameters

Returns:

• (String) —

  A base64 encoded SHA1-HMAC

# File 'lib/twilio-ruby/security/request_validator.rb', line 67

def build_signature_for(url, params)
  data = url + params.sort.join
  digest = OpenSSL::Digest.new('sha1')
  Base64.strict_encode64(OpenSSL::HMAC.digest(digest, @auth_token, data))
end

#validate(url, params, signature) ⇒ Boolean

Validates that after hashing a request with Twilio’s request-signing algorithm (www.twilio.com/docs/usage/security#validating-requests), the hash matches the signature parameter

Parameters:

• url (String) —

  The url sent to your server, including any query parameters

• params (String, Hash, #to_unsafe_h) —

  In most cases, this is the POST parameters as a hash. If you received a bodySHA256 parameter in the query string, this parameter can instead be the POST body as a string to validate JSON or other text-based payloads that aren’t x-www-form-urlencoded.

• signature (String) —

  The expected signature, from the X-Twilio-Signature header of the request

Returns:

• (Boolean) —

  whether or not the computed signature matches the signature parameter

# File 'lib/twilio-ruby/security/request_validator.rb', line 27

def validate(url, params, signature)
  parsed_url = URI(url)
  url_with_port = add_port(parsed_url)
  url_without_port = remove_port(parsed_url)

  valid_body = true # default succeed, since body not always provided
  params_hash = body_or_hash(params)
  unless params_hash.is_a? Enumerable
    body_hash = URI.decode_www_form(parsed_url.query || '').to_h['bodySHA256']
    params_hash = build_hash_for(params)
    valid_body = !(params_hash.nil? || body_hash.nil?) && secure_compare(params_hash, body_hash)
    params_hash = {}
  end

  # Check signature of the url with and without port numbers
  # since signature generation on the back end is inconsistent
  valid_signature_with_port = secure_compare(build_signature_for(url_with_port, params_hash), signature)
  valid_signature_without_port = secure_compare(build_signature_for(url_without_port, params_hash), signature)

  valid_body && (valid_signature_with_port || valid_signature_without_port)
end