【问题标题】:How to verify a webhook with Ruby? (In Rails)如何使用 Ruby 验证 webhook? (在 Rails 中)
【发布时间】:2019-08-10 18:42:39
【问题描述】:

我想了解如何使用 Ruby 验证 Paddle webhook? Their example has an option on how to do it with PHP, Python and JavaScript, but no Ruby.关于如何做的任何想法?

以下旧示例不起作用:

require 'base64'
require 'php_serialize'
require 'openssl'


public_key = '-----BEGIN PUBLIC KEY-----
MIICIjANBgkqh...'

# 'data' represents all of the POST fields sent with the request.
# Get the p_signature parameter & base64 decode it.
signature = Base64.decode64(data['p_signature'])

# Remove the p_signature parameter
data.delete('p_signature')

# Ensure all the data fields are strings
data.each {|key, value|data[key] = String(value)}

# Sort the data
data_sorted = data.sort_by{|key, value| key}

# and serialize the fields
# serialization library is available here: https://github.com/jqr/php-serialize
data_serialized = PHP.serialize(data_sorted, true)

# verify the data
digest    = OpenSSL::Digest::SHA1.new
pub_key   = OpenSSL::PKey::RSA.new(public_key).public_key
verified  = pub_key.verify(digest, signature, data_serialized)

if verified
    puts "Yay! Signature is valid!"
else
    puts "The signature is invalid!"
end

这里是 JS 中的their example

// Node.js & Express implementation
const express = require('express');
const querystring = require('querystring');
const crypto = require('crypto');
const Serialize = require('php-serialize');

const router = express.Router();
const pubKey = `-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----`

function ksort(obj){
    let keys = Object.keys(obj).sort();
    let sortedObj = {};

    for (var i in keys) {
      sortedObj[keys[i]] = obj[keys[i]];
    }

    return sortedObj;
  }

function validateWebhook(jsonObj) {
    const mySig = Buffer.from(jsonObj.p_signature, 'base64');
    delete jsonObj.p_signature;
    // Need to serialize array and assign to data object
    jsonObj = ksort(jsonObj);
    for (var property in jsonObj) {
        if (jsonObj.hasOwnProperty(property) && (typeof jsonObj[property]) !== "string") {
            if (Array.isArray(jsonObj[property])) { // is it an array
                jsonObj[property] = jsonObj[property].toString();
            } else { //if its not an array and not a string, then it is a JSON obj
                jsonObj[property] = JSON.stringify(jsonObj[property]);
            }
        }
    }
    const serialized = Serialize.serialize(jsonObj);
    // End serialize data object
    const verifier = crypto.createVerify('sha1');
    verifier.update(serialized);
    verifier.end();

    let verification = verifier.verify(pubKey, mySig);

    if (verification) {
        return 'Yay! Signature is valid!';
    } else {
        return 'The signature is invalid!';
    }
}

/* Validate a Paddle webhook to this endpoint, or wherever in your app you are listening for Paddle webhooks */
router.post('/', function(req, res, next) {
    res.send(validateWebhook(req.body));
});

module.exports = router;

如何使用 Ruby 验证 webhook?是否有其他方法来验证 webhook?

这是一个示例 webhook 请求:

(
    [alert_name] => subscription_created
    [cancel_url] => https://checkout.paddle.com/subscription/cancel?user=4&subscription=8&hash=b0bd354fexamplec39b0ff93c917804acf
    [checkout_id] => 1-61ff5b400-756ea301a9
    [currency] => USD
    [email] => wleffler@example.net
    [event_time] => 2019-08-10 18:33:58
    [marketing_consent] => 
    [next_bill_date] => 2019-08-18
    [passthrough] => 1132
    [quantity] => 67
    [status] => active
    [subscription_id] => 4
    [subscription_plan_id] => 5
    [unit_price] => unit_price
    [update_url] => https://checkout.paddle.com/subscription/update?user=5&subscription=4&hash=e937ed03f1637e45d912f4f4d293a
    [user_id] => 6
    [p_signature] => HM2Isn1k6Sy1cKySQGoFH...
)

编辑:

我正在使用 Ruby 2.5.5 和 Ruby on Rails 5。目前最终仍然总是“错误”。我将在我的控制台上完成它:

这是我在 Rails 中获得的(假)数据:

data = {
"alert_id"=>"1", 
"alert_name"=>"alert_created", 
"cancel_url"=>"https://...", 
"checkout_id"=>"1", 
"user_id"=>"1", 
"p_signature"=>"fwWXqR9C..."
} 

public_key = '-----BEGIN PUBLIC KEY-----sDFKJSD2332FKJLWJF......'

然后我执行以下操作:

signature = Base64.decode64(data['p_signature'])

data.delete('p_signature')

data.each {|key, value|data[key] = String(value)}

data_sorted = data.sort_by{|key, value| key}

data_serialized = data_sorted.to_json

digest    = OpenSSL::Digest::SHA1.new

pub_key   = OpenSSL::PKey::RSA.new(public_key)

verified  = pub_key.verify(digest, signature, data_serialized)

最后verified总是false。我究竟做错了什么?

【问题讨论】:

    标签: javascript php ruby-on-rails ruby webhooks


    【解决方案1】:

    您提到的 Ruby 示例不起作用,因为您需要获取数据变量。这必须从控制器发送到处理请求的某个类。

    试试这个:

    在 routes.rb 中

    get 'check', to: 'test#check'

    在控制器中

    class TestController < ApplicationController
    
      def check
        verification = SignatureVerifier.new(check_params.as_json)
        if verification
          #... do something
        end
      end
    
      private
    
      def check_params
        params.permit.all
      end
    end
    

    在验证器类中

    require 'base64'
    require 'json'
    require 'openssl'
    
    class SignatureVerifier
    
      def initialize(data)
        @data = data
        @public_key_path = '/path/to/file'
      end
    
      #data = {
      #  "alert_name": "payment_succeeded",
      #  "balance_currency": "USD",
      #  "balance_earnings": 355.05,
      #  "balance_fee": 177.36,
      #  "balance_gross": 180.85,
      #  "balance_tax": 433.43,
      #  "checkout_id": "4-601ee0e3d793922-ab8910b010",
      #  "currency": "USD",
      #  "customer_name": "customer_name",
      #  "earnings": 292.87,
      #  "product_name": "Example",
      #  "quantity": 12,
      #  "p_signature": "dl8PN7OrxiYHSJzT3CLUDlElodOE2j8puZkDNPHX9rZnTgig123f4KhtUXZT/HjbU5D7g/PZggxSCt9YrMcWrbSkfINJROTb+YrlhYKAVyTbmMWJV8u+YU6VcGNkhcGK7tIZNBJuaKMBrByrYA14gR3TvMjgXbQWNSFJ8LgJKMWoovbpuOkQwzkKze4vavt3WhElW0izPZwpiqVWTVXAlIvDxHTNT+sS1jXqAHdoli6sVblQQtAujSxdGm2OXB92yifcV0oHhrsqt8rCk1TzJOqsVrhQz1lqSYsbdhlM40QPHM7nHPGe5RITly4t8BjsuCB+V1aeof3N5A0ZDk+2M2Cox6S+vEahEdbW8QdecIKN12SMAYI5kx9zMMiUZ9XZqqC6orXE3uVAcTvMwiTRDDmEVr1HtsBZRo/Ykg7+fMYPc/o7rDpA16/EIOcce1zp+vgilL6rSxIuMFfWlP9qxzrV1MtcmQa86NxEU0GJtebkhehXZfh/eDCAjysmrrBM5xkqE19M+Ye4jZCRTzQTHyDJxjdNYefk7bVfivwRI606JJCGYUMTD6NIsn4rinw2SxKkZquqjTykcob5gn3HH+0AxyjuDj7fsLyqEl3gE9tgo/oMKRBy+zsYzQk4v291sh2PbUfH36W4aL4YYztlsarfMIBWqJshc8rf0RL3pAM="
      #}
    
      def verify
        data = @data
        signature = Base64.decode64(data[:p_signature])
    
        # Remove the p_signature parameter
        data.delete(:p_signature)
    
        # Ensure all the data fields are strings
        data.each {|key, value|data[key] = String(value)}
    
        # Sort the data
        data_sorted = data.sort_by{|key, value| key}
    
        # Serialized with JSON library
        data_serialized = data_sorted.to_json
    
        # verify the data
        digest    = OpenSSL::Digest::SHA1.new
        pub_key   = OpenSSL::PKey::RSA.new(File.read(@public_key_path))
        verified  = pub_key.verify(digest, signature, data_serialized)
    
        verified
      end
    end
    

    【讨论】:

    • 当你完成实现后,你应该使用 Paddle 提供的 Webhook 模拟器。这是链接:vendors.paddle.com/webhook-alert-test
    • 感谢您的回答,古斯塔沃!我有那部分工作,并且还成功使用了 webhook 模拟器。我认为问题出在github.com/jqr/php-serialize 我想要一个纯 Ruby 解决方案,所以我不需要为此部分使用过时的 gem data_serialized = PHP.serialize(data_sorted, true)
    • @userden 我做了一些更改,现在 php_serialize 不见了。检查此解决方案。
    • 谢谢@gustavo-toro!我测试了你的解决方案。我对 Ruby on Rails 如何处理请求(参数)有疑问。我在问题的底部添加了更新。
    • 只需替换控制器verification = SignatureVerifier.new(check_params.as_json)中的这一行
    【解决方案2】:

    如果这对将来的任何人有帮助。以下代码为我解决了问题。

    [1] 将此添加到处理 API 集成/webhook 的控制器类中:

      # main Paddle end-point for paddle generated webhook events
      def paddle
       
        if PaddleWebhooks.verify_paddle_authenticity(params.as_json)
            msg= 'Yay! Signature is valid!:' + params.to_s
        else
            msg= 'The signature is invalid!:' + params.to_s
        end
        
        render json: msg.to_json, status: :ok
      end
    

    Paddle 期望 webhooks 处理程序返回状态码 200 (:ok)。我们还添加了要返回到 Paddle 的 webhook 模拟器的 msg,以便您可以检查从它们那里收到的内容(及其结构)。一旦你投入生产,你当然可以删除它。

    [2] 将 php_serialize gem 添加到您的 gemfile 中

    # Use for verifying Paddle's webhooks
    gem "php-serialize"
    

    [3] 创建一个支持类:

    class PaddleWebhooks
      require 'base64'
      require 'php_serialize'
      require 'openssl'
    
      def self.verify_paddle_authenticity(data)
           
        // PADDLE_PUBLIC_KEY should have your paddle provided key as a single line
        // and without the  "-----BEGIN PUBLIC KEY-----" and 
        // "-----END PUBLIC KEY-----"  strings
        public_key =ENV['PADDLE_PUBLIC_KEY']
          
        signature = Base64.decode64(data['p_signature'])
    
        # Remove the p_signature parameter as per Paddle's instructions
        data.delete('p_signature')
        # Remove also from the data the controller and action (key,value) pairs
        data.delete('controller')
        data.delete('action')
    
        # Ensure all the data fields are strings
        data.each {|key, value|data[key] = String(value)}
    
        # Sort the data
        data_sorted = data.sort_by{|key, value| key}
    
        # Serialized with JSON library
        data_serialized = PHP.serialize(data_sorted, true)
    
        # verify the data
        digest    = OpenSSL::Digest::SHA1.new
        pub_key = OpenSSL::PKey::RSA.new(Base64.decode64(public_key))
        verified  = pub_key.verify(digest, signature, data_serialized)
    
        verified  
      end
    
    
    end
    

    【讨论】:

      猜你喜欢
      • 1970-01-01
      • 2014-03-16
      • 1970-01-01
      • 2023-01-31
      • 1970-01-01
      • 2013-01-04
      • 1970-01-01
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多