Module: DuffelAPI::WebhookEvent

Defined in:
lib/duffel_api/webhook_event.rb

Defined Under Namespace

Classes: InvalidRequestSignatureError

Constant Summary collapse

SIGNATURE_REGEXP =
/\At=(.+),v1=(.+)\z/.freeze
SHA_256 =
OpenSSL::Digest.new("sha256")

Class Method Summary collapse

Class Method Details

.genuine?(request_body:, request_signature:, webhook_secret:) ⇒ Boolean

Checks if a webhook event you received was a genuine webhook event from Duffel by checking that it was signed with your shared secret.

Assuming that you've kept that secret secure and only shared it with Duffel, this can give you confidence that a webhook event was genuinely sent by Duffel.

Parameters:

  • request_body (String)

    The raw body of the received request

  • request_signature (String)

    The signature provided with the received request, found in the `X-Duffel-Signature` request header

  • webhook_secret (String)

    The secret of the webhook, registered with Duffel

Returns:

  • (Boolean)

    whether the webhook signature matches


28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# File 'lib/duffel_api/webhook_event.rb', line 28

def genuine?(request_body:, request_signature:, webhook_secret:)
  parsed_signature = parse_signature!(request_signature)

  calculated_hmac = calculate_hmac(
    payload: request_body,
    secret: webhook_secret,
    timestamp: parsed_signature[:timestamp],
  )

  secure_compare(calculated_hmac, parsed_signature[:v1])
rescue InvalidRequestSignatureError
  # If the signature doesn't even look like a valid one, then the webhook
  # event can't be genuine
  false
end