Rails: Cannot match webhook signature in json response - ruby-on-rails

I need to be able to verify the signature of a webhook but I cannot seem to match the value correctly. The tool I'm using provides the expected signature as a URL param with the request:
YOUR_CALLBACK_URL?signature=ofdiwefjojiefwojowefoi
# www.websitename.com?signature=ofdiwefjojiefwojowefoi
They state that the way they generate the signature is:
The signature is generated using an HMAC-SHA-256 base64 digest of the raw HTTP Body of the Webhook post using this Webhook secret.
You can generate the signature in php as follows:
$request_body = file_get_contents('php://input');
$s = hash_hmac('sha256', $request_body, 'mySecret', true);
echo base64_encode($s);
In my app, I attempt to generate a matching signature by doing the following:
key = ENV['ESIGNGENIE_SECRET']
data = params.to_json
signature = Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, data)).strip()
return signature == params["signature"]
This seems to always be wrong. Am I doing something wrong here? I can't tell if I'm encountering issues due to the way Rails parses the json object or what.

After doing some research I realized that my mistake was trying to use params to generate the signature when I should have used request.body.read. It should look like the following:
key = ENV['ESIGNGENIE_SECRET']
data = request.body.read
signature = Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, data)).strip()
return signature == params["signature"]

Related

Path parameters being passed as a String with comma not read properly in rest assured

I have a code where I am passing path parameters in the GET request in Rest Assured. But I see the path parameters aren't read properly and I see some gibberish text being read. Actually the String I am passing as path parameter contains a comma in it. Below is my code.
ValidatableResponse response = given().header("Authorization", token).header("Content-type", "application/json")
.when().log().all().pathParam("CalendarId", testCaseBean.getCalendarId().toString())
.queryParam("from", testCaseBean.getStartDate()).queryParam("to", testCaseBean.getEndDate())
.queryParam("monthEnd", testCaseBean.getMonthEndBusinessDay())
.get(EndPoint.GET_CALENDAR_BUSINESS_DAY_INFO_DATE_PARAM).then().log().all();
The path param I am passing is "AUS,EUR" and it is being read as AUS%2CEUR. I am passing this path parameter as test data from the CSV file. Below is the request being formed on the console.
https://portculation-qa.us-east-1.m5435454345.easn.mss.com/master-data/v1/calendars/AUS%2CEUR?from=2022-11-01&to=2022-11-01&monthEnd=false
My expected request URI is https://portculation-qa.us-east-1.m5435454345.easn.mss.com/master-data/v1/calendars/AUS,EUR?from=2022-11-01&to=2022-11-01&monthEnd=false
You can see the only difference in the expected and actual URI is the gibberish path param which isn't read properly. Any solution to tackle this issue?
Try adding this:
.urlEncodingEnabled(false)
RestAssured.given()
.contentType(JSON)
.log()
.all()
.urlEncodingEnabled(false)
or:
RestAssured.urlEncodingEnabled = false;
By default it set to true.

Issue making JWT token for use with Rails and rest-client gem

I'm new to Rails and I'm using rest-client to make outbound requests. It's easy to get successful results for a simple call like this:
#obj = RestClient.get 'https://jsonplaceholder.typicode.com/posts/1'
I need to hit a real endpoint and send a header with a jwt token (using ruby-jwt). According to the JWT readme, the content of the header should look like this:
Authorization: Bearer <token>
So I have some code to use a secret to make that token (and I confirmed the resulting token is valid) and put it into a headers variable, but I'm unsure about the syntax on that headers line, and whether it's right to use strings:
def build_headers (secret)
jwt_token = make_signed_JWT_token(secret)
headers = ("Authorization: Bearer "+ jwt_token)
return headers
end
Running it produces a 'headers' value like this:
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJleHAiOjE1MzIxMTc3MjF9.dP2k1oPwjna5HdrnFeSqiVfR0Fz6J1ZlupfXMsPtFKw
I include that in my rest-client invocation like so:
#obj = RestClient.get(path, headers)
I'm no longer get a 401 Unauthorized error, but no celebrating yet; we appear to jump out of the code block at that line, with this exception:
undefined method `delete_if' for #<String:0x007f9e4de410b8>
Looking in the rest-client code, there is exactly one block that uses delete_if, whose purpose is to find and extract/remove "params" key if the value is a Hash/ParamsArray:
headers.delete_if do |key, value|
if key.to_s.downcase == 'params' &&
(value.is_a?(Hash) || value.is_a?(RestClient::ParamsArray))
if url_params
raise ArgumentError.new("Multiple 'params' options passed")
end
url_params = value
true
else
false
end
So my error suggests that it found something in this forbidden format and is trying to delete it, but that delete method isn't defined to act on a String. My best hunch is that there's something the matter with that headers item I created, but reading around I'm not finding more clues. Has anyone seen this before, or know if my jwt/header should be different?
You are passing a string where a hash is expected. Try this:
def build_headers (secret)
jwt_token = make_signed_JWT_token(secret)
headers = { authorization: "Bearer "+ jwt_token }
return headers
end

ruby-saml SAMLRequest as POST instead of GET

I am starting to use ruby-saml for one of the projects. IDP that I am using is expecting POST for authentication request with HTTP body containing SAMLRequest. Looking at the source code for authrequest.rb, create method can only do GET instead of POST.
I decided to call the create_params and get the base64 token which I can use from my view to do a POST.
When I use the following code
params = {}
request = OneLogin::RubySaml::Authrequest.new
token = request.create_params(saml_settings, params)
p token
p token["SAMLRequest"]
p decode(token["SAMLRequest"])
When i try base64decode.org or call the decode method, I get encoding for is not correct.
1) Can I do a POST instead of a GET?
2) What am I doing wrong in creating the request for it to be bad encoding?
thanks
1) Can I do a POST instead of a GET?
Yes, but support POST-binding is not just replace GET parameters by POST parameters...the signature on POST-binding is embed on the SAML message and is not another GET parameter.
2) What am I doing wrong in creating the request for it to be bad encoding?
thanks
The AuthNRequest is not only base64encoded, but also deflated.
Try use Base64 Decode + Inflate
You will find that thread interesting:
https://github.com/onelogin/ruby-saml/issues/124

Twitter Application Only Auth

I'm trying to get an Application Only Auth token following the steps of this link:
https://dev.twitter.com/docs/auth/application-only-auth
I'm using Ruby on Rails and Rest Client to make the POST request needed and I'm setting the headers (I think) properly.
The step-by-step says:
URL encode the consumer key and the consumer secret according to RFC
1738. Note that at the time of writing, this will not actually change the consumer key and secret, but this step should still be performed
in case the format of those values changes in the future.
Concatenate the encoded consumer key, a colon character ":", and the
encoded consumer secret into a single string.
Base64 encode the string from the previous step.
And my code is:
require 'rest_client'
key = URI::encode('app_key')
secret = URI::encode('app_secret')
encoded = Base64.encode64("#{key}:#{secret}")
res = RestClient::Resource.new "https://api.twitter.com/oauth2/token/"
response = ''
options = {}
options['Authorization'] = "Basic #{encoded}"
options['Content-Type'] = 'application/x-www-form-urlencoded;charset=UTF-8'
res.post('grant_type=client_credentials', options) do |response, request, result|
response << "#{CGI::escapeHTML(response.inspect)}<br /><br />"
response << "#{CGI::escapeHTML(request.inspect)}<br /><br />"
response << "#{CGI::escapeHTML(result.inspect)}<br />"
end
render :text => txt
And I print out this:
"{\"errors\":[{\"label\":\"authenticity_token_error\",\"code\":99,\"message\":\"Unable to verify your credentials\"}]}"
#<RestClient::Request:0x9ece5d8 #method=:post, #headers={"Authorization"=>"Basic bXlfa2V5Om15X3NlY3JldA==\n", "Content-Type"=>"application/x-www-form-urlencoded;charset=UTF-8"}, #url="https://api.twitter.com/oauth2/token/", #cookies={}, #payload="", #user=nil, #password=nil, #timeout=nil, #open_timeout=nil, #block_response=nil, #raw_response=false, #verify_ssl=false, #ssl_client_cert=nil, #ssl_client_key=nil, #ssl_ca_file=nil, #tf=nil, #max_redirects=10, #processed_headers={"Accept"=>"*/*; q=0.5, application/xml", "Accept-Encoding"=>"gzip, deflate", "Authorization"=>"Basic bXlfa2V5Om15X3NlY3JldA==\n", "Content-Type"=>"application/x-www-form-urlencoded;charset=UTF-8", "Content-Length"=>"29"}, #args={:method=>:post, :url=>"https://api.twitter.com/oauth2/token/", :payload=>"grant_type=client_credentials", :headers=>{"Authorization"=>"Basic bXlfa2V5Om15X3NlY3JldA==\n", "Content-Type"=>"application/x-www-form-urlencoded;charset=UTF-8"}}>
#<Net::HTTPForbidden 403 Forbidden readbody=true>
My key and secret are valid.
Am I missing something?
Thanks!
EDIT:
Updating with the solution I've found.
The problem was on the Base64 convertion and string encoding.
I had to add a forced encoding parameter to the key+secret combination, for UTF-8 convertion:
encoded = Base64.encode64("#{key}:#{secret}".force_encoding('UTF-8'))
The Rails Base64.encode64 inserts a line break every 60 encoded characters.
The workaround was:
For Ruby 1.9+ (strict_ was included in Ruby 1.9)
Base64.strict_encode64(string)
For Ruby 1.9-
Base64.encode64(string).gsub('/\n/') # To remove the line break
Are you trying to implement Authorization with Tweeter (as OAuth Provider). Instead of writing it from the scratch following the API documentation, I would suggest to use OmniAuth. The setup & boilerplate code is fairly easy to use.
Read more about it at http://www.omniauth.org/ & https://github.com/intridea/omniauth/wiki
Let us know, if that helped you or not.

Convert Rails Net::HTTP request to MD5 Hex Digest

In order to use a third-party API, I need to encode the Net::HTTP::Post request as an MD5 hex digest, which is then used as part of the signature. However, when I try to simply Digest::MD5.hexdigest(req), it throws a "Cannot convert to string error", and when I explicitly req.to_s, it just gives the MD5 of #<Net::HTTP::Post:0x112a0eef8>
I'm simply:
request = Net::HTTP::Post.new(url.path)
request.body = {
"key" => "val"
}.to_json
# later...
hexDigest = Digest::MD5.hexdigest(request)
which is the documented spec, I think: "[with the] JSON body containing the new information."
This is the relevant sample Java code they supply:
ByteArrayOutputStream requestOutputStream = new ByteArrayOutputStream();
httpMethod.getEntity().writeTo(requestOutputStream);
DigestUtils.md5Hex(requestOutputStream.toByteArray()).toLowerCase();
Any ideas?
Thanks!
Try to call 'to_s' method explicitly, it should help:
hexDigest = Digest::MD5.hexdigest(request.to_s)
The equivalent ruby code for those lines is:
OpenSSL::Digest::MD5.hexdigest(request.body)
httpMethod.getEntity() will return the json defined as the request body.
requestOutputStream.toByteArray() will return the array of bytes corresponding to the request body.

Resources