我想了解如何使用 Ruby 验证 Paddle webhook? 他们的示例提供了如何使用 PHP、Python 和 JavaScript 来实现这一点的选项,但没有 Ruby。 关于如何实现它有什么想法吗?
以下旧示例不起作用:
require 'base64'
require 'php_serialize'
require 'openssl'
public_key = '-----BEGIN PUBLIC KEY-----
MIICIjANBgkqh...'
# 'data' represents all of the POST fields sent with the request.
# Get the p_signature parameter & base64 decode it.
signature = Base64.decode64(data['p_signature'])
# Remove the p_signature parameter
data.delete('p_signature')
# Ensure all the data fields are strings
data.each {|key, value|data[key] = String(value)}
# Sort the data
data_sorted = data.sort_by{|key, value| key}
# and serialize the fields
# serialization library is available here: https://github.com/jqr/php-serialize
data_serialized = PHP.serialize(data_sorted, true)
# verify the data
digest = OpenSSL::Digest::SHA1.new
pub_key = OpenSSL::PKey::RSA.new(public_key).public_key
verified = pub_key.verify(digest, signature, data_serialized)
if verified
puts "Yay! Signature is valid!"
else
puts "The signature is invalid!"
end
这是 JS 中的他们的例子:
// Node.js & Express implementation
const express = require('express');
const querystring = require('querystring');
const crypto = require('crypto');
const Serialize = require('php-serialize');
const router = express.Router();
const pubKey = `-----BEGIN PUBLIC KEY-----
...
-----END PUBLIC KEY-----`
function ksort(obj){
let keys = Object.keys(obj).sort();
let sortedObj = {};
for (var i in keys) {
sortedObj[keys[i]] = obj[keys[i]];
}
return sortedObj;
}
function validateWebhook(jsonObj) {
const mySig = Buffer.from(jsonObj.p_signature, 'base64');
delete jsonObj.p_signature;
// Need to serialize array and assign to data object
jsonObj = ksort(jsonObj);
for (var property in jsonObj) {
if (jsonObj.hasOwnProperty(property) && (typeof jsonObj[property]) !== "string") {
if (Array.isArray(jsonObj[property])) { // is it an array
jsonObj[property] = jsonObj[property].toString();
} else { //if its not an array and not a string, then it is a JSON obj
jsonObj[property] = JSON.stringify(jsonObj[property]);
}
}
}
const serialized = Serialize.serialize(jsonObj);
// End serialize data object
const verifier = crypto.createVerify('sha1');
verifier.update(serialized);
verifier.end();
let verification = verifier.verify(pubKey, mySig);
if (verification) {
return 'Yay! Signature is valid!';
} else {
return 'The signature is invalid!';
}
}
/* Validate a Paddle webhook to this endpoint, or wherever in your app you are listening for Paddle webhooks */
router.post('/', function(req, res, next) {
res.send(validateWebhook(req.body));
});
module.exports = router;
如何使用 Ruby 验证 Webhook?是否有其他方法来验证 webhook?
这是一个 Webhook 请求示例:
(
[alert_name] => subscription_created
[cancel_url] => https://checkout.paddle.com/subscription/cancel?user=4&subscription=8&hash=b0bd354fexamplec39b0ff93c917804acf
[checkout_id] => 1-61ff5b400-756ea301a9
[currency] => USD
[email] => [email protected]
[event_time] => 2019-08-10 18:33:58
[marketing_consent] =>
[next_bill_date] => 2019-08-18
[passthrough] => 1132
[quantity] => 67
[status] => active
[subscription_id] => 4
[subscription_plan_id] => 5
[unit_price] => unit_price
[update_url] => https://checkout.paddle.com/subscription/update?user=5&subscription=4&hash=e937ed03f1637e45d912f4f4d293a
[user_id] => 6
[p_signature] => HM2Isn1k6Sy1cKySQGoFH...
)
编辑:
我正在使用 Ruby 2.5.5 和 Ruby on Rails 5。目前最终仍然总是“错误”。我将在我的控制台上查看它:
这是我在 Rails 中获得的(假)数据:
data = {
"alert_id"=>"1",
"alert_name"=>"alert_created",
"cancel_url"=>"https://...",
"checkout_id"=>"1",
"user_id"=>"1",
"p_signature"=>"fwWXqR9C..."
}
public_key = '-----BEGIN PUBLIC KEY-----sDFKJSD2332FKJLWJF......'
然后我执行以下操作:
signature = Base64.decode64(data['p_signature'])
data.delete('p_signature')
data.each {|key, value|data[key] = String(value)}
data_sorted = data.sort_by{|key, value| key}
data_serialized = data_sorted.to_json
digest = OpenSSL::Digest::SHA1.new
pub_key = OpenSSL::PKey::RSA.new(public_key)
verified = pub_key.verify(digest, signature, data_serialized)
最终已验证始终是假。我究竟做错了什么?
您提到的 Ruby 示例不起作用,因为您需要获取数据变量。这必须从控制器发送到处理请求的某个类。
试试这个:
在routes.rb中
get 'check', to: 'test#check'在控制器中
class TestController < ApplicationController
def check
verification = SignatureVerifier.new(check_params.as_json)
if verification
#... do something
end
end
private
def check_params
params.permit.all
end
end
在验证者类中
require 'base64'
require 'json'
require 'openssl'
class SignatureVerifier
def initialize(data)
@data = data
@public_key_path = '/path/to/file'
end
#data = {
# "alert_name": "payment_succeeded",
# "balance_currency": "USD",
# "balance_earnings": 355.05,
# "balance_fee": 177.36,
# "balance_gross": 180.85,
# "balance_tax": 433.43,
# "checkout_id": "4-601ee0e3d793922-ab8910b010",
# "currency": "USD",
# "customer_name": "customer_name",
# "earnings": 292.87,
# "product_name": "Example",
# "quantity": 12,
# "p_signature": "dl8PN7OrxiYHSJzT3CLUDlElodOE2j8puZkDNPHX9rZnTgig123f4KhtUXZT/HjbU5D7g/PZggxSCt9YrMcWrbSkfINJROTb+YrlhYKAVyTbmMWJV8u+YU6VcGNkhcGK7tIZNBJuaKMBrByrYA14gR3TvMjgXbQWNSFJ8LgJKMWoovbpuOkQwzkKze4vavt3WhElW0izPZwpiqVWTVXAlIvDxHTNT+sS1jXqAHdoli6sVblQQtAujSxdGm2OXB92yifcV0oHhrsqt8rCk1TzJOqsVrhQz1lqSYsbdhlM40QPHM7nHPGe5RITly4t8BjsuCB+V1aeof3N5A0ZDk+2M2Cox6S+vEahEdbW8QdecIKN12SMAYI5kx9zMMiUZ9XZqqC6orXE3uVAcTvMwiTRDDmEVr1HtsBZRo/Ykg7+fMYPc/o7rDpA16/EIOcce1zp+vgilL6rSxIuMFfWlP9qxzrV1MtcmQa86NxEU0GJtebkhehXZfh/eDCAjysmrrBM5xkqE19M+Ye4jZCRTzQTHyDJxjdNYefk7bVfivwRI606JJCGYUMTD6NIsn4rinw2SxKkZquqjTykcob5gn3HH+0AxyjuDj7fsLyqEl3gE9tgo/oMKRBy+zsYzQk4v291sh2PbUfH36W4aL4YYztlsarfMIBWqJshc8rf0RL3pAM="
#}
def verify
data = @data
signature = Base64.decode64(data[:p_signature])
# Remove the p_signature parameter
data.delete(:p_signature)
# Ensure all the data fields are strings
data.each {|key, value|data[key] = String(value)}
# Sort the data
data_sorted = data.sort_by{|key, value| key}
# Serialized with JSON library
data_serialized = data_sorted.to_json
# verify the data
digest = OpenSSL::Digest::SHA1.new
pub_key = OpenSSL::PKey::RSA.new(File.read(@public_key_path))
verified = pub_key.verify(digest, signature, data_serialized)
verified
end
end
以防这对将来的任何人有帮助。以下代码解决了我的问题。
[1] 将其添加到处理 API 集成/webhooks 的控制器类中:
# main Paddle end-point for paddle generated webhook events
def paddle
if PaddleWebhooks.verify_paddle_authenticity(params.as_json)
msg= 'Yay! Signature is valid!:' + params.to_s
else
msg= 'The signature is invalid!:' + params.to_s
end
render json: msg.to_json, status: :ok
end
Paddle 期望 Webhooks 处理程序返回状态代码 200 (:ok)。我们还添加了要返回到 Paddle 的 webhook 模拟器的消息,以便您可以检查从它们收到的内容(及其结构)。一旦您投入生产,您当然可以删除它。
[2] 将 php_serialize gem 添加到您的 gemfile
# Use for verifying Paddle's webhooks
gem "php-serialize"
[3]创建支持类:
class PaddleWebhooks
require 'base64'
require 'php_serialize'
require 'openssl'
def self.verify_paddle_authenticity(data)
// PADDLE_PUBLIC_KEY should have your paddle provided key as a single line
// and without the "-----BEGIN PUBLIC KEY-----" and
// "-----END PUBLIC KEY-----" strings
public_key =ENV['PADDLE_PUBLIC_KEY']
signature = Base64.decode64(data['p_signature'])
# Remove the p_signature parameter as per Paddle's instructions
data.delete('p_signature')
# Remove also from the data the controller and action (key,value) pairs
data.delete('controller')
data.delete('action')
# Ensure all the data fields are strings
data.each {|key, value|data[key] = String(value)}
# Sort the data
data_sorted = data.sort_by{|key, value| key}
# Serialized with JSON library
data_serialized = PHP.serialize(data_sorted, true)
# verify the data
digest = OpenSSL::Digest::SHA1.new
pub_key = OpenSSL::PKey::RSA.new(Base64.decode64(public_key))
verified = pub_key.verify(digest, signature, data_serialized)
verified
end
end
我在 Rails 中使用我的 webhook 端点执行了此操作。
def paid
begin
timestamp, signature = request.headers['Paddle-Signature'].split(';').map { |part| part.split('=')[1] }
# Build signed payload
signed_payload = "#{timestamp}:#{request.raw_post}"
# Hash signed payload
computed_signature = OpenSSL::HMAC.hexdigest('sha256', AppConfig.paddle.endpoint_secret_key, signed_payload)
# Compare signatures
unless ActiveSupport::SecurityUtils.secure_compare(signature, computed_signature)
raise StandardError, "Paddle-Signature does not match with computed signature"
end
request_body = JSON.parse(request.body.read)
service_id = request_body["data"]["custom_data"]["serviceId"]
service = Service.find_by(id: service_id)
service.paid!
service.update_columns(paddle_tx_id: request_body["data"]["id"])
rescue => e
data = { notification_id: request_body["data"]["notification_id"] } if request_body&.dig("data", "notification_id")
data ||= request_body
ExceptionNotifier.notify_exception(e, data: data)
ensure
head :ok
end
end
我只是确保如果出现问题,我会收到一封通知电子邮件。