Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Mandrill webhook verifier, in Ruby
class MandrillSignatureVerifier
def initialize(key, url, params, signature)
@key = key
@url = url
@params = params
@signature = signature
end
# Return true if the signature matches
def verified?
sign == @signature
end
def sign
data = @url
data += @params.sort.join
Base64.strict_encode64(
OpenSSL::HMAC.digest(
OpenSSL::Digest.new('sha1'), @key, data
)
)
end
def self.verified?(key, url, params, signature)
self.new(key, url, params, signature).verify
end
def self.sign(key, url, params)
self.new(key, url, params, nil).sign
end
end
# And here's how you'd use it, general idea from https://gist.github.com/joost/6460736 in part
class WebhooksController < ActionController::Base
WEBHOOK_KEY = "some_key" # You could also use an API request to lookup the key
before_filter :verify_request_signature
# See: http://help.mandrill.com/entries/23704122-Authenticating-webhook-requests
def verify_request_signature
verifier = MandrillParser::SignatureVerifier.new(WEBHOOK_KEY, request.url, request.request_parameters, request.headers['X-Mandrill-Signature'])
head :unauthorized unless verifier.verify
end
end
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment