|
| 1 | +package com.vailsys.freeclimb; |
| 2 | + |
| 3 | +import java.io.UnsupportedEncodingException; |
| 4 | +import java.net.URLDecoder; |
| 5 | +import java.util.Arrays; |
| 6 | +import java.util.List; |
| 7 | +import java.util.ArrayList; |
| 8 | +import java.util.Date; |
| 9 | + |
| 10 | +import javax.crypto.Mac; |
| 11 | +import javax.crypto.spec.SecretKeySpec; |
| 12 | + |
| 13 | +import com.vailsys.freeclimb.api.FreeClimbException; |
| 14 | +import org.apache.commons.codec.binary.Hex; |
| 15 | + |
| 16 | +public class Utils { |
| 17 | + /** |
| 18 | + * Verify a request's signature |
| 19 | + * |
| 20 | + * @param requestBody The request's body |
| 21 | + * @param signatureHeader The request's `freeclimb-signature` header |
| 22 | + * @param signingSecret A signing secret from the FreeClimb account |
| 23 | + * @param tolerance Acceptable duration threshold represented in |
| 24 | + * milliseconds, defaulting to 5 minutes when not |
| 25 | + * provided |
| 26 | + * @throws FreeClimbException upon failed verification |
| 27 | + */ |
| 28 | + public static void verifyRequest(String requestBody, String signatureHeader, String signingSecret, int tolerance) throws FreeClimbException { |
| 29 | + String[] values = signatureHeader.split(","); |
| 30 | + |
| 31 | + long time = 0; |
| 32 | + List<String> v1 = new ArrayList<String>(); |
| 33 | + for (String queryString : values) { |
| 34 | + try { |
| 35 | + final int idex =queryString.indexOf("="); |
| 36 | + String key = idex > 0 |
| 37 | + ? URLDecoder.decode(queryString.substring(0, idex), "UTF-8") |
| 38 | + : queryString; |
| 39 | + String value = (idex > 0) && (queryString.length() > idex + 1) |
| 40 | + ? queryString.substring(idex + 1) |
| 41 | + : null; |
| 42 | + if (key.equals("t")) { |
| 43 | + time = Long.parseLong(value); |
| 44 | + } |
| 45 | + if (key.equals("v1")) { |
| 46 | + v1.add(value); |
| 47 | + } |
| 48 | + } catch (UnsupportedEncodingException e) { |
| 49 | + throw new FreeClimbException(e); |
| 50 | + } |
| 51 | + } |
| 52 | + |
| 53 | + long currentTime = new Date().getTime(); |
| 54 | + long signatureAge = currentTime - (time*1000); |
| 55 | + if (tolerance < signatureAge) { |
| 56 | + throw new FreeClimbException(String.format("Request rejected - signature's timestamp failed against current tolerance of %2d milliseconds. Signature age: %2d milliseconds", tolerance, signatureAge)); |
| 57 | + } |
| 58 | + |
| 59 | + String data = time + "." + requestBody; |
| 60 | + try { |
| 61 | + Mac mac = Mac.getInstance("HmacSHA256"); |
| 62 | + mac.init(new SecretKeySpec(signingSecret.getBytes(), "HmacSHA256")); |
| 63 | + String hmac = Hex.encodeHexString(mac.doFinal(data.getBytes())); |
| 64 | + |
| 65 | + if (!v1.contains(hmac)) { |
| 66 | + throw new FreeClimbException(String.format("Unverified Request Signature - FreeClimb was unable to verify that this request originated from FreeClimb. If this request was unexpected, it may be from a bad actor. Please proceed with caution. If this request was expected, to fix this issue try checking for any typos or misspelling of your signing secret.")); |
| 67 | + } |
| 68 | + } catch (Exception e) { |
| 69 | + throw new FreeClimbException("Failed to calculate hmac using ", e); |
| 70 | + } |
| 71 | + } |
| 72 | + |
| 73 | + /** |
| 74 | + * Verify a request's signature |
| 75 | + * |
| 76 | + * @param requestBody The request's body |
| 77 | + * @param signatureHeader The request's `freeclimb-signature` header |
| 78 | + * @param signingSecret A signing secret from the FreeClimb account |
| 79 | + * @throws FreeClimbException upon failed verification |
| 80 | + */ |
| 81 | + public static void verifyRequest(String requestBody, String signatureHeader, String signingSecret) throws FreeClimbException { |
| 82 | + Utils.verifyRequest(requestBody, signatureHeader, signingSecret, 5*60*1000); |
| 83 | + } |
| 84 | +} |
0 commit comments