Merge pull request #91 from BloomAndWild/master

marcelcorso · web-flow · commit 8c09d21f396b · 2025-04-09T08:22:14.000+02:00
Add support for ruby-jwt v2.6.0 and above, bump development deps, new Ruby vers
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -11,8 +11,8 @@ jobs:
 
     strategy:
       matrix:
-        ruby-version: [ "3.0.3", "3.1.1" ]
-    
+        ruby-version: [ "3.0.7", "3.1.6", "3.2.6", "3.3.7", "3.4.1" ]
+
     steps:
     - uses: actions/checkout@v2
 
diff --git a/lib/messagebird/request_validator.rb b/lib/messagebird/request_validator.rb
@@ -71,14 +71,14 @@ def decode_signature(signature)
 
     def validate_url(url, url_hash)
       expected_url_hash = Digest::SHA256.hexdigest url
-      unless JWT::SecurityUtils.secure_compare(expected_url_hash, url_hash)
+      unless secure_compare(expected_url_hash, url_hash)
         raise ValidationError, 'invalid jwt: claim url_hash is invalid'
       end
     end
 
     def validate_payload(body, payload_hash)
       if !body.to_s.empty? && !payload_hash.to_s.empty?
-        unless JWT::SecurityUtils.secure_compare(Digest::SHA256.hexdigest(body), payload_hash)
+        unless secure_compare(Digest::SHA256.hexdigest(body), payload_hash)
           raise ValidationError, 'invalid jwt: claim payload_hash is invalid'
         end
       elsif !body.to_s.empty?
@@ -87,5 +87,15 @@ def validate_payload(body, payload_hash)
         raise ValidationError, 'invalid jwt: claim payload_hash is set but actual payload is missing'
       end
     end
+
+    # Adaption of https://github.com/rails/rails/blob/cf6ff17e9a3c6c1139040b519a341f55f0be16cf/activesupport/lib/active_support/security_utils.rb#L33
+    # Copied here so as to avoid adding a dependency on ActiveSupport to this gem
+    #
+    # Note that unlike `fixed_length_secure_compare` in the above url we don't fall back to a custom implementation
+    # of fixed_length_secure_compare, since OpenSSL.fixed_length_secure_compare is present in OpenSSL 2.2
+    # https://github.com/ruby/openssl/blob/master/History.md#version-220 which is included in Ruby 3.0 and above
+    def secure_compare(first, second)
+      first.bytesize == second.bytesize && OpenSSL.fixed_length_secure_compare(first, second)
+    end
   end
 end
diff --git a/messagebird-rest.gemspec b/messagebird-rest.gemspec
@@ -23,7 +23,10 @@ Gem::Specification.new do |s|
   s.files        = Dir.glob('lib/**/*') + %w(LICENSE README.md)
   s.require_path = 'lib'
 
-  s.add_dependency "jwt",  "~> 2.3"
+  # This code works with at least version 3.0.0.beta1 of jwt,
+  # so we are supporting up to version 4 to help reduce
+  # the necessity for future version bumps
+  s.add_dependency "jwt",  "< 4"
 
   s.add_development_dependency "rspec", "~> 3.11.0"
   s.add_development_dependency "rubocop", "~> 1.26.1"
