Merge branch 'master' into add-conversations

Author: marcel corso

client.go

@@ -25,7 +25,7 @@ import (
 
 const (
 	// ClientVersion is used in User-Agent request header to provide server with API level.
-	ClientVersion = "5.0.0"
+	ClientVersion = "5.1.1"
 
 	// Endpoint points you to MessageBird REST API.
 	Endpoint = "https://rest.messagebird.com"
@@ -47,6 +47,14 @@ type Client struct {
 	DebugLog   *log.Logger  // Optional logger for debugging purposes
 }
 
+type contentType string
+
+const (
+	contentTypeEmpty          contentType = ""
+	contentTypeJSON           contentType = "application/json"
+	contentTypeFormURLEncoded contentType = "application/x-www-form-urlencoded"
+)
+
 // New creates a new MessageBird client object.
 func New(accessKey string) *Client {
 	return &Client{
@@ -67,27 +75,26 @@ func (c *Client) Request(v interface{}, method, path string, data interface{}) e
 		return err
 	}
 
-	var jsonEncoded []byte
-	if data != nil {
-		jsonEncoded, err = json.Marshal(data)
-		if err != nil {
-			return err
-		}
+	body, contentType, err := prepareRequestBody(data)
+	if err != nil {
+		return err
 	}
 
-	request, err := http.NewRequest(method, uri.String(), bytes.NewBuffer(jsonEncoded))
+	request, err := http.NewRequest(method, uri.String(), bytes.NewBuffer(body))
 	if err != nil {
 		return err
 	}
 
-	request.Header.Set("Content-Type", "application/json")
 	request.Header.Set("Accept", "application/json")
 	request.Header.Set("Authorization", "AccessKey "+c.AccessKey)
 	request.Header.Set("User-Agent", "MessageBird/ApiClient/"+ClientVersion+" Go/"+runtime.Version())
+	if contentType != contentTypeEmpty {
+		request.Header.Set("Content-Type", string(contentType))
+	}
 
 	if c.DebugLog != nil {
 		if data != nil {
-			c.DebugLog.Printf("HTTP REQUEST: %s %s %s", method, uri.String(), jsonEncoded)
+			c.DebugLog.Printf("HTTP REQUEST: %s %s %s", method, uri.String(), body)
 		} else {
 			c.DebugLog.Printf("HTTP REQUEST: %s %s", method, uri.String())
 		}
@@ -136,3 +143,22 @@ func (c *Client) Request(v interface{}, method, path string, data interface{}) e
 		return errorResponse
 	}
 }
+
+// prepareRequestBody takes untyped data and attempts constructing a meaningful
+// request body from it. It also returns the appropriate Content-Type.
+func prepareRequestBody(data interface{}) ([]byte, contentType, error) {
+	switch data := data.(type) {
+	case nil:
+		// Nil bodies are accepted by `net/http`, so this is not an error.
+		return nil, contentTypeEmpty, nil
+	case string:
+		return []byte(data), contentTypeFormURLEncoded, nil
+	default:
+		b, err := json.Marshal(data)
+		if err != nil {
+			return nil, contentType(""), err
+		}
+
+		return b, contentTypeJSON, nil
+	}
+}

group/group.go

@@ -161,10 +161,9 @@ func AddContacts(c *messagebird.Client, groupID string, contactIDs []string) err
 		return err
 	}
 
-	query := addContactsQuery(contactIDs)
-	formattedPath := fmt.Sprintf("%s/%s/%s?%s", path, groupID, contactPath, query)
+	data := addContactsData(contactIDs)
 
-	return c.Request(nil, http.MethodGet, formattedPath, nil)
+	return c.Request(nil, http.MethodPut, path+"/"+groupID+"/"+contactPath, data)
 }
 
 func validateAddContacts(contactIDs []string) error {
@@ -182,19 +181,12 @@ func validateAddContacts(contactIDs []string) error {
 	return nil
 }
 
-// addContactsQuery gets a query string to add contacts to a group. We're using
-// the alternative "/foo?_method=PUT&key=value" format to send the contact IDs
-// as GET params. Sending these in the request body would require a painful
-// workaround, as client.Request sends request bodies as JSON by default. See
-// also: https://developers.messagebird.com/docs/alternatives.
-//
-// It should also be noted that we're intentionally not using url.Values for
-// building the query string: the API expects `ids[]=foo&ids[]=bar` format,
-// while url.Values encodes to `ids=foo&ids=bar`.
-func addContactsQuery(contactIDs []string) string {
-	// Slice's length is one bigger than len(IDs) for the _method param.
-	params := make([]string, 0, len(contactIDs)+1)
-	params = append(params, "_method="+http.MethodPut)
+// addContactsData gets the data string for adding a contact to a group. We're
+// intentionally not using url.Values for building the string: the API expects
+// `ids[]=foo&ids[]=bar` format, while url.Values encodes to `ids=foo&ids=bar`.
+func addContactsData(contactIDs []string) string {
+	cap := len(contactIDs)
+	params := make([]string, 0, cap)
 
 	for _, contactID := range contactIDs {
 		params = append(params, "ids[]="+contactID)

group/group_test.go

@@ -159,6 +159,10 @@ func TestUpdate(t *testing.T) {
 
 	mbtest.AssertEndpointCalled(t, http.MethodPatch, "/groups/group-id")
 	mbtest.AssertTestdata(t, "groupRequestUpdateObject.json", mbtest.Request.Body)
+
+	if mbtest.Request.ContentType != "application/json" {
+		t.Fatalf("got %s, expected application/json", mbtest.Request.ContentType)
+	}
 }
 
 func TestAddContacts(t *testing.T) {
@@ -169,10 +173,11 @@ func TestAddContacts(t *testing.T) {
 		t.Fatalf("unexpected error removing Contacts from Group: %s", err)
 	}
 
-	mbtest.AssertEndpointCalled(t, http.MethodGet, "/groups/group-id/contacts")
+	mbtest.AssertEndpointCalled(t, http.MethodPut, "/groups/group-id/contacts")
+	mbtest.AssertTestdata(t, "groupRequestAddContactsObject.txt", mbtest.Request.Body)
 
-	if mbtest.Request.URL.RawQuery != "_method=PUT&ids[]=first-contact-id&ids[]=second-contact-id" {
-		t.Fatalf("got %s, expected _method=PUT&ids[]=first-contact-id&ids[]=second-contact-id", mbtest.Request.URL.RawQuery)
+	if mbtest.Request.ContentType != "application/x-www-form-urlencoded" {
+		t.Fatalf("got %s, expected application/x-www-form-urlencoded", mbtest.Request.ContentType)
 	}
 }
 

group/testdata/groupRequestAddContactsObject.txt

@@ -0,0 +1 @@
+ids[]=first-contact-id&ids[]=second-contact-id

internal/mbtest/test_server.go

@@ -10,9 +10,9 @@ import (
 )
 
 type request struct {
-	Body   []byte
-	Method string
-	URL    *url.URL
+	Body                []byte
+	ContentType, Method string
+	URL                 *url.URL
 }
 
 // Request contains the lastly received http.Request by the fake server.
@@ -35,8 +35,9 @@ func EnableServer(m *testing.M) {
 func initAndStartServer() {
 	server = httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		Request = request{
-			Method: r.Method,
-			URL:    r.URL,
+			ContentType: r.Header.Get("Content-Type"),
+			Method:      r.Method,
+			URL:         r.URL,
 		}
 
 		var err error

signature/signature.go

@@ -0,0 +1,138 @@
+/*
+Package signature implements signature verification for MessageBird webhooks.
+
+To use define a new validator using your MessageBird Signing key.  You can use the
+ValidRequest method, just pass the request as a parameter:
+
+    validator := signature.NewValidator("your signing key")
+    if err := validator.ValidRequest(r); err != nil {
+        // handle error
+    }
+
+Or use the handler as a middleware for your server:
+
+	http.Handle("/path", validator.Validate(YourHandler))
+
+It will reject the requests that contain invalid signatures.
+The validator uses a 5ms seconds window to accept requests as valid, to change
+this value, set the ValidityWindow to the disired duration.
+Take into account that the validity window works around the current time:
+	[now - ValidityWindow/2, now + ValidityWindow/2]
+*/
+package signature
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/url"
+	"strconv"
+	"time"
+)
+
+const (
+	tsHeader = "MessageBird-Request-Timestamp"
+	sHeader  = "MessageBird-Signature"
+)
+
+// ValidityWindow defines the time window in which to validate a request.
+var ValidityWindow = 5 * time.Second
+
+// StringToTime converts from Unicode Epoch encoded timestamps to the time.Time type.
+func stringToTime(s string) (time.Time, error) {
+	sec, err := strconv.ParseInt(s, 10, 64)
+	if err != nil {
+		return time.Time{}, err
+	}
+	return time.Unix(sec, 0), nil
+}
+
+// Validator type represents a MessageBird signature validator.
+type Validator struct {
+	SigningKey string // Signing Key provided by MessageBird.
+}
+
+// NewValidator returns a signature validator object.
+func NewValidator(signingKey string) *Validator {
+	return &Validator{
+		SigningKey: signingKey,
+	}
+}
+
+// validTimestamp validates if the MessageBird-Request-Timestamp is a valid
+// date and if the request is older than the validator Period.
+func (v *Validator) validTimestamp(ts string) bool {
+	t, err := stringToTime(ts)
+	if err != nil {
+		return false
+	}
+	diff := time.Now().Add(ValidityWindow / 2).Sub(t)
+	return diff < ValidityWindow && diff > 0
+}
+
+// calculateSignature calculates the MessageBird-Signature using HMAC_SHA_256
+// encoding and the timestamp, query params and body from the request:
+// signature = HMAC_SHA_256(
+//	TIMESTAMP + \n + QUERY_PARAMS + \n + SHA_256_SUM(BODY),
+//	signing_key)
+func (v *Validator) calculateSignature(ts, qp string, b []byte) ([]byte, error) {
+	var m bytes.Buffer
+	bh := sha256.Sum256(b)
+	fmt.Fprintf(&m, "%s\n%s\n%s", ts, qp, bh[:])
+	mac := hmac.New(sha256.New, []byte(v.SigningKey))
+	if _, err := mac.Write(m.Bytes()); err != nil {
+		return nil, err
+	}
+	return mac.Sum(nil), nil
+}
+
+// validSignature takes the timestamp, query params and body from the request,
+// calculates the expected signature and compares it to the one sent by MessageBird.
+func (v *Validator) validSignature(ts, rqp string, b []byte, rs string) bool {
+	uqp, err := url.Parse("?" + rqp)
+	if err != nil {
+		return false
+	}
+	es, err := v.calculateSignature(ts, uqp.Query().Encode(), b)
+	if err != nil {
+		return false
+	}
+	drs, err := base64.StdEncoding.DecodeString(rs)
+	if err != nil {
+		return false
+	}
+	return hmac.Equal(drs, es)
+}
+
+// ValidRequest is a method that takes care of the signature validation of
+// incoming requests.
+func (v *Validator) ValidRequest(r *http.Request) error {
+	ts := r.Header.Get(tsHeader)
+	rs := r.Header.Get(sHeader)
+	if ts == "" || rs == "" {
+		return fmt.Errorf("Unknown host: %s", r.Host)
+	}
+	b, _ := ioutil.ReadAll(r.Body)
+	if v.validTimestamp(ts) == false || v.validSignature(ts, r.URL.RawQuery, b, rs) == false {
+		return fmt.Errorf("Unknown host: %s", r.Host)
+	}
+	r.Body = ioutil.NopCloser(bytes.NewBuffer(b))
+	return nil
+}
+
+// Validate is a handler wrapper that takes care of the signature validation of
+// incoming requests and rejects them if invalid or pass them on to your handler
+// otherwise.
+func (v *Validator) Validate(h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := v.ValidRequest(r); err != nil {
+			http.Error(w, "", http.StatusUnauthorized)
+			return
+		}
+		h.ServeHTTP(w, r)
+	})
+}