Vonage / vonage-ruby-sdk

Vonage REST API client for Ruby. API support for SMS, Voice, Text-to-Speech, Numbers, Verify (2FA) and more.
https://developer.vonage.com
Apache License 2.0

Can you give a more detailed parameters to pass for check_signature? #60

Closed fredbaa closed 7 years ago

fredbaa commented 7 years ago

I have a lot of parameters passed by the Nexmo inbound callback, and I'm not sure which parameters are needed for decryption when passing to check_signature.

timcraft commented 7 years ago

@fredbaa You need to pass a hash of all the parameters from the Nexmo callback to check_signature, including the sig parameter. Depends on what web framework you're using, but assuming you're using something Rack-based like Sinatra or Rails then request.GET should do it. The README example is currently a bit confusing because I didn't fully translate from the Python (fixed in 443327a).

fredbaa commented 7 years ago

@timcraft I'm using Rails and I tried passing on the request.query_parameters on check_signature but it still returns false. I'm not sure if the keys sent are correct or if the signature_secret Nexmo gave me is wrong.

Here's my sample parameters, please see if there are any keys not used. (Changed some values here)

{
  "msisdn":"911234567891",
  "to":"910987654321",
  "messageId":"00000BBBB0000AA",
  "text":"Test Message",
  "type":"text",
  "keyword":"TEST",
  "message-timestamp":"2016-11-17 05:16:11×tamp=1479359771",
  "nonce":"1d2bc5c9-8c0e-49e4-a247-e7953745457e",
  "sig":"ed9e5171a0852525058487c93b42ed38"
}

timcraft commented 7 years ago

@fredbaa In Rails the #query_parameters method is an alias for the #GET method so that's ok. You can contact support@nexmo.com to check the signature secret on your account. The parameters will vary depending on which callback you're getting. For SMS delivery callbacks I get: msisdn, to, network-code, messageId, price, status, scts, err-code, message-timestamp, timestamp, nonce, and sig.

The message-timestamp in your example looks suspicious. The message-timestamp should be just "2016-11-17 05:16:11", and it looks like "1479359771" should be the value of the timestamp parameter, which is missing from your example.

Have you specified the signature_secret option or NEXMO_SIGNATURE_SECRET environment variable?

fredbaa commented 7 years ago

@timcraft yes I did specify the signature_secret when initializing Nexmo client. Also contacted Nexmo support already and they confirmed that my signature_secret is correct.

The timestamp parameter also boggles me because it's appended to the message-timestamp. I tried extracting it and adding timestamp as a separate key, but still to no avail.

By the way, the values I showed you in the previous comment are from an inbound message callback, not the delivery callback. So probably the signature is created differently for a delivery callback and an inbound message callback.

timcraft commented 7 years ago

@fredbaa Ok. The signature implementation isn't specific to any kind of callback so if it works for one callback it should work for another, assuming there isn't a bug in the API that only affects some callbacks, which is one possibility. Can you try logging request.query_string to see if that's formatted correctly or if there is an encoding problem there?

fredbaa commented 7 years ago

@timcraft

Here's my request.query_string sample:

msisdn=911234567890&to=919876543210&messageId=0B0000000000A6B1&text=Hi+again&type=text&keyword=HI&message-timestamp=2016-11-17+07%3A04%3A32%C3%97tamp=1479366272&nonce=abd80ac2-6254-46c0-8b5d-517bf5eab18e&sig=26d8d2c6b4257e3ca13c668478a631da

Except for the message-timestamp, the encoding of the other params seems okay. I tried extracting the message-timestamp to get the tamp field and adding it as a separate value in the params. Also noticed the extra characters "%C3%97", which decode to the character ×. I'm not sure if that was included when creating the signature or if the message-timestamp should include it.

fredbaa commented 7 years ago

@timcraft oh wow. I tried changing the tamp parameter to timestamp and it worked perfectly. A bit of a hassle to extract the value from message-timestamp, but it works now. Thanks for the help! Maybe add a note about this in your next README.md

timcraft commented 7 years ago

@fredbaa I think that's a bug in the API, not specific to this library. Checking with Nexmo to confirm.

leggetter commented 7 years ago

The expected format is:

?msisdn=441632960960&to=441632960961&messageId=000000FFFB0356D1&text=This+is+an+inbound+message&type=text&message-timestamp=2012-08-19+20%3A38%3A23

with an additional nonce parameter (which we should add to the docs). https://docs.nexmo.com/messaging/sms-api/api-reference#inbound

I've just done a test and I don't see the problem:

msisdn=NUMBER&to=NUMBER&messageId=MESSAGE_ID&text=Hello&type=text&keyword=HELLO&message-timestamp=2016-11-21+14%3A53%3A27&timestamp=1479740007&nonce=56d2c52e-dcfa-4c00-9635-c103b227bbe6&sig=SIGNATURE

Is there any chance that something in Rails is tampering with the querystring that results in message-timestamp=2016-11-17+07%3A04%3A32%C3%97tamp=1479366272?

fredbaa commented 7 years ago

@leggetter I don't think Rails is tampering with the response because this is the query string also when I tried searching the message in Nexmo dashboard. All of the inbound messages sent after the signature check was added gave the same message-timestamp value with the tamp value appended on it.

leggetter commented 7 years ago

I've seen a few comments about &times being converted to × by frameworks and runtimes. It looks like that is what's happening here.

&timestamp -> tamp
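The two points raised above, checking the signature over every callback parameter (sig included) and the way a lenient HTML-entity decoder turns `&timestamp=` into `×tamp=`, as an added Ruby example that is not part of this thread or of the gem. It assumes the MD5 scheme as I understand it from the Nexmo docs (drop `sig`, sort the remaining params by key, join `&key=value` pairs, append the secret); the entity decoder stands in for whatever display layer mangled the string, and the secret and all parameter values are constructed.

```ruby
require 'digest/md5'
require 'cgi'
require 'uri'

# Constant-time comparison so the check does not leak how many leading
# bytes of a candidate signature matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Assumed MD5 scheme (illustrative, not the gem's code): drop "sig", sort the
# remaining params by key, join "&key=value" pairs, append the secret, MD5-hex.
def expected_signature(params, secret)
  data = params.reject { |k, _| k == 'sig' }.sort.map { |k, v| "&#{k}=#{v}" }.join
  Digest::MD5.hexdigest(data + secret)
end

# Every callback parameter must be passed, including "sig" itself;
# the function strips it before recomputing the digest.
def check_signature(params, secret)
  secure_compare(params.fetch('sig', '').to_s, expected_signature(params, secret))
end

# Parse a raw query string into a flat String => String hash, the shape
# request.GET / request.query_parameters gives you in a Rack app.
def params_from_query(query_string)
  CGI.parse(query_string).transform_values(&:first)
end

# Stand-in for a display layer that decodes HTML entities leniently (no
# trailing ";" required), as browsers do for legacy entities such as "&times".
# Copying a query string out of such a view instead of logging it in the
# callback handler is what produces "message-timestamp=...×tamp=...".
LEGACY_ENTITIES = { 'times' => "\u00D7", 'amp' => '&', 'lt' => '<', 'gt' => '>' }.freeze

def lenient_entity_decode(text)
  text.gsub(/&(#{LEGACY_ENTITIES.keys.join('|')});?/) { LEGACY_ENTITIES[Regexp.last_match(1)] }
end

SAMPLE_SECRET = 'example-signature-secret' # constructed, not a real secret

# Constructed inbound-message callback in the shape seen in this thread,
# signed with the constructed secret.
def sample_query_string
  params = {
    'msisdn' => '911234567890', 'to' => '919876543210', 'messageId' => '0B0000000000A6B1',
    'text' => 'Hi again', 'type' => 'text', 'keyword' => 'HI',
    'message-timestamp' => '2016-11-17 07:04:32', 'timestamp' => '1479366272',
    'nonce' => 'abd80ac2-6254-46c0-8b5d-517bf5eab18e'
  }
  params['sig'] = expected_signature(params, SAMPLE_SECRET)
  URI.encode_www_form(params)
end

if __FILE__ == $PROGRAM_NAME
  raw = sample_query_string
  puts "raw query string verifies:      #{check_signature(params_from_query(raw), SAMPLE_SECRET)}"
  mangled = lenient_entity_decode(raw)
  puts "after entity decoding: #{params_from_query(mangled)['message-timestamp']}"
  puts "mangled query string verifies:  #{check_signature(params_from_query(mangled), SAMPLE_SECRET)}"
end
```

The practical takeaway is the one the thread reaches: verify against the query string your handler actually received (log it there), never against a copy rendered by a web page, and treat a failed check as a reason to reject the callback rather than to patch the parameters up.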

fredbaa commented 7 years ago

Okay I see. Then I just have to handle it on the backend when this happens. Thanks for all your help @leggetter @timcraft

On Tue, 22 Nov 2016 at 12:11 AM, Phil Leggetter notifications@github.com wrote:

I've seen a few comments about &times being converted to × by frameworks and runtimes. It looks like that is what's happening here.

&timestamp -> tamp


timcraft commented 7 years ago

@fredbaa I've got inbound message callbacks working ok with Sinatra. Haven't tried with Rails yet, but I can't see anything in the query parsing code which would cause that. Could be something else in your application interfering with it perhaps. What version of Rails are you using?

Where are you seeing the issue in the dashboard exactly?

fredbaa commented 7 years ago

@timcraft tried it again; it seems the problem was the Nexmo dashboard displaying &times as ×. I added logging on the callback url for the actual parameters received, checked again on my Rails backend, and the parameters are actually intact. I'm still working in development on the signature check, and the callback url is already in production, so I just used the Nexmo dashboard to get the query string and test the parameters back in my development environment. Will use my own logs now to get the actual value received, and not the Nexmo dashboard. Sorry for the confusion, I didn't catch it the first time.

This is where I get the value for the query string (http://dashboard.nexmo.com/sms): [screenshot, 2016-11-22 12:52 am]

timcraft commented 7 years ago

@fredbaa Ok, that makes sense. You can use something like localtunnel, ngrok, or pagekite to test the callbacks in development. Which part of the Nexmo dashboard is displaying the parameter incorrectly?

fredbaa commented 7 years ago

I added a screenshot on the above comment. It's where you search for delivery receipts and inbound messages.

timcraft commented 7 years ago

@fredbaa Got it, thanks!

@leggetter The SMS debug log is the source of the problem, I can reproduce the issue with my account. Please can you pass on to the relevant person internally so it can be fixed?