Update qbo_controller.rb

2025-11-08 17:04:23 -05:00 · 2016-08-01 21:47:30 -04:00
parent c2f48d0277
commit 91110adad5
1 changed files with 38 additions and 28 deletions
--- a/app/controllers/qbo_controller.rb
+++ b/app/controllers/qbo_controller.rb
@@ -11,6 +11,9 @@
 class QboController < ApplicationController
  unloadable
  
+  require 'openssl'
+  require 'Base64'
+
  include AuthHelper
  
  before_filter :require_user, :except => :qbo_webhook
@@ -64,12 +67,16 @@ class QboController < ApplicationController
  # Quickbooks Webhook Callback
  def qbo_webhook
    
-    #TODO check the payload
+    # check the payload
    signature = request.headers['intuit-signature']
-    token = Setting.plugin_redmine_qbo['settingsWebhookToken']
+    key = Setting.plugin_redmine_qbo['settingsWebhookToken']
+    data = request.body.read
+    hash = Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha256'), key, data)).strip()
    
+    # proceed if the request is good
+    if hash.eql? signature
      if request.headers['content-type'] == 'application/json'
-      data = JSON.parse(request.body.read)
+        data = JSON.parse(data)
      else
        # application/x-www-form-urlencoded
        data = params.as_json
@@ -96,6 +103,9 @@ class QboController < ApplicationController
        else
          obj.sync_by_id(id)
        end
+      else
+        render nothing: true, status: 400
+      end
    end
    
    # Record that last time we updated