Feature Request: Provide a way to verify signature and parse webhook body separately

[kyori19]

Currently, SDK offers an single entrypoint for handling webhooks: Line::Bot::V2::WebhookParser#parse(body:, signature:).
It would be nice if there are two separate APIs for "verifing signature" and "constructing event object".

We are currently handling incoming webhooks by:

1. in a Controller: Verify signature synchronously (to avoid creating many jobs by DoS from attackers)
2. in a Worker: Parse webhook body and handle event object asynchronously

To implement this, currently we have to call private API and copy SDK codes.
Please consider to expose those APIs, Thanks.

[eucyt]

@kyori19
Thank you for the suggestion. Indeed, that seems like a valid use case.

In the kind of Controller you described, you can use verify_signature() if you only want to perform signature verification.

line-bot-sdk-ruby/lib/line/bot/v2/webhook_parser.rb

Lines 71 to 75 in db15c01

	def verify_signature(body:, signature:)
	hash = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), @channel_secret, body)
	expected = Base64.strict_encode64(hash)
	variable_secure_compare(signature, expected)
	end

In the kind of Worker you mentioned, performing parsing only (without signature verification) is not currently possible. However, we are planning to add functionality that allows skipping signature verification and performing parsing only. We’d appreciate your patience while we work on this.

[Yang-33]

@kyori19 @chocoby
We're sorry for the delay. How about #664?

Do you have any feedback on the coding experience? Opinions are welcome. Feel free to leave a review comment!

[kyori19]

@Yang-33 Thank you for reaching me, I've reviewed the PR.
That would be one possible solution but I have some concern about performance overhead.
In a controller (which verifies the signature), there's no need to parse webhook body (because it won't be handled synchronously). Many objects will be discarded immediately after creation.
To avoid this problem, verify_signature method should be marked as public method.

[Yang-33]

Thank you for checking!

As far as I know, if private or protected is not explicitly specified, it should be a public method. Can't this(=verify_signature) function be called using the SDK?

Or is the issue that it's not documented due to a lack of comments?

[kyori19]

@Yang-33 As it is defined below private keyword (without any definitions in the same line), verify_signature method will be treated as private method.
To expose the method, you have to swap the order of method definition and private keyword.

line-bot-sdk-ruby/lib/line/bot/v2/webhook_parser.rb

Lines 69 to 71 in 7e80c5b

	private
	def verify_signature(body:, signature:)

[Yang-33]

oops, sorry 😓
#664 moves this down!

[chocoby]

@Yang-33
Thank you for reaching out!
The changes look good. Appreciate the quick response! 🎉

[habara-k]

@kyori19
You can use it from v2.3.0. Thank you for your feedback.

[kyori19]

Thank you for all! Closing as resolved