54 lines
1.7 KiB
Ruby
54 lines
1.7 KiB
Ruby
class Webhooks::TiktokController < ActionController::API
|
|
before_action :verify_signature!
|
|
|
|
def events
|
|
event = JSON.parse(request_payload)
|
|
if echo_event?
|
|
# Add delay to prevent race condition where echo arrives before send message API completes
|
|
# This avoids duplicate messages when echo comes early during API processing
|
|
::Webhooks::TiktokEventsJob.set(wait: 2.seconds).perform_later(event)
|
|
else
|
|
::Webhooks::TiktokEventsJob.perform_later(event)
|
|
end
|
|
|
|
head :ok
|
|
end
|
|
|
|
private
|
|
|
|
def request_payload
|
|
@request_payload ||= request.body.read
|
|
end
|
|
|
|
def verify_signature!
|
|
signature_header = request.headers['Tiktok-Signature']
|
|
client_secret = GlobalConfigService.load('TIKTOK_APP_SECRET', nil)
|
|
received_timestamp, received_signature = extract_signature_parts(signature_header)
|
|
|
|
return head :unauthorized unless client_secret && received_timestamp && received_signature
|
|
|
|
signature_payload = "#{received_timestamp}.#{request_payload}"
|
|
computed_signature = OpenSSL::HMAC.hexdigest('SHA256', client_secret, signature_payload)
|
|
|
|
return head :unauthorized unless ActiveSupport::SecurityUtils.secure_compare(computed_signature, received_signature)
|
|
|
|
# Check timestamp delay (acceptable delay: 5 seconds)
|
|
current_timestamp = Time.current.to_i
|
|
delay = current_timestamp - received_timestamp
|
|
|
|
return head :unauthorized if delay > 5
|
|
end
|
|
|
|
def extract_signature_parts(signature_header)
|
|
return [nil, nil] if signature_header.blank?
|
|
|
|
keys = signature_header.split(',')
|
|
signature_parts = keys.map { |part| part.split('=') }.to_h
|
|
[signature_parts['t']&.to_i, signature_parts['s']]
|
|
end
|
|
|
|
def echo_event?
|
|
params[:event] == 'im_send_msg'
|
|
end
|
|
end
|