com.messagebird

Class RequestValidator

java.lang.Object

com.messagebird.RequestValidator

public class RequestValidator
extends Object

RequestValidator validates request signature signed by MessageBird services.

See Also:

Verify HTTP Requests

Field Summary

Fields

Modifier and Type	Field and Description
static String	SIGNATURE_HEADER Signature of signed request is set with header name 'MessageBird-Signature-JWT'

Constructor Summary

Constructors

Constructor and Description
RequestValidator(String signatureKey) RequestValidator validates request signature with a customer signature key.
RequestValidator(String signatureKey, boolean skipURLValidation) RequestValidator validates webhook signature with a customer signature key.

Method Summary

Modifier and Type	Method and Description
com.auth0.jwt.interfaces.DecodedJWT	validateSignature(Clock clock, String signature, String url, byte[] requestBody) Returns raw signature payload after validating a signature successfully, otherwise throws RequestValidationException.
com.auth0.jwt.interfaces.DecodedJWT	validateSignature(String signature, byte[] requestBody) Validates request signature with URL validation disabled.
com.auth0.jwt.interfaces.DecodedJWT	validateSignature(String signature, String url, byte[] requestBody) Returns raw signature payload after validating a signature successfully, otherwise throws RequestValidationException.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

SIGNATURE_HEADER

public static final String SIGNATURE_HEADER

Signature of signed request is set with header name 'MessageBird-Signature-JWT'

See Also:

Constant Field Values

Constructor Detail

RequestValidator

public RequestValidator(String signatureKey)

RequestValidator validates request signature with a customer signature key.

Parameters:

signatureKey - customer signature key. Can be retrieved through Developer Settings. This is NOT your API key.

See Also:

Verify HTTP Requests

RequestValidator

public RequestValidator(String signatureKey,
                        boolean skipURLValidation)

RequestValidator validates webhook signature with a customer signature key.

Parameters:

signatureKey - customer signature key. Can be retrieved through Developer Settings. This is NOT your API key.

skipURLValidation - whether url_hash claim validation should be skipped. Note that when true, no query parameters should be trusted.

See Also:

Verify HTTP Requests

Method Detail

validateSignature

public com.auth0.jwt.interfaces.DecodedJWT validateSignature(Clock clock,
                                                             String signature,
                                                             String url,
                                                             byte[] requestBody)
                                                      throws RequestValidationException

Returns raw signature payload after validating a signature successfully, otherwise throws RequestValidationException.

This JWT is signed with a MessageBird account unique secret key, ensuring the request is from MessageBird and a specific account. The JWT contains the following claims:

• "url_hash" - the raw URL hashed with SHA256 ensuring the URL wasn't altered.
• "payload_hash" - the raw payload hashed with SHA256 ensuring the payload wasn't altered.
• "jti" - a unique token ID to implement an optional non-replay check (NOT validated by default).
• "nbf" - the not before timestamp.
• "exp" - the expiration timestamp is ensuring that a request isn't captured and used at a later time.
• "iss" - the issuer name, always MessageBird.

Parameters:

clock - custom Clock instance to validate timestamp claims.

signature - the actual signature.

url - the raw url including the protocol, hostname and query string, https://example.com/?example=42.

requestBody - the raw request body.

Returns:

raw signature payload as DecodedJWT object.

Throws:

RequestValidationException - when the signature is invalid.

See Also:

Verify HTTP Requests

validateSignature

public com.auth0.jwt.interfaces.DecodedJWT validateSignature(String signature,
                                                             String url,
                                                             byte[] requestBody)
                                                      throws RequestValidationException

Returns raw signature payload after validating a signature successfully, otherwise throws RequestValidationException.

Parameters:

signature - the actual signature.

url - the raw url including the protocol, hostname and query string, https://example.com/?example=42.

requestBody - the raw request body.

Returns:

raw signature payload as DecodedJWT object.

Throws:

RequestValidationException - when the signature is invalid.

See Also:

validateSignature(Clock, String, String, byte[])

validateSignature

public com.auth0.jwt.interfaces.DecodedJWT validateSignature(String signature,
                                                             byte[] requestBody)
                                                      throws RequestValidationException

Validates request signature with URL validation disabled. Note that no query parameters should be trusted and this only works if RequestValidator is constructed with skipURLValidation set to true.

Parameters:

signature - the actual signature.

requestBody - the raw request body.

Returns:

raw signature payload as DecodedJWT object.

Throws:

RequestValidationException - when the signature is invalid.

See Also:

validateSignature(String, String, byte[])