SiftScience · sbogolii-sift · Dec 22, 2022 · Dec 4, 2022 · Dec 5, 2022 · Dec 8, 2022
diff --git a/build.gradle b/build.gradle
@@ -12,8 +12,8 @@ repositories {
 }
 
 compileJava {
-  sourceCompatibility = 1.7
-  targetCompatibility = 1.7
+  sourceCompatibility = 1.8
+  targetCompatibility = 1.8
 }
 
 compileTestJava {
@@ -23,11 +23,12 @@ compileTestJava {
 dependencies {
     testCompile group: 'junit', name: 'junit', version: '4.11'
     testCompile group: 'org.skyscreamer', name: 'jsonassert', version: '1.3.0'
-    testCompile group: 'com.squareup.okhttp3', name: 'mockwebserver', version: '3.4.2'
+    testCompile group: 'com.squareup.okhttp3', name: 'mockwebserver', version: '4.10.0'
     testCompile group: 'org.hamcrest', name: 'hamcrest-library', version: '1.3'
-    compile 'com.google.code.gson:gson:2.7'
-    compile 'com.squareup.okhttp3:okhttp:3.4.2'
-    compile 'com.squareup.okio:okio:1.9.0'
+    compile 'com.google.code.gson:gson:2.10'
+    compile 'com.squareup.okhttp3:okhttp:4.10.0'
+    compile 'com.squareup.okio:okio:3.2.0'
+    compile 'commons-codec:commons-codec:1.15'
 }
 
 task wrapper(type: Wrapper) {

diff --git a/src/main/java/com/siftscience/Constants.java b/src/main/java/com/siftscience/Constants.java
@@ -0,0 +1,8 @@
+package com.siftscience;
+
+public class Constants {
+
+    public static final String API_VERSION = "v205";
+    public static final String LIB_VERSION = "3.7.0";
+    public static final String USER_AGENT_HEADER = String.format("SiftScience/%s sift-java/%s", API_VERSION, LIB_VERSION);
+}
diff --git a/src/main/java/com/siftscience/SiftMerchantRequest.java b/src/main/java/com/siftscience/SiftMerchantRequest.java
@@ -11,6 +11,8 @@
 
 import java.io.IOException;
 
+import static com.siftscience.Constants.USER_AGENT_HEADER;
+
 public abstract class SiftMerchantRequest<T extends SiftMerchantResponse> {
     private final String accountId;
     FieldSet fieldSet;
@@ -43,7 +45,7 @@ protected void modifyRequestBuilder(Request.Builder builder) {
     public T send() throws IOException {
         fieldSet.validate();
 
-        Request.Builder okRequestBuilder = new Request.Builder().url(this.url());
+        Request.Builder okRequestBuilder = new Request.Builder().addHeader("User-Agent", USER_AGENT_HEADER).url(this.url());
         modifyRequestBuilder(okRequestBuilder);
         Request request = okRequestBuilder.build();
         T response = buildResponse(okClient.newCall(request).execute(), fieldSet);

diff --git a/src/main/java/com/siftscience/SiftRequest.java b/src/main/java/com/siftscience/SiftRequest.java
@@ -5,6 +5,8 @@
 
 import java.io.IOException;
 
+import static com.siftscience.Constants.USER_AGENT_HEADER;
+
 /**
  * SiftRequest is the base class for all Sift API requests. It implements the `send` method which
  * should be used by all subtypes as it provides standard error handling logic.
@@ -41,7 +43,7 @@ public T send() throws IOException {
         fieldSet.validate();
 
         // Ok now that the fieldSet is valid, construct and send the request.
-        Request.Builder okRequestBuilder = new Request.Builder().url(this.url());
+        Request.Builder okRequestBuilder = new Request.Builder().addHeader("User-Agent", USER_AGENT_HEADER).url(this.url());
         modifyRequestBuilder(okRequestBuilder);
         Request request = okRequestBuilder.build();
         T response = buildResponse(okClient.newCall(request).execute(), fieldSet);

diff --git a/src/main/java/com/siftscience/utils/WebhookValidator.java b/src/main/java/com/siftscience/utils/WebhookValidator.java
@@ -0,0 +1,24 @@
+package com.siftscience.utils;
+
+import org.apache.commons.codec.digest.HmacAlgorithms;
+import org.apache.commons.codec.digest.HmacUtils;
+
+public class WebhookValidator {
+    private static final String  SHA1 = "sha1=";
+    private static final String  SHA256 = "sha256=";
+
+    /**
+     *
+     * @param siftScienceSignature value of the 'X-Sift-Science-Signature' signature in the http header of the webhook request.
+     * @param requestBody body of the webhook request
+     * @param secretKey sift webhook secret key
+     * @return true, if the webhook request received is coming from Sift
+     */
+
+    public static boolean isValidWebhook(String siftScienceSignature, String requestBody, String secretKey) {
+        String verificationSignature_Sha1 = SHA1 + new HmacUtils(HmacAlgorithms.HMAC_SHA_1, secretKey.getBytes()).hmacHex(requestBody);
+        String verificationSignature_Sha256 = SHA256 + new HmacUtils(HmacAlgorithms.HMAC_SHA_256, secretKey.getBytes()).hmacHex(requestBody);
+
+        return siftScienceSignature.equals(verificationSignature_Sha1) || siftScienceSignature.equals(verificationSignature_Sha256);
+    }
+}
diff --git a/src/test/java/com/siftscience/SiftRequestTest.java b/src/test/java/com/siftscience/SiftRequestTest.java
@@ -0,0 +1,43 @@
+package com.siftscience;
+
+import com.siftscience.model.ApplyDecisionFieldSet;
+import okhttp3.OkHttpClient;
+import okhttp3.mockwebserver.MockResponse;
+import okhttp3.mockwebserver.MockWebServer;
+import okhttp3.mockwebserver.RecordedRequest;
+import org.junit.Assert;
+import org.junit.Test;
+import static java.net.HttpURLConnection.HTTP_OK;
+
+public class SiftRequestTest {
+
+    @Test
+    public void testUserAgentHeader() throws Exception {
+        MockWebServer server = new MockWebServer();
+        MockResponse response = new MockResponse();
+        response.setResponseCode(HTTP_OK);
+
+        server.enqueue(response);
+        server.start();
+        String userId = "a_user_id";
+
+        // Create a new client and link it to the mock server.
+        SiftClient client = new SiftClient("YOUR_API_KEY", "YOUR_ACCOUNT_ID",
+                new OkHttpClient.Builder()
+                        .addInterceptor(OkHttpUtils.urlRewritingInterceptor(server))
+                        .build());
+
+        // Build and execute the request against the mock server.
+        ApplyDecisionRequest request = client.buildRequest(
+                new ApplyDecisionFieldSet()
+                        .setUserId(userId)
+                        .setTime(System.currentTimeMillis()));
+
+        request.send();
+
+        // Verify the request.
+        RecordedRequest recordedRequest = server.takeRequest();
+        Assert.assertEquals("SiftScience/v205 sift-java/3.7.0", recordedRequest.getHeader("User-Agent"));
+    }
+
+}
diff --git a/src/test/java/com/siftscience/utils/WebhookValidatorTest.java b/src/test/java/com/siftscience/utils/WebhookValidatorTest.java
@@ -0,0 +1,68 @@
+package com.siftscience.utils;
+
+import org.apache.commons.codec.digest.HmacAlgorithms;
+import org.apache.commons.codec.digest.HmacUtils;
+import org.junit.Assert;
+import org.junit.Test;
+
+import static com.siftscience.utils.WebhookValidator.isValidWebhook;
+
+public class WebhookValidatorTest {
+
+    @Test
+    public void testWebhookValidation_sha1() {
+
+        final String secretKey = "1d708fe409f22591";
+        final String requestBody = "{\n" +
+                "  \"entity\": {\n" +
+                "    \"type\": \"user\",\n" +
+                "    \"id\": \"USER123\"\n" +
+                "  },\n" +
+                "  \"decision\": {\n" +
+                "    \"id\": \"block_user_payment_abuse\"\n" +
+                "  },\n" +
+                "  \"time\": 1461963439151\n" +
+                "}";
+        final String signature = "sha1=" + new HmacUtils(HmacAlgorithms.HMAC_SHA_1, secretKey).hmacHex(requestBody);
+
+        Assert.assertTrue(isValidWebhook(signature, requestBody, secretKey));
+    }
+
+    @Test
+    public void testWebhookValidation_sha256() {
+
+        final String secretKey = "1d708fe409f22591";
+        final String requestBody = "{\n" +
+                "  \"entity\": {\n" +
+                "    \"type\": \"user\",\n" +
+                "    \"id\": \"USER123\"\n" +
+                "  },\n" +
+                "  \"decision\": {\n" +
+                "    \"id\": \"block_user_payment_abuse\"\n" +
+                "  },\n" +
+                "  \"time\": 1461963439151\n" +
+                "}";
+        final String signature = "sha256=" + new HmacUtils(HmacAlgorithms.HMAC_SHA_256, secretKey.getBytes()).hmacHex(requestBody);
+
+        Assert.assertTrue(isValidWebhook(signature, requestBody, secretKey));
+    }
+
+    @Test
+    public void testWebhookValidationForInvalidSecretKey() {
+
+        final String secretKey = "1d708fe409f22591";
+        final String requestBody = "{\n" +
+                "  \"entity\": {\n" +
+                "    \"type\": \"user\",\n" +
+                "    \"id\": \"USER123\"\n" +
+                "  },\n" +
+                "  \"decision\": {\n" +
+                "    \"id\": \"block_user_payment_abuse\"\n" +
+                "  },\n" +
+                "  \"time\": 1461963439151\n" +
+                "}";
+        final String signature = "sha1=" + new HmacUtils(HmacAlgorithms.HMAC_SHA_1, secretKey.getBytes()).hmacHex(requestBody);
+
+        Assert.assertFalse(isValidWebhook(signature, requestBody, "invalid key"));
+    }
+}