@julesfern
Created November 29, 2008 23:04
require 'digest/sha1'

# mixed in to Merb::Request
# Attempts to verify the request's signature using the strategy covered in signing.markdown.
# Takes no arguments; the signature is checked against the request's authenticating_client.
# Returns true on success, false on failure.
def signed?
  # Fail immediately if the request is not signed at all
  return false unless api_request? && authenticating_client
  # Prepare the verification string for comparison
  correct_sig = "#{authenticating_client.secret}#{method}#{protocol}#{host}#{uri}"
  # pop signature off the parameter list and serialize params
  p = signature_params
  correct_sig += "#{p.keys.sort}#{p.values.sort}"
  # mash and compare with given signature
  # (debug lines below are left disabled: correct_sig begins with the client secret)
  #raise RuntimeError, "wanted #{correct_sig.inspect} but was signed with #{api_signature.inspect}"
  match = Digest::SHA1.hexdigest(correct_sig) == api_signature
  #match or raise(RuntimeError, "failed to match signature, expected #{correct_sig.inspect} for parameters #{p.inspect} and uri #{full_uri.inspect}")
end

# Scrubs route parameters from the known params, returning a hash of known GET and POST parameters.
# Basically, this returns the parameters needed in the signature key/value gibberish.
def signature_params
  p = params.dup
  route, route_params = Merb::Router.route_for(self)
  #raise RuntimeError, route_params.inspect
  # Names of the parameters supplied by the router, as strings
  route_keys = route_params.keys.map { |s| s.to_s }
  # Drop route parameters and the signature parameter itself
  signature_key = MerbAuthSliceFullfat[:api_signature_param].to_s
  p.delete_if { |k, v| route_keys.include?(k.to_s) || k.to_s == signature_key }
end
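
An added example, not part of the gist: `signed?` appends `p.keys.sort` and `p.values.sort` separately, so the signed string does not bind a value to its key. The sketch below shows two parameter sets that sign identically under that construction, next to a hypothetical hardened variant (HMAC-SHA256 over length-prefixed key/value pairs, constant-time comparison). The secret, host, parameter names and helper names are constructed, and Ruby 1.8 array interpolation is modelled with `join`.

```ruby
require 'digest/sha1'
require 'openssl'

# Constructed sample values, not taken from the gist.
SECRET = 'constructed-demo-secret'
BASE   = 'GEThttpapi.example.test/transfers' # method + protocol + host + uri

# Models the gist's string-to-sign. Assumption: Ruby 1.8 semantics, where
# interpolating an Array joins its elements with no separator.
def legacy_signature(secret, base, params)
  Digest::SHA1.hexdigest("#{secret}#{base}#{params.keys.sort.join}#{params.values.sort.join}")
end

# Hardened variant (hypothetical): each value stays next to its key, and every
# field is length-prefixed so field boundaries cannot shift.
# Assumes flat parameters with string keys and values.
def canonical_string(base, params)
  fields = [base] + params.sort_by { |k, _| k.to_s }.flatten.map(&:to_s)
  fields.map { |f| "#{f.bytesize}:#{f}" }.join
end

# Keyed digest instead of SHA1(secret + message).
def hmac_signature(secret, base, params)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, canonical_string(base, params))
end

# Compare digests without returning early on the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verified?(secret, base, params, given)
  secure_equal?(hmac_signature(secret, base, params), given.to_s)
end

ORIGINAL = { 'from' => 'alice', 'to' => 'bob' }
SWAPPED  = { 'from' => 'bob', 'to' => 'alice' } # same keys, values exchanged

if __FILE__ == $0
  same = legacy_signature(SECRET, BASE, ORIGINAL) == legacy_signature(SECRET, BASE, SWAPPED)
  puts "legacy scheme signs both parameter sets identically: #{same}"
  sig = hmac_signature(SECRET, BASE, ORIGINAL)
  puts "hardened scheme accepts ORIGINAL: #{verified?(SECRET, BASE, ORIGINAL, sig)}"
  puts "hardened scheme accepts SWAPPED:  #{verified?(SECRET, BASE, SWAPPED, sig)}"
end
```

Changing the string-to-sign is a protocol change, so clients signing against signing.markdown would need to move to the new format at the same time as the server.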