sign_token

in media_cdn/dualtoken.rb [89:197]


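# Builds a signed token string from the supplied restrictions.
#
# The token is a list of "Name=value" fields joined with "~", followed by the
# signature field. A second, parallel list holds the fields that are actually
# signed; it differs from the emitted list for +full_path+ and +headers+.
#
# Exactly one path restriction is used, picked in this order of precedence:
# +full_path+, +path_globs+, +url_prefix+.
#
# NOTE(review): field values (+full_path+, +path_globs+, +session_id+, +data+)
# are interpolated as-is, with no escaping. "~" is the field separator, so a
# value that contains it changes the field structure of both the signed string
# and the emitted token. Callers that build these values from request input
# should validate them against an allow-list before calling this method.
#
# NOTE(review): the returned string is a bearer credential for the restricted
# content; avoid writing it to logs.
#
# @param base64_key [String] signing key, URL-safe base64 encoded
# @param signature_algorithm [Symbol, String] one of +:sha1+, +:sha256+,
#   +:ed25519+ (case-insensitive; the string forms are accepted as well)
# @param start_time [Time, nil] emitted as "Starts=<epoch seconds>"
# @param expiration_time [Time, nil] emitted as "Expires=<epoch seconds>";
#   defaults to 300 seconds from now
# @param full_path [String, nil] signed as "FullPath=<value>", emitted as the
#   bare field name "FullPath"
# @param path_globs [String, nil] emitted after stripping surrounding whitespace
# @param url_prefix [String, nil] emitted through the +base64_encode+ helper
# @param session_id [String, nil] emitted as "SessionID=<value>"
# @param data [String, nil] emitted as "Data=<value>"
# @param headers [Object, nil] passed to the +header_names+ (emitted) and
#   +header_pairs+ (signed) helpers, which are defined outside this method
# @param ip_ranges [String, nil] emitted through the +base64_encode+ helper
# @return [String] the "~"-joined token, ending in "Signature=..." for Ed25519
#   or "hmac=..." for the HMAC algorithms
# @raise [ArgumentError] if the key decodes to an empty string, no path
#   restriction is given, or the algorithm is not supported
def sign_token(
  base64_key:,
  signature_algorithm:,
  start_time: nil,
  expiration_time: nil,
  full_path: nil,
  path_globs: nil,
  url_prefix: nil,
  session_id: nil,
  data: nil,
  headers: nil,
  ip_ranges: nil
)
  decoded_key = Base64.urlsafe_decode64(base64_key)
  # An empty secret (for example an unset configuration value) would still
  # produce a well-formed HMAC; fail loudly instead of signing with it.
  raise ArgumentError, "`base64_key` must decode to a non-empty key." if decoded_key.empty?

  # Normalise to a lower-case String so that :sha256, :SHA256 and "sha256" are
  # all recognised, and nil ends up in the ArgumentError branch below rather
  # than raising NoMethodError.
  algo = signature_algorithm.to_s.downcase

  tokens = []
  to_sign = []
  # Most fields are emitted and signed in the same form; the two-argument form
  # covers the fields whose signed form differs from the emitted one.
  add_field = lambda do |token_field, signed_field = token_field|
    tokens << token_field
    to_sign << signed_field
  end

  # Path restriction: exactly one is used.
  if !full_path.nil?
    # The path value is covered by the signature but not repeated in the token.
    add_field.call("FullPath", "FullPath=#{full_path}")
  elsif !path_globs.nil?
    add_field.call("PathGlobs=#{path_globs.strip}")
  elsif !url_prefix.nil?
    add_field.call("URLPrefix=#{base64_encode url_prefix}")
  else
    raise ArgumentError,
          "User input missing: one of `url_prefix`, `full_path`, or `path_globs` must be specified."
  end

  add_field.call("Starts=#{start_time.utc.to_i}") unless start_time.nil?

  # Tokens always expire; the default lifetime is five minutes.
  expiration_time ||= Time.now.utc + 300
  add_field.call("Expires=#{expiration_time.to_i}")

  add_field.call("SessionID=#{session_id}") unless session_id.nil?
  add_field.call("Data=#{data}") unless data.nil?

  unless headers.nil?
    add_field.call("Headers=#{header_names headers}", "Headers=#{header_pairs headers}")
  end

  add_field.call("IPRanges=#{base64_encode ip_ranges}") unless ip_ranges.nil?

  # The original wrote `to_sign.join "~".encode "utf-8"`, which encodes only the
  # separator; joining with the plain literal yields the same bytes.
  to_sign_bytes = to_sign.join("~")

  case algo
  when "ed25519"
    digest = Ed25519::SigningKey.new(decoded_key).sign(to_sign_bytes)
    tokens << "Signature=#{base64_encode digest}"
  when "sha256"
    digest = OpenSSL::HMAC.hexdigest("SHA256", decoded_key, to_sign_bytes)
    tokens << "hmac=#{digest.encode('utf-8')}"
  when "sha1"
    # NOTE(review): kept for compatibility with existing callers; prefer
    # :sha256 or :ed25519 for new keys.
    digest = OpenSSL::HMAC.hexdigest("SHA1", decoded_key, to_sign_bytes)
    tokens << "hmac=#{digest.encode('utf-8')}"
  else
    raise ArgumentError,
          "Input missing error: `signature_algorithm` can only be one of `:sha1`, `:sha256`, or `:ed25519`."
  end

  tokens.join("~")
end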