NAME

AWS::SNS::Verify - Verifies authenticity of SNS messages.

VERSION

version 0.0105

SYNOPSIS

my $body = request->body; # example fetch raw body from Dancer
my $sns = AWS::SNS::Verify->new(body => $body);
if ($sns->verify) {
    return $sns->message;
}

DESCRIPTION

This module will parse a message from Amazon Simple Notification Service and validate its signature. This way you know the message came from AWS and not some third-party. More info here: http://docs.aws.amazon.com/sns/latest/dg/SendMessageToHttp.verify.signature.html.

METHODS

new

Constructor.

body

Required. JSON string posted by AWS SNS. Looks like:

{
   "Type" : "Notification",
   "MessageId" : "a890c547-5d98-55e2-971d-8826fff56413",
   "TopicArn" : "arn:aws:sns:us-east-1:041977924901:foo",
   "Subject" : "test subject",
   "Message" : "test message",
   "Timestamp" : "2015-02-20T20:59:25.401Z",
   "SignatureVersion" : "1",
   "Signature" : "kzi3JBQz64uFAXG9ZuAwPI2gYW5tT7OF83oeHb8v0/XRPsy0keq2NHTCpQVRxCgPOJ/QUB2Yl/L29/W4hiHMo9+Ns0hrqyasgUfjq+XkVR1WDuYLtNaEA1vLnA0H9usSh3eVVlLhpYzoT4GUoGgstRVvFceW2QVF9EYUQyromlcbOVtVpKCEINAvGEEKJNGTXQQUkPUka3YMhHitgQg1WlFBmf+oweSYUEj8+RoguWsn6vluxD0VtIOGOml5jlUecfhDqnetF5pUVYMqCHPfHn6RBguiW+XD6XWsdKKxkjqo90a65Nlb72gPSRw6+sIEIgf4J39WFZK+FCpeSm0qAg==",
   "SigningCertURL" : "https://sns.us-east-1.amazonaws.com/SimpleNotificationService-d6d679a1d18e95c2f9ffcf11f4f9e198.pem",
   "UnsubscribeURL" : "https://sns.us-east-1.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-east-1:041977924901:foo:20b2d060-2a32-4506-9cb0-24b8b9e605e1",
   "MessageAttributes" : {
       "AWS.SNS.MOBILE.MPNS.Type" : {"Type":"String","Value":"token"},
       "AWS.SNS.MOBILE.WNS.Type" : {"Type":"String","Value":"wns/badge"},
       "AWS.SNS.MOBILE.MPNS.NotificationClass" : {"Type":"String","Value":"realtime"}
   }
}
certificate_string

By default AWS::SNS::Verify will fetch the certificate string by issuing an HTTP GET request to SigningCertURL. The SigningCertURL in the message must be a AWS SNS endpoint.

If you wish to use a cached version, then pass it in.

validate_signing_cert_url (default: true)

If you're using a fake SNS server in your local test environment, the SigningCertURL won't be an AWS endpoint. If so, set validate_signing_cert_url to 0.

Don't ever do this in any kind of Production environment.

verify

Returns a 1 on success, or die with an Ouch on a failure.

message

Returns a hash reference of the decoded body that was passed in to the constructor.

certificate_string

If you want to cache the certificate in a local cache, then get it using this method.

decode_signature

You should never need to call this, it decodes the base64 signature.

fetch_certificate

You should never need to call this, it fetches the signing certificate.

generate_signature_string

You should never need to call this, it generates the signature string required to verify the request.

valid_cert_url

You should never need to call this, it checks the validity of the certificate signing URL per https://github.com/aws/aws-php-sns-message-validator/blob/master/src/MessageValidator.php#L22

REQUIREMENTS

Requires Perl 5.12 or higher and these modules:

  • Ouch

  • JSON

  • HTTP::Tiny

  • MIME::Base64

  • Moo

  • Crypt::OpenSSL::RSA

  • Crypt::OpenSSL::X509

SUPPORT

Repository

http://github.com/rizen/AWS-SNS-Verify

Bug Reports

http://github.com/rizen/AWS-SNS-Verify/issues

AUTHOR

JT Smith <jt_at_plainblack_dot_com>

LEGAL

AWS::SNS::Verify is Copyright 2015 Plain Black Corporation (http://www.plainblack.com) and is licensed under the same terms as Perl itself.