
Boxr::WebhookValidator fails to validate V2 webhook signatures

Open ryankon opened this issue 1 year ago • 4 comments

Describe the bug

I tried running the latest version of this gem (v1.20.0) with Ruby 3.2.2 and Rails 7.1.2. With V2 webhooks, the validation fails and returns the same signature every time.

To Reproduce

Steps to reproduce the behavior:

  1. Create a Box V2 webhook
  2. Perform the appropriate action that triggers the webhook
  3. Run .valid_message? in the controller
  4. Signature validation fails

Expected behavior

I expect the signature validation to pass.

Screenshots N/A

Desktop (please complete the following information): N/A

Smartphone (please complete the following information): N/A

Additional context

I've fixed the issue in my forked repo here: https://github.com/windrushlabs/boxr/commit/cbac55def7d8ba4153fb7804df5ca3ddb7cff33c

However, I do not know the implications of this, specifically with V1 webhooks and older Ruby versions, and the tests failed to run, though I have not yet spent time to figure out why.

ryankon, Dec 10 '23 21:12
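
As an added example (not code from boxr or from the fork linked above): a stand-alone Ruby check of a Box V2 webhook signature that follows Box's documented manual-verification steps, usable as an independent reference when a library's result is in doubt. The function names, the lower-cased header hash and the sample key, body and timestamp are assumptions made for illustration.

```ruby
require "openssl"
require "base64"
require "time"

MAX_AGE_SECONDS = 600 # Box documents a ten-minute freshness window

# Base64(HMAC-SHA256(key, raw body bytes followed by the timestamp header bytes))
def box_v2_signature(key, raw_body, delivery_timestamp)
  digest = OpenSSL::HMAC.digest("SHA256", key, raw_body.b + delivery_timestamp.b)
  Base64.strict_encode64(digest)
end

# Comparison whose running time does not depend on where the strings differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# headers: Hash with lower-cased header names (assumption about the caller).
# raw_body: the exact bytes received, not re-serialised JSON.
def box_v2_webhook_valid?(raw_body:, headers:, primary_key:, secondary_key: nil, now: Time.now)
  timestamp = headers["box-delivery-timestamp"]
  return false if timestamp.nil?
  begin
    sent_at = Time.iso8601(timestamp)
  rescue ArgumentError
    return false
  end
  return false if now - sent_at > MAX_AGE_SECONDS # stale delivery: possible replay

  # Either signing key may match, which allows key rotation without downtime.
  candidates = [[primary_key, headers["box-signature-primary"]],
                [secondary_key, headers["box-signature-secondary"]]]
  candidates.any? do |key, received|
    key && received && secure_equal?(box_v2_signature(key, raw_body, timestamp), received)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample delivery; key, body and timestamp are made up.
  ts   = "2024-01-01T12:00:00-07:00"
  body = '{"type":"webhook_event","trigger":"FILE.UPLOADED"}'
  hdrs = { "box-delivery-timestamp" => ts,
           "box-signature-primary" => box_v2_signature("constructed-key", body, ts) }
  puts box_v2_webhook_valid?(raw_body: body, headers: hdrs, primary_key: "constructed-key",
                             now: Time.iso8601(ts) + 60)
end
```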

@xhocquet I wanted to follow up on this. As far as I can tell, webhook validation is broken completely unless this is merged. I'm running this in production via a fork currently, and everything seems to be working well. Thanks!

ryankon, Mar 30 '24 11:03

Hey @ryankon, sorry I haven't been able to take a look at this, we don't use Box at my job anymore so any contributions here have been on the side. No promises, but I'll keep this on my radar to see if I can get it merged + released. Thanks for the ping

xhocquet, Apr 01 '24 15:04