class Api::V1::Widget::ContactsController < Api::V1::Widget::BaseController include WidgetHelper before_action :validate_hmac, only: [:set_user] def show; end def update identify_contact(@contact) end def set_user contact = nil if a_different_contact? @contact_inbox, @widget_auth_token = build_contact_inbox_with_token(@web_widget) contact = @contact_inbox.contact else contact = @contact end @contact_inbox.update(hmac_verified: true) if should_verify_hmac? && valid_hmac? identify_contact(contact) end # TODO : clean up this with proper routes delete contacts/custom_attributes def destroy_custom_attributes @contact.custom_attributes = @contact.custom_attributes.excluding(params[:custom_attributes]) @contact.save! render json: @contact end private def identify_contact(contact) contact_identify_action = ContactIdentifyAction.new( contact: contact, params: permitted_params.to_h.deep_symbolize_keys ) @contact = contact_identify_action.perform end def a_different_contact? @contact.identifier.present? && @contact.identifier != permitted_params[:identifier] end def validate_hmac return unless should_verify_hmac? render json: { error: 'HMAC failed: Invalid Identifier Hash Provided' }, status: :unauthorized unless valid_hmac? end def should_verify_hmac? return false if params[:identifier_hash].blank? && !@web_widget.hmac_mandatory # Taking an extra caution that the hmac is triggered whenever identifier is present return false if params[:custom_attributes].present? && params[:identifier].blank? true end def valid_hmac? params[:identifier_hash] == OpenSSL::HMAC.hexdigest( 'sha256', @web_widget.hmac_token, params[:identifier].to_s ) end def permitted_params params.permit(:website_token, :identifier, :identifier_hash, :email, :name, :avatar_url, :phone_number, custom_attributes: {}, additional_attributes: {}) end end