Clova v0.5.0 Clova.ValidatorPlug

Validates the HTTP request body against the signaturecek header and provided app_id.

CEK requests are signed by the server. This module verifies the signature using the published public key. If the signature is invalid, the connection state is set to 403 Forbidden and the plug pipeline is halted.

Because the raw request body is required to validate the signature, this plug expects the raw request body to be available in the raw_body assign of the Plug.Conn struct. The Clova.CachingBodyReader module can be provided to the Plug.Parsers plug to prepare this data while still parsing the request body.

Usage:

plug Plug.Parsers,
  parsers: [:json],
  json_decoder: Poison,
  body_reader: Clova.CachingBodyReader.spec()
plug Clova.ValidatorPlug, app_id: "com.example.my_extension"

Options

  • :app_id - The application ID as specified in the Clova Developer Center. All requests must contain this ID in the request body. If this option is not provided, the app ID validity is not checked.
  • :force_signature_valid - forces the plug to consider the signature to be valid. This is intended for use in development, because only requests signed by the CEK server will validate against the default public key. Note the signature must still be present and base64-encoded.
  • :public_key - overrides the public key used by this plug. This can be used during testing and development to validate requests generated with the corresponding private key. Alternatively, if the CEK server changes its public key, this can be used to override the default key used by this module until an updated version of this module is available.
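
Why the signature has to be checked against the raw_body bytes rather than the parsed parameters, shown as an added example that is not Clova's own code. It assumes an RSA signature over a SHA-256 digest (the page does not name the algorithm) and uses a constructed key pair and request body; SignatureCheckDemo and its function names are hypothetical.

```elixir
# Added illustration, not Clova's source. Assumes RSA PKCS#1 v1.5 with SHA-256.
defmodule SignatureCheckDemo do
  # Returns :ok, or {:error, reason} when the request should be rejected.
  def verify(raw_body, header_value, public_key) when is_binary(raw_body) do
    with {:ok, header} <- fetch_header(header_value),
         {:ok, signature} <- decode(header),
         true <- :public_key.verify(raw_body, :sha256, signature, public_key) do
      :ok
    else
      false -> {:error, :bad_signature}
      {:error, _reason} = err -> err
    end
  end

  defp fetch_header(nil), do: {:error, :missing_signature}
  defp fetch_header(value) when is_binary(value), do: {:ok, value}

  defp decode(value) do
    case Base.decode64(value) do
      {:ok, signature} -> {:ok, signature}
      :error -> {:error, :signature_not_base64}
    end
  end
end

# Constructed test key pair standing in for the signing server's key.
private_key = :public_key.generate_key({:rsa, 2048, 65_537})
# Elements 2 and 3 of the RSAPrivateKey record are the modulus and public exponent.
public_key = {:RSAPublicKey, elem(private_key, 2), elem(private_key, 3)}

# Constructed body (not the real CEK schema), byte-for-byte as sent on the wire.
raw_body = ~s({"applicationId": "com.example.my_extension", "type": "LaunchRequest"})
header = raw_body |> :public_key.sign(:sha256, private_key) |> Base.encode64()

# The same JSON document after a parse/re-encode round trip: whitespace is gone.
reencoded = String.replace(raw_body, ": ", ":")

IO.inspect(SignatureCheckDemo.verify(raw_body, header, public_key), label: "raw body")
IO.inspect(SignatureCheckDemo.verify(reencoded, header, public_key), label: "re-encoded body")
IO.inspect(SignatureCheckDemo.verify(raw_body, nil, public_key), label: "missing header")
IO.inspect(SignatureCheckDemo.verify(raw_body, "not base64!", public_key), label: "bad encoding")
```

Only the first call succeeds: the re-encoded body is semantically identical JSON but differs in bytes, so the signature no longer matches.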

Summary

Functions

Callback implementation for Plug.call/2

Callback implementation for Plug.init/1

Functions

Callback implementation for Plug.call/2.

Callback implementation for Plug.init/1.