Detect GeoPoll AT's to: number (#88)

* Securely check GeoPoll incoming signature

This avoids timing attacks

* Log unknown GeoPoll requests parameters

To avoid losing data upon API changes

See #76

* Show GeoPoll channels in Interactions tab

* Detect GeoPoll AT's to: numbers

Fixes #76

app/controllers/geopoll_controller.rb

@@ -20,25 +20,32 @@
 class GeopollController < ApplicationController
   skip_filter :check_login
 
-  # POST /:account_name/:channel_name/:secret_token/geopoll/incoming
+  # POST /:account_name/:channel_name/geopoll/incoming
   def incoming
     account = Account.find_by_id_or_name(params[:account_name])
     channel = account.geopoll_channels.find_by_name(params[:channel_name])
     auth_token = channel.configuration[:auth_token].to_s.split(' ')[1]
     identifier = params[:Identifier]
     signature = Digest::MD5.hexdigest(auth_token + identifier)
 
-    if signature != params[:Signature]
+    if !(ActiveSupport::SecurityUtils.secure_compare params[:Signature], signature)
       return render text: "Error", status: :unauthorized
     end
 
+    unknown_params = params.except(
+      'Identifier', 'Signature', 'SourceAddress', 'TargetAddress', 'MessageText', # GeoPoll API specification
+      'account_name', 'channel_name', 'controller', 'action' # Rails-generated parameters
+    )
+
     msg = AtMessage.new
     msg.from = "sms://#{params[:SourceAddress]}"
-    msg.to   = "sms://#{channel.configuration[:from]}"
+    msg.to   = "sms://#{params[:TargetAddress]}"
     msg.body = params[:MessageText]
     msg.channel_relative_id = params[:Identifier]
     account.route_at msg, channel
 
+    channel.logger.warning :channel_id => channel.id, :at_message_id => msg.id, :message => "Received unknown parameters for AT #{msg.id}: #{unknown_params.to_json}" unless unknown_params.empty?
+
     render text: "Accepted"
   end
 
@@ -51,6 +58,11 @@ def status
       return render text: "Error", status: :not_found
     end
 
+    unknown_params = params.except(
+      'MessageId', 'Status', # GeoPoll API specification
+      'account_name', 'channel_name', 'controller', 'action' # Rails-generated parameters
+    )
+
     status = params[:Status]
     case status
       when "SUCCESS"
@@ -63,8 +75,10 @@ def status
     account.logger.info :channel_id => channel.id, :ao_message_id => ao.id,
       :message => "Recieved delivery notification with status #{status.inspect}"
 
-     ao.custom_attributes[:geopoll_status] = status if status
-     ao.save!
+    channel.logger.warning :channel_id => channel.id, :at_message_id => msg.id, :message => "Received unknown parameters for AO #{msg.id} Status: #{unknown_params.to_json}" unless unknown_params.empty?
+
+    ao.custom_attributes[:geopoll_status] = status if status
+    ao.save!
 
     render text: "Accepted"
   end

app/views/interactions/show.html.erb

@@ -110,6 +110,18 @@
     </ul>
   <%- end -%>
 
+  <%- if channels.any?{|c| c.kind == 'geopoll'} -%>
+    <div><b>Via <%= link_to 'GeoPoll', 'https://www.geopoll.com/', :target => '_blank' -%></b></div>
+    <ul>
+      <%- channels.select{|c| c.kind == 'geopoll'}.each do |channel| -%>
+        <li>Incoming Messages URL: <span class="url">POST <%= geopoll_incoming_url(:account_name => account.name, :channel_name => channel.name) -%></span>
+          create Application Terminated Messages in channel <%= channel.name %></li>
+        <li>Delivery Reports Receiver URL: <span class="url">POST <%= geopoll_status_url(:account_name => account.name, :channel_name => channel.name) -%></span>
+          receive delivery reports in channel <%= channel.name %></li>
+      <%- end -%>
+    </ul>
+  <%- end -%>
+
   <%- unless applications.empty? -%>
     <div><b>Via <%= link_to 'RSS', 'http://en.wikipedia.org/wiki/RSS', :target => '_blank' -%></b></div>
     Use <%= link_to 'Http Basic Authentication', 'http://en.wikipedia.org/wiki/Basic_access_authentication', :target => '_blank' -%> with application credentials (use "account/application" as username).