Ensure that signature is sent before files

Closes #51

lib/transloadit/request.rb

@@ -139,11 +139,22 @@ def to_payload(payload = nil)
     return {} if payload.nil?
     return {} if payload.respond_to?(:empty?) && payload.empty?
 
-    # TODO: refactor this, don't update a hash that's not ours
-    payload.update params: MultiJson.dump(payload[:params])
-    payload.update signature: signature(payload[:params])
-    payload.delete :signature if payload[:signature].nil?
-    payload
+    # Create a new hash with JSONified params and a signature if a secret was provided.
+    # Note: We first set :params and :signature to ensure that these are the first fields
+    # in the multipart requests, before any file. Otherwise, a signature will only be transmitted
+    # after all files have been uploaded. The order of the fields in a multipart request
+    # follows the order of the entries in the returned hash here.
+    # See https://github.com/transloadit/ruby-sdk/issues/51
+    new_payload = {
+      :params => MultiJson.dump(payload[:params])
+    }
+    sig = signature(new_payload[:params])
+    new_payload[:signature] = sig unless sig.nil?
+
+    # Copy all values, excluding :params and :signature keys.
+    new_payload.update payload.reject { |key, _| key == :params || key == :signature }
+
+    new_payload
   end
 
   #

test/unit/transloadit/test_assembly.rb

@@ -49,6 +49,40 @@
       end
     end
 
+    describe "with a secret" do
+      include WebMock::API
+
+      before do
+        WebMock.reset!
+        stub_request(:post, "https://api2.transloadit.com/assemblies")
+          .to_return(body: '{"ok":"ASSEMBLY_COMPLETED"}')
+      end
+
+      after do
+        WebMock.reset!
+      end
+
+      it "must send the signature before any file" do
+        transloadit = Transloadit.new(key: "", secret: "foo")
+        Transloadit::Assembly.new(
+          transloadit
+        ).create! open("lib/transloadit/version.rb")
+
+        assert_requested(:post, "https://api2.transloadit.com/assemblies") do |req|
+          position_params = req.body.index 'name="params"'
+          position_signature = req.body.index 'name="signature"'
+          position_file = req.body.index 'name="file_0"'
+
+          _(position_params).wont_be_nil
+          _(position_signature).wont_be_nil
+          _(position_file).wont_be_nil
+
+          _(position_params < position_signature).must_equal true
+          _(position_signature < position_file).must_equal true
+        end
+      end
+    end
+
     describe "with additional parameters" do
       include WebMock::API