Signature Validation

Remember the mail man scenario we shared earlier in comparison with how webhooks work. Imagine you are the busy kind of person, and you receive quite a lot of parcels. We believe you cannot identify who sent what parcel (JSON Data) by just looking at the envelope.

Yeah, there is always a signature that acknowledges the sender. Our webhooks work like that too.

Moreover, who knows? An unfriendly person might be cooking something unhealthy for you.

Handling WebHook Requests

Our notifications often carry a x-browpay-signature header. This header is a HMAC SHA512 signature that is signed using your secret key.

It is important to verify your webhook requests against fake or unrelated data before it is processed for security purposes.

const crypto = require('crypto');

const secret = your-secret-key;
// Using ExpressJS
app.post("/your-server/webhook-endpoint", (req, res) =>  {
   //validate event    
   const hash = crypto.createHmac('sha512', secret).update(JSON.stringify(req.body)).digest('hex');
   if (hash == req.headers['x-browpay-signature']) {
   // body
   const event = req.body;
   // you may use the data here
   }
   
   // do nothing
res.send(200);

});

import hmac
import hashlib
from http.server import BaseHTTPRequestHandler, HTTPServer

class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        secret = b'your-secret-key'
        content_length = int(self.headers['Content-Length'])
        content = self.rfile.read(content_length)

        # validate event
        hash_signature = hmac.new(secret, content, hashlib.sha512).hexdigest()
        if hash_signature == self.headers.get('x-browpay-signature'):
            # process the event
            event = content.decode('utf-8')
            # use the data here

        # do nothing
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b'OK')

if __name__ == '__main__':
    server_address = ('', 8000)
    httpd = HTTPServer(server_address, WebhookHandler)
    httpd.serve_forever()

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;

import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpServer;

public class MinimalWebhookHandler {

    public static void main(String[] args) throws IOException {
        int port = 8080;
        HttpServer server = HttpServer.create(new InetSocketAddress(port), 0);
        server.createContext("/your-server/webhook-endpoint", new WebhookHandler());
        server.setExecutor(null); // creates a default executor
        server.start();
    }

    static class WebhookHandler implements HttpHandler {
        @Override
        public void handle(HttpExchange exchange) throws IOException {
            InputStream requestBody = exchange.getRequestBody();
            byte[] buffer = new byte[1024];
            int bytesRead;
            StringBuilder content = new StringBuilder();

            while ((bytesRead = requestBody.read(buffer)) != -1) {
                content.append(new String(buffer, 0, bytesRead));
            }

            requestBody.close();

            // Your secret key
            String secret = "your-secret-key";
            // validate event
            String hash = generateHash(content.toString(), secret);
            if (hash.equals(exchange.getRequestHeaders().getFirst("x-browpay-signature"))) {
                // process the event
                String event = content.toString();
                // use the data here
            }

            // do nothing
            exchange.sendResponseHeaders(200, 0);
            OutputStream os = exchange.getResponseBody();
            os.close();
        }

        private String generateHash(String data, String secret) {
            // Implement your HMAC generation logic here
            return ""; // Replace with your actual implementation
        }
    }
}

<?php

$secret = 'your-secret-key';
$content = file_get_contents('php://input');
$hash_signature = hash_hmac('sha512', $content, $secret);

if ($hash_signature == $_SERVER['HTTP_X_BROWPAY_SIGNATURE']) {
    // process the event
    $event = $content;
    // use the data here
}

// do nothing
http_response_code(200);
echo 'OK';

package main

import (
	"crypto/hmac"
	"crypto/sha512"
	"encoding/base64"
	"io/ioutil"
	"net/http"
)

func main() {
	secret := "your-secret-key"

	http.HandleFunc("/your-server/webhook-endpoint", func(w http.ResponseWriter, r *http.Request) {
		content, _ := ioutil.ReadAll(r.Body)
		defer r.Body.Close()

		// validate event
		hash := generateHash(content, []byte(secret))
		if hash == r.Header.Get("x-browpay-signature") {
			// process the event
			event := string(content)
			// use the data here
		}

		// do nothing
		w.WriteHeader(http.StatusOK)
	})

	http.ListenAndServe(":8080", nil)
}

func generateHash(data []byte, secret []byte) string {
	h := hmac.New(sha512.New, secret)
	h.Write(data)
	hashBytes := h.Sum(nil)
	return base64.StdEncoding.EncodeToString(hashBytes)
}

We however added an extra layer of data security to protect you and the notification you receive from us. It is not recommended if you are satisfied with validating the signature.

Payload Encryption and Decryption.

PreviousWebhooks NextEncryption and Decryption

Last updated 5 months ago

Was this helpful?