Add webhook signature and timestamp validation methods #113
Conversation
Codecov Report
Coverage diff, master vs. #113:

            master    #113      +/-
Coverage    98.26%    98.30%    +0.04%
Files       28        31        +3
Lines       575       650       +75
Hits        565       639       +74
Misses      10        11        +1
Overall, this looks awesome!
Really happy to see that we'll implement this verification process for our users. I think it'll be great to have these security best practices built into our SDKs.
Only thing that I think we need to change is to use a constant time algorithm when comparing the two digests. See the comment I left there for suggestions.
First SDK pass at adding webhook signature and timestamp validation methods.
I broke up the two methods to give users options, but we could also combine them into one validation method.
I assume that the application will parse the request for the raw POST body and the signature like:
And then enter the parsed information as parameters to the methods, along with the Webhook Secret.
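One way the two methods described above can be implemented, together with the constant-time comparison the review asks for, as an added example that is not the SDK's own code. It is written in Python and assumes a signing scheme (HMAC-SHA256 over `"<timestamp>.<raw body>"`, hex-encoded), header names (`X-Webhook-Timestamp`, `X-Webhook-Signature`) and a five-minute replay window; the project's real scheme, header names and tolerance are not shown on this page, and the function names are hypothetical.

```python
import hashlib
import hmac
import time
from typing import Mapping, Optional

# Assumed header names and replay window; the real SDK's values are not on this page.
TIMESTAMP_HEADER = "X-Webhook-Timestamp"
SIGNATURE_HEADER = "X-Webhook-Signature"
DEFAULT_TOLERANCE_SECONDS = 300


def compute_signature(secret: bytes, timestamp: str, raw_body: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded (assumed scheme).

    Binding the timestamp into the signed message is what lets the timestamp
    check defeat replay: an attacker cannot refresh the timestamp on a captured
    delivery without the secret needed to re-sign it.
    """
    signed_payload = timestamp.encode("ascii") + b"." + raw_body
    return hmac.new(secret, signed_payload, hashlib.sha256).hexdigest()


def validate_timestamp(timestamp: str,
                       tolerance: int = DEFAULT_TOLERANCE_SECONDS,
                       now: Optional[float] = None) -> bool:
    """Reject deliveries whose timestamp lies outside +/- tolerance seconds of now."""
    try:
        ts = int(timestamp)
    except (TypeError, ValueError):
        return False  # missing or non-numeric timestamp fails closed, no exception
    current = time.time() if now is None else now
    return abs(current - ts) <= tolerance


def validate_signature(secret: bytes, timestamp: str, raw_body: bytes,
                       provided_signature: str) -> bool:
    """Recompute the digest and compare it in constant time.

    A plain `expected == provided` stops at the first differing byte, which
    leaks how many leading hex characters of a guess were right.
    hmac.compare_digest runs in time independent of where the inputs differ.
    """
    expected = compute_signature(secret, timestamp, raw_body).encode("ascii")
    provided = provided_signature.strip().lower().encode("utf-8")
    return hmac.compare_digest(expected, provided)


def validate_webhook(secret: bytes, headers: Mapping[str, str], raw_body: bytes,
                     tolerance: int = DEFAULT_TOLERANCE_SECONDS,
                     now: Optional[float] = None) -> bool:
    """Combined check: the timestamp window and the signature must both pass."""
    timestamp = headers.get(TIMESTAMP_HEADER)
    signature = headers.get(SIGNATURE_HEADER)
    if timestamp is None or signature is None:
        return False
    # Check the timestamp first so obviously stale deliveries never reach the HMAC.
    if not validate_timestamp(timestamp, tolerance, now):
        return False
    return validate_signature(secret, timestamp, raw_body, signature)


# Constructed sample delivery, not real traffic. The raw POST body must be used
# byte-for-byte: re-serialising parsed JSON can change whitespace or key order
# and break the digest.
SAMPLE_SECRET = b"whsec_example_secret"
SAMPLE_BODY = b'{"event":"payment.completed","id":"evt_123"}'
SAMPLE_TIMESTAMP = "1700000000"
SAMPLE_HEADERS = {
    TIMESTAMP_HEADER: SAMPLE_TIMESTAMP,
    SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_TIMESTAMP, SAMPLE_BODY),
}

if __name__ == "__main__":
    fresh = 1700000000 + 60
    print("valid delivery:", validate_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=fresh))
    print("tampered body:", validate_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY + b" ", now=fresh))
    print("replayed later:", validate_webhook(SAMPLE_SECRET, SAMPLE_HEADERS, SAMPLE_BODY, now=fresh + 3600))
```

Keeping `validate_timestamp` and `validate_signature` separate, with `validate_webhook` as the combined entry point, matches the "two methods, or one" choice raised in the description: callers who only want one check can still get it, while the default path refuses a delivery unless both pass. The `now` parameter exists so the window check can be tested deterministically; production callers leave it unset.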