SHA256 webhook signature from WooCommerce never verifies

再見小時候 2021-01-02 23:47

I am receiving webhooks from a woocommerce site into a nodejs/express application. I am trying to verify the webhook's signature to prove authenticity, yet the hash I compu

6 answers
  •  不知归路
    2021-01-03 00:34

    Old question but maybe it helps some poor soul out there. The signature needs to be checked against the body and not the JSON it contains. i.e. the raw bytes of the body.

    pseudo:

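            // Raw request body bytes, exactly as received (not the parsed JSON)
            byte[] body = request.Body;
            string signature = request.Header["X-WC-Webhook-Signature"];
    
            // HMAC-SHA256 over the raw body, keyed with the webhook secret
            byte[] secretUtf8 = GetUtf8Bytes("yoursecrethere");
            byte[] hash = HMAC_SHA256.ComputeHash(body, secretUtf8);
            string hashBase64 = ToBase64String(hash);
    
            // The header carries the Base64 encoding of that hash
            bool isValid = hashBase64 == signature;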
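
The point of the answer above, shown in Node.js as an added example (not code from the original question or answer): the HMAC verifies over the raw body bytes and fails once the body has been parsed and re-serialized. The secret, the sample body and the helper names `sign`, `verifyWebhook` and `reserialize` are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed sample values, not taken from a real shop.
const SECRET = 'yoursecrethere';
// Raw body as it could arrive on the wire: spaces after separators and
// escaped slashes, neither of which JSON.stringify reproduces.
const RAW_BODY = Buffer.from(
  '{"id": 42, "status": "processing", "url": "https:\\/\\/shop.example\\/o\\/42", "total": "19.90"}',
  'utf8'
);

// Sender side: Base64 HMAC-SHA256 of the exact bytes that are sent.
function sign(bodyBytes, secret) {
  return crypto.createHmac('sha256', secret).update(bodyBytes).digest('base64');
}

// Receiver side: recompute over the raw bytes and compare in constant time.
function verifyWebhook(rawBody, signatureHeader, secret) {
  if (!Buffer.isBuffer(rawBody) || typeof signatureHeader !== 'string') return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(signatureHeader, 'base64');
  // timingSafeEqual throws on unequal lengths, so check the length first.
  return received.length === expected.length &&
    crypto.timingSafeEqual(received, expected);
}

// The failure mode: what the receiver hashes if it only kept the parsed object.
function reserialize(rawBody) {
  return Buffer.from(JSON.stringify(JSON.parse(rawBody.toString('utf8'))), 'utf8');
}

// Value the sender would put in X-WC-Webhook-Signature for this body.
const SIGNATURE = sign(RAW_BODY, SECRET);

function demo() {
  return {
    rawBytes: verifyWebhook(RAW_BODY, SIGNATURE, SECRET),
    reserialized: verifyWebhook(reserialize(RAW_BODY), SIGNATURE, SECRET),
    wrongSecret: verifyWebhook(RAW_BODY, SIGNATURE, 'not-the-secret'),
    missingHeader: verifyWebhook(RAW_BODY, undefined, SECRET),
  };
}

console.log(demo());
```

In Express, the raw bytes are available when the route uses `express.raw({ type: 'application/json' })` instead of a JSON body parser; `req.body` is then a `Buffer` that can be passed to `verifyWebhook` and parsed afterwards.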
    
