-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: add support for validating webhook signatures inter-768
- Loading branch information
1 parent
de05eb7
commit 6a4cbd6
Showing
7 changed files
with
168 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Webhook | ||
|
||
## **CheckHeader** | ||
|
||
> Fingerprint\ServerAPI\Webhook\WebhookVerifier::checkHeader(string $header, string $data, string $secret): bool | ||
Verifies the HMAC signature extracted from the "fpjs-event-signature" header of the incoming request. This is a part of the webhook signing process, which is available only for enterprise customers. | ||
If you wish to enable it, please [contact our support](https://fingerprint.com/support). | ||
|
||
### Required Parameters | ||
|
||
| Name | Type | Description | Notes | | ||
|------------|------------|------------------------------------------------------------|-------| | ||
| **header** | **string** | Value of the "fpjs-event-signature" header. | | | ||
| **data** | **string** | Body of the request from which above header was extracted. | | | ||
| **secret** | **string** | Your generated secret used to sign the request. | | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
<?php | ||
|
||
namespace Fingerprint\ServerAPI\Webhook; | ||
|
||
final class WebhookVerifier | ||
{ | ||
public static function checkHeader(string $header, string $data, string $secret): bool | ||
{ | ||
$signatures = explode(',', $header); | ||
foreach ($signatures as $signature) { | ||
$parts = explode('=', $signature); | ||
if (2 === count($parts) && 'v1' === $parts[0]) { | ||
$hash = $parts[1]; | ||
if (self::checkSignature($hash, $data, $secret)) { | ||
return true; | ||
} | ||
} | ||
} | ||
|
||
return false; | ||
} | ||
|
||
private static function checkSignature(string $signature, string $data, string $secret): bool | ||
{ | ||
$hash = hash_hmac('sha256', $data, $secret); | ||
|
||
return hash_equals($hash, $signature); | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
<?php | ||
|
||
namespace Fingerprint\ServerAPI; | ||
|
||
use Fingerprint\ServerAPI\Webhook\WebhookVerifier; | ||
use PHPUnit\Framework\TestCase; | ||
|
||
class WebhookVerifierTest extends TestCase | ||
{ | ||
private $secret = "secret"; | ||
private $data = "data"; | ||
|
||
public function testWithValidSignature() | ||
{ | ||
$validHeader = "v1=1b2c16b75bd2a870c114153ccda5bcfca63314bc722fa160d690de133ccbb9db"; | ||
$result = WebhookVerifier::checkHeader($validHeader, $this->data, $this->secret); | ||
$this->assertTrue($result, "With valid signature"); | ||
} | ||
|
||
public function testWithInvalidHeader() | ||
{ | ||
$result = WebhookVerifier::checkHeader("v2=invalid", $this->data, $this->secret); | ||
$this->assertFalse($result, "With invalid header"); | ||
} | ||
|
||
public function testWithHeaderWithoutVersion() | ||
{ | ||
$result = WebhookVerifier::checkHeader("invalid", $this->data, $this->secret); | ||
$this->assertFalse($result, "With header without version"); | ||
} | ||
|
||
public function testWithEmptyHeader() | ||
{ | ||
$result = WebhookVerifier::checkHeader("", $this->data, $this->secret); | ||
$this->assertFalse($result, "With empty header"); | ||
} | ||
|
||
public function testWithEmptySecret() | ||
{ | ||
$validHeader = "v1=1b2c16b75bd2a870c114153ccda5bcfca63314bc722fa160d690de133ccbb9db"; | ||
$result = WebhookVerifier::checkHeader($validHeader, $this->data, ""); | ||
$this->assertFalse($result, "With empty secret"); | ||
} | ||
|
||
public function testWithEmptyData() | ||
{ | ||
$validHeader = "v1=1b2c16b75bd2a870c114153ccda5bcfca63314bc722fa160d690de133ccbb9db"; | ||
$result = WebhookVerifier::checkHeader($validHeader, "", $this->secret); | ||
$this->assertFalse($result, "With empty data"); | ||
} | ||
} |