webhook: export ComputeSignature #602
Conversation
| @@ -15,7 +15,7 @@ import ( | |||
| ) | |||
|
|
|||
| const ( | |||
| // Signatures older than this will be rejected by ConstructEvent | |||
| // DefaultTolerance signatures older than this will be rejected by ConstructEvent | |||
There was a problem hiding this comment.
Thanks for the fix here, but could you make this a sensible sentence? Like DefaultTolerance is the amount of drift in time that's allowed by ConstructEven as it's validating a signature.
| // https://stripe.com/docs/webhooks#signatures | ||
| func computeSignature(t time.Time, payload []byte, secret string) []byte { | ||
| mac := hmac.New(sha256.New, []byte(secret)) | ||
| func ComputeSignature(t time.Time, payload, secret []byte) []byte { |
There was a problem hiding this comment.
Thanks a lot for trying to follow the advice I was giving in #497!
Contrary to what I said there though, I now see that unfortunately changing the signature to []byte ends up breaking compatibility on a lot of these already-exported functions. It's also still not perfectly consistent because header in some of the functions below is still a string.
Sorry for the reversal, but for those reasons, I think it actually might be better to leave secret here as a string, at least for the time being. Would you mind changing it back?
|
Would this still be merged? I am trying to use hooks and surprise surprise -- I need to manually write code for signature verification (and what if the algo later will change?). |
|
This pull request seems to have stalled out, so I'm going to close it in favor of #650. |
* updated circleci config * removed SFDX tests for prod env and add readme entry on how to fix that mess up * adding non-nil refresh token * added refresh token gen for prod * reverted config * added more documentation * addressed PR feedback * fixed typo * Update README.md
Fixes #497.