Signature Validation
When you create a webhook in the bitvora console, you will be given a secret. This secret is used to sign the webhook payload. You can use this secret to validate the webhook signature.
Example Signature Validation
Node.js
validateWebhookSignature(
payload: string,
signature: string,
secret: string
): boolean {
const hmac = createHmac("sha256", secret);
hmac.update(payload);
const hash = hmac.digest("hex");
return hash === signature;
}
// inside a controller
handleBitvoraWebhook(@Body() body: any, @Req() req: any): string {
let signature = req.headers['bitvora-signature'];
let bitvora = new BitvoraClient('api_key', 'signet');
let stringBody = JSON.stringify(body);
console.log(stringBody);
if (
validateWebhookSignature(
stringBody,
signature,
'8a83fed4f7c7fed7e57f7c2fe6fa5e9dfd38dfab56b3498dc76e8d43241daa5c', // example secret
)
) {
console.log('Invalid signature');
} else {
console.log('Valid signature');
}
console.log('Received webhook', body);
console.log('Signature', signature);
return this.appService.handleBitvoraWebhook(body);
}Go
package main
import (
"crypto/hmac"
"crypto/sha256"
"encoding/hex"
"fmt"
"net/http"
"io/ioutil"
)
func validateWebhookSignature(payload, signature, secret string) bool {
h := hmac.New(sha256.New, []byte(secret))
h.Write([]byte(payload))
expectedSignature := hex.EncodeToString(h.Sum(nil))
return expectedSignature == signature
}
func handleBitvoraWebhook(w http.ResponseWriter, r *http.Request) {
secret := "8a83fed4f7c7fed7e57f7c2fe6fa5e9dfd38dfab56b3498dc76e8d43241daa5c" // example secret
signature := r.Header.Get("bitvora-signature")
bodyBytes, err := ioutil.ReadAll(r.Body)
if err != nil {
http.Error(w, "Error reading request body", http.StatusBadRequest)
return
}
payload := string(bodyBytes)
if validateWebhookSignature(payload, signature, secret) {
fmt.Println("Valid signature")
// Process webhook
w.WriteHeader(http.StatusOK)
w.Write([]byte("Webhook received"))
} else {
fmt.Println("Invalid signature")
http.Error(w, "Invalid signature", http.StatusUnauthorized)
}
}
func main() {
http.HandleFunc("/webhook", handleBitvoraWebhook)
http.ListenAndServe(":8080", nil)
}PHP
<?php
function validateWebhookSignature($payload, $signature, $secret) {
$hash = hash_hmac('sha256', $payload, $secret);
return hash_equals($hash, $signature);
}
function handleBitvoraWebhook() {
$secret = "8a83fed4f7c7fed7e57f7c2fe6fa5e9dfd38dfab56b3498dc76e8d43241daa5c"; // example secret
$signature = $_SERVER['HTTP_BITVORA_SIGNATURE'];
$payload = file_get_contents('php://input');
if (validateWebhookSignature($payload, $signature, $secret)) {
error_log("Valid signature");
// Process webhook
http_response_code(200);
echo "Webhook received";
} else {
error_log("Invalid signature");
http_response_code(401);
echo "Invalid signature";
}
}
handleBitvoraWebhook();
?>Python
import hmac
import hashlib
from flask import Flask, request, jsonify
app = Flask(__name__)
def validate_webhook_signature(payload, signature, secret):
hash = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
return hmac.compare_digest(hash, signature)
@app.route('/webhook', methods=['POST'])
def handle_bitvora_webhook():
secret = "8a83fed4f7c7fed7e57f7c2fe6fa5e9dfd38dfab56b3498dc76e8d43241daa5c" # example secret
signature = request.headers.get('bitvora-signature')
payload = request.get_data(as_text=True)
if validate_webhook_signature(payload, signature, secret):
print("Valid signature")
# Process webhook
return jsonify({"message": "Webhook received"}), 200
else:
print("Invalid signature")
return jsonify({"message": "Invalid signature"}), 401
if __name__ == '__main__':
app.run(port=8080)