The API client can optionally sign the call-back events it sends to my webhook endpoint by including a signature in the HTTP headers of each event. I need to verify the payloads sent to my webhook receiver endpoint using HMAC-SHA256.
The instructions are:
Your web application should verify the call-back is from NorthRow:
1. Extract the signature value from the header
2. Decode the value from base64 to a hex string
3. Determine the expected signature by computing an HMAC with the HMAC-SHA256 hash function. Use the shared secret and the JSON payload from the call-back as the message (i.e. the request body).
4. Compare the signature in the header to the expected signature.
5. Respond with the appropriate HTTP status code
To satisfy all of these conditions I have prepared the helper below:
require 'openssl'
require 'base64'
require 'active_support/security_utils'

# SHARED_SECRET is the secret shared with the sender (defined elsewhere).
def verify_webhook(data, hmac_header)
  digest = OpenSSL::Digest.new('sha256')
  # HMAC-SHA256 over the raw request body, base64-encoded and stripped of
  # the trailing newline that Base64.encode64 appends.
  calculated_hmac = Base64.encode64(OpenSSL::HMAC.digest(digest, SHARED_SECRET, data)).strip
  # Constant-time comparison against the value taken from the header.
  ActiveSupport::SecurityUtils.secure_compare(calculated_hmac, hmac_header)
end
Does my implementation satisfy conditions 2 and 3? I don't think I am decoding the value from base64 to a hex string.
I can't compare my result against a real call-back signature (some legal issues), so I have to work in the dark.
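The five steps quoted above, implemented literally (base64 header decoded to hex, HMAC-SHA256 hexdigest over the raw body, constant-time compare, HTTP status), as an added example that is neither the question's helper nor NorthRow's code. It assumes the header carries the standard base64 encoding of the raw 32-byte HMAC and that the message is the exact request body bytes; the shared secret and body in the sample are constructed.

```ruby
require 'openssl'

# Step 2: base64 -> raw bytes -> lowercase hex string.
# unpack1('m0') is strict base64 (no whitespace, padding required), so a
# malformed header value raises instead of silently decoding to garbage.
def header_signature_to_hex(header_value)
  raw = header_value.to_s.strip.unpack1('m0')
  raw.unpack1('H*')
rescue ArgumentError
  nil # malformed base64: treat as "no valid signature"
end

# Step 3: expected signature = HMAC-SHA256(shared secret, request body) as hex.
def expected_signature_hex(shared_secret, request_body)
  OpenSSL::HMAC.hexdigest('SHA256', shared_secret, request_body)
end

# Step 4: constant-time comparison, so response timing does not reveal how
# many leading characters of a guessed signature were correct.
def constant_time_equal?(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Steps 1-5 combined: returns the HTTP status the receiver should answer with.
def verify_webhook(shared_secret, request_body, hmac_header)
  given    = header_signature_to_hex(hmac_header)   # assumed header format
  expected = expected_signature_hex(shared_secret, request_body)
  constant_time_equal?(given, expected) ? 200 : 401
end

# Sender side, used only to build a sample header: base64 of the raw digest.
def sign_for_header(shared_secret, request_body)
  [OpenSSL::HMAC.digest('SHA256', shared_secret, request_body)].pack('m0')
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-shared-secret'        # constructed sample value
  body   = '{"event":"callback","id":123}'    # constructed sample body
  header = sign_for_header(secret, body)
  puts verify_webhook(secret, body, header)         # 200
  puts verify_webhook(secret, body + ' ', header)   # 401: body must be byte-exact
end
```

Because the decoded header bytes are exactly the raw HMAC, comparing their hex form to hexdigest is equivalent to comparing base64 of the raw digest to the header, provided the sender emits canonical base64 without line breaks.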