Alternate Webhook Verification Implementation #117
Description
I am running cloudconvert from within Cloudflare. I'm basically just pulling out all the types from it as the Axios client does work in the environment properly. Looking forward to the fetch implementation. All that aside, I wanted to share a code snippet for consideration of inclusion into the client.
The crypto library is not implemented in cloudflare and so I whipped together this implementation.
"@types/jsrsasign": "^10.5.13",
import { KJUR } from "jsrsasign";
export function verifyWebhookSignature(payloadString: string, signature: string, signingSecret: string): boolean {
// Create the HMAC object with SHA256
const hmacObj = new KJUR.crypto.Mac({ alg: "HmacSHA256", pass: { utf8: signingSecret } });
// Update the HMAC with the payload
hmacObj.updateString(payloadString);
// Get the HMAC in hexadecimal format
const signed = hmacObj.doFinal();
// Compare the computed HMAC to the provided signature
return signature === signed;
}