
Code examples

Code example

Java

Java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.digest.HmacAlgorithms;
import org.apache.commons.codec.digest.HmacUtils;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseBody;

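@Controller
public class WebhookExampleController {

    /**
     * Receives a webhook call and accepts it only when the {@code x-signature} header equals the
     * hex-encoded HMAC-SHA256 of the {@code x-timestamp} header value followed by the request body.
     *
     * @param request  incoming request; the {@code x-timestamp} and {@code x-signature} headers are read from it
     * @param payload  request body as received; it must not be re-serialized before the digest is computed
     * @param response outgoing response; its status is set to 200 on success and 400 on failure
     * @return an empty string on success, or a short failure message when verification fails
     */
    @PostMapping("/webhook/example")
    @ResponseBody
    public String receive(HttpServletRequest request, @RequestBody String payload, HttpServletResponse response) {
        String responseBody = "";

        // Get the timestamp and the signature from the headers
        String timestamp = request.getHeader("x-timestamp");
        String signature = request.getHeader("x-signature");

        // Get your secret. getSecret() is not shown in this example; load the value from
        // configuration or a secret store rather than hard-coding it in source.
        String secret = getSecret();

        boolean verified = false;
        // A missing header can never verify. Rejecting it up front also avoids digesting the
        // literal text "null" in place of an absent timestamp.
        if (timestamp != null && signature != null) {
            HmacUtils hmacUtils = new HmacUtils(HmacAlgorithms.HMAC_SHA_256, secret);
            String expected = hmacUtils.hmacHex(timestamp + payload);

            // Constant-time comparison: String.equals returns at the first differing character,
            // which leaks how much of a guessed signature was correct.
            verified = MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    signature.getBytes(StandardCharsets.UTF_8));
        }

        if (verified) {
            // NOTE(review): the timestamp is authenticated by the HMAC but its age is not checked
            // here. Rejecting values outside a short window limits replay of a captured request;
            // the header's format is not shown on this page, so confirm it before parsing.

            // Do something with event

            response.setStatus(HttpServletResponse.SC_OK);
        } else {
            // Invalid or missing signature
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            responseBody = "failed to verify the signature";
        }

        return responseBody;
    }

}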

PHP

PHP
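<?php
use RingCentral\Psr7\Response;

/**
 * Returns the webhook signing secret.
 *
 * The secret is read from the environment so that it never lives in source control.
 * WEBHOOK_SECRET is a constructed variable name; use whatever name your deployment defines.
 *
 * @return string the signing secret
 * @throws RuntimeException when no secret is configured
 */
function getSecret() {
    $secret = getenv('WEBHOOK_SECRET');
    if ($secret === false || $secret === '') {
        throw new RuntimeException('webhook secret is not configured');
    }
    return $secret;
}

/**
 * Verifies the webhook signature and acknowledges the event.
 *
 * The expected signature is the hex HMAC-SHA256 of the x-timestamp header value
 * followed by the raw request body, keyed with the webhook secret.
 *
 * @param mixed $request incoming PSR-7 style request
 * @param mixed $context invocation context (unused here)
 * @return Response 200 with the body echoed back, or 400 when verification fails
 */
function handler($request, $context): Response {
    $timestamp = $request->getHeaderLine('x-timestamp');
    $signature = $request->getHeaderLine('x-signature');
    $body = $request->getBody()->getContents();

    // getHeaderLine() returns '' for an absent header; such a request can never verify.
    if ($timestamp === '' || $signature === '') {
        return new Response(400, array(), 'failed to verify the signature');
    }

    $expected = hash_hmac('sha256', $timestamp . $body, getSecret());

    // hash_equals() compares in constant time and as strings. The loose != operator
    // type-juggles numeric-looking strings such as "0e123", so two different
    // signatures could compare equal, and it stops at the first difference.
    if (!hash_equals($expected, $signature)) {
        return new Response(400, array(), 'failed to verify the signature');
    }

    // Do something with event
    return new Response(200, array(), $body);
}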

Node.js

JavaScript
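// express.js
const crypto = require('crypto')

// Placeholder: load the real webhook secret from configuration or a secret store, not from source.
const secret = '<CLIENT_API_WEBHOOK_SECRET>'

/**
 * Verifies the webhook signature before passing control to the next handler.
 *
 * The expected signature is the hex HMAC-SHA256 of the x-timestamp header value
 * followed by the raw request body, keyed with the webhook secret.
 *
 * @param {object} ctx request context; reads ctx.request.headers, ctx.request.body and ctx.request.rawBody
 * @param {Function} next continuation called once the signature is verified
 * @returns {Promise<*>} the result of next() on success; undefined after a failure response is set
 */
async function webhookController(ctx, next) {
  // webhook is received
  const { headers, body } = ctx.request

  // The HMAC covers the exact text that was sent, so it must be computed over the raw body.
  // A parsed object interpolates as "[object Object]" and can never match. rawBody is where
  // koa-bodyparser keeps the unparsed payload; with another parser, use its equivalent.
  const rawBody = typeof body === 'string' ? body : ctx.request.rawBody
  const ts = headers['x-timestamp']
  const received = headers['x-signature']

  let verified = false
  if (typeof rawBody === 'string' && typeof ts === 'string' && typeof received === 'string') {
    const policy = `${ts}${rawBody}`
    const signatureHex = crypto.createHmac('sha256', secret).update(policy).digest('hex')

    const expectedBuf = Buffer.from(signatureHex, 'utf8')
    const receivedBuf = Buffer.from(received, 'utf8')
    // timingSafeEqual throws on unequal lengths, so check the length first; the comparison
    // itself runs in constant time, unlike ===.
    verified = expectedBuf.length === receivedBuf.length &&
      crypto.timingSafeEqual(expectedBuf, receivedBuf)
  }

  if (!verified) {
    ctx.status = 500
    ctx.body = 'failed to verify webhook signature'
    return
  }

  // do business logic after signature is verified
  // (parse the payload fields, e.g. name and accountId, only from this point on)

  return next() // http response code = 200: ack the webhook
}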