Check signature
To ensure that we are calling your webhook, each request contains an X-Hub-Signature header carrying an HMAC signature.
If the request does not contain this header, do not process the event. Algoan always configures a signature and will not call you without it.
The X-Hub-Signature header is a SHA256 signature of the request body's payload property. The signature is calculated using a keyed-hash message authentication code (HMAC) whose key is your webhook secret, and is then prefixed with sha256=. Your webhook endpoint can verify this signature to validate the integrity and origin of the payload. Please note that the calculation is made on the raw escaped Unicode version of the payload, with lower case hex digits.
For example, the string äöå will be escaped to \u00e4\u00f6\u00e5. The calculation also escapes / to \/, < to \u003C, % to \u0025 and @ to \u0040. If you just calculate against the decoded bytes, you will end up with a different signature.
const express = require('express');
const bodyParser = require('body-parser');
const crypto = require('crypto');

const app = express();
const port = 3000;

app.use(bodyParser.json());

app.post('/webhook-endpoint', (req, res) => {
  // Extract the signature from the request header. It should look like "sha256=..."
  // Express exposes incoming headers on req.headers (lower-cased names); req.header is a function.
  const extractedSignature = req.headers['x-hub-signature'];

  // Algoan always sends the header: reject the request if it is missing or malformed.
  if (typeof extractedSignature !== 'string' || !extractedSignature.startsWith('sha256=')) {
    return res.sendStatus(401);
  }
  const hash = extractedSignature.slice('sha256='.length);

  // Extract the payload from the request body
  const payload = req.body.payload;

  // Using the subscription secret provided to Algoan, compute the expected signature.
  // Note: the signature is computed over the escaped Unicode form of the payload described above;
  // JSON.stringify alone does not apply that escaping to non-ASCII characters or to /, <, % and @.
  const expectedSignature = crypto
    .createHmac('sha256', 'your_secret_key')
    .update(JSON.stringify(payload))
    .digest('hex');

  // Reject with an HTTP error if it does not match: someone else is trying to call your endpoint.
  // Compare in constant time, and return so that a second response is never sent.
  const received = Buffer.from(hash, 'hex');
  const expected = Buffer.from(expectedSignature, 'hex');
  if (received.length !== expected.length || !crypto.timingSafeEqual(received, expected)) {
    return res.sendStatus(401);
  }

  res.sendStatus(204);
});

app.listen(port, () => {
  console.log(`Listening on port ${port}`);
});