require 'openssl'
require 'base64'
key = "secret-key"
data = "some data to be signed"
# HMAC-SHA256 of data under key, Base64-encoded; strip drops the newline encode64 appends
Base64.encode64(OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, data)).strip
What @gr8bit said.
secure_hash = OpenSSL::HMAC.hexdigest('SHA256', <key>, <data>)
Note that it's also very important to define what data to sign. In the Shopify example, they sign the POST request body (which makes sense for webhooks). So make sure you figure out what data you want to sign (request path, params, user auth data, nonce, etc.), such that an attacker can at most replay the call, and cannot make other calls with the request signature.
+1 for @gr8bit's suggestion
@A1iAshoor's example is what Stripe is using in its libraries. In case anyone else is also writing tests for your webhooks.
If you came here (like me) looking for a quick hint on how to encode hmac sha256 for Facebook's appsecret_proof parameter, this is what you are looking for:
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), <app_secret>, <user_access_token>)
:)
Thanks, it works like a charm.
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), <app_secret>, <user_access_token>)
Thanks, it worked well here too!
secure_hash = OpenSSL::HMAC.hexdigest('SHA256', <key>, <data>)
thx~
OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), <app_secret>, <user_access_token>)
Worked perfectly for Facebook API, thank you @gr8bit
Nice guide by Shopify on how to verify webhooks
https://docs.shopify.com/api/webhooks/using-webhooks#verify-webhook
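The comment above about choosing what data to sign, worked through on the receiving side as an added example (not code from the gist or from Shopify, Stripe or Facebook). The canonical string layout, the 300-second window, the nonce store and all function names are assumptions made for illustration.

```ruby
require 'openssl'
require 'base64'
require 'set'

MAX_SKEW = 300 # seconds a signed request stays acceptable (assumed policy)

# Hypothetical canonical form: every field the receiver acts on is covered,
# one per line; the body is hashed so its content cannot shift field boundaries.
def canonical_string(method, path, timestamp, nonce, body)
  [method.upcase, path, timestamp.to_s, nonce,
   OpenSSL::Digest.new('sha256').hexdigest(body)].join("\n")
end

def sign_request(key, method, path, timestamp, nonce, body)
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key,
                             canonical_string(method, path, timestamp, nonce, body))
  Base64.strict_encode64(mac)
end

# Returns :ok, :stale, :bad_signature or :replayed.
def verify_request(key, signature, method, path, timestamp, nonce, body, seen_nonces, now: Time.now.to_i)
  return :stale if (now - timestamp.to_i).abs > MAX_SKEW
  expected = sign_request(key, method, path, timestamp, nonce, body)
  # Constant-time comparison, so response timing does not reveal how many
  # leading characters of a guessed signature were correct.
  return :bad_signature unless OpenSSL.secure_compare(expected, signature.to_s)
  # Record the nonce only after the MAC checks out, so unauthenticated
  # requests cannot fill the nonce store.
  return :replayed unless seen_nonces.add?(nonce)
  :ok
end

if __FILE__ == $PROGRAM_NAME
  key  = 'constructed-demo-key' # constructed sample values
  body = '{"order_id": 42}'
  ts   = Time.now.to_i
  sig  = sign_request(key, 'POST', '/webhooks/orders', ts, 'nonce-1', body)
  seen = Set.new
  puts verify_request(key, sig, 'POST', '/webhooks/orders', ts, 'nonce-1', body, seen)  # ok
  puts verify_request(key, sig, 'POST', '/webhooks/orders', ts, 'nonce-1', body, seen)  # replayed
  puts verify_request(key, sig, 'POST', '/webhooks/refunds', ts, 'nonce-2', body, seen) # bad_signature
end
```

Because the path, timestamp and nonce are inside the MAC, a captured signature is only valid for the exact call it was issued for, and the nonce store plus time window bound how long even that replay works.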