coreymcmahon · June 18, 2021 08:55
diff --git a/HmacVerifier.php b/HmacVerifier.php
 <?php

 namespace App;

 use Illuminate\Http\Request;

 class HmacVerifier
 {
    public function isValid(Request $request, string $secret): bool
    {
        $signature = $request->header('X-Signature');

        if (! $signature) {
            return false;
        }

        if (empty($secret)) {
            throw \RuntimeException("Webhook verification key is missing");
        }

        $computedSignature = hash_hmac('sha256', $request->getContent(), $secret);

        // Use hash_equals instead of direct comparison to prevent timing attacks
        // https://www.php.net/manual/en/function.hash-equals.php
        return hash_equals($signature, $computedSignature);
    }
 }
	<?php

	namespace App;

	use Illuminate\Http\Request;

	class HmacVerifier
	{
	public function isValid(Request $request, string $secret): bool
	{
	$signature = $request->header('X-Signature');

	if (! $signature) {
	return false;
	}

	if (empty($secret)) {
	throw \RuntimeException("Webhook verification key is missing");
	}

	$computedSignature = hash_hmac('sha256', $request->getContent(), $secret);

	// Use hash_equals instead of direct comparison to prevent timing attacks
	// https://www.php.net/manual/en/function.hash-equals.php
	return hash_equals($signature, $computedSignature);
	}
	}