Skip to content

Instantly share code, notes, and snippets.

@jstacoder

jstacoder/validate.py

Last active May 16, 2019 13:48
Show Gist options
  • Save jstacoder/180925be6dc7bba6db9a3b2c3e0f0924 to your computer and use it in GitHub Desktop.
Save jstacoder/180925be6dc7bba6db9a3b2c3e0f0924 to your computer and use it in GitHub Desktop.
Download ZIP
VALIDATE QUICKBOOKS SIGNATURE HEADER FOR WEBHOOK PYTHON
Raw
validate.py
import base64
import hmac
import hashlib
def validate_signature_header(verifier_token, request_body, signature):
# per quickbooks documentation
# 1st step:
# hash the notification payload (request_body) with HMAC_SHA256_ALGORITHM
# using <verifier token> as the key
hmac_hex_digest = hmac.new(
verifier_token,
request_body,
hashlib.sha256
)
# 2nd step:
# convert the intuit-signature header from base-64 to base-16
decoded_hex_signature = base64.b64decode(
signature
).encode('hex')
# 3rd step
# compare values from step 1 and 2
return hmac_hex_digest == decoded_hex_signature
@sharozmirza
Copy link

I think the original code was written for python2. It did not work for me as well since I was using python3. Here is the code that worked for me:

import base64
import hmac
import hashlib

def validate_signature_header(verifier_token, request_body, signature):

hmac_hex_digest = hmac.new(
    verifier_token,    # token from quickbooks in bytes
    request_body,    # request_body = request.data
    hashlib.sha256
).hexdigest()

decoded_hex_signature = base64.b64decode(
    signature   # request.headers.get('intuit-signature')
).hex()

return hmac_hex_digest == decoded_hex_signature

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment