Created
April 3, 2025 17:23
verifying finix signature
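# Raw Finix signature header as exposed under its Rack key; nil when the sender
# did not supply one.
signature_header = request.headers["HTTP_FINIX_SIGNATURE"]
# The signing secret is the "secret_signing_key" returned in the response when
# the webhook was created. Load it from the environment (or encrypted
# credentials) instead of committing it to source; ENV.fetch raises KeyError
# when it is unset, so verification fails closed. The variable name below is
# illustrative, not a Finix convention.
signing_secret = ENV.fetch("FINIX_WEBHOOK_SIGNING_SECRET")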
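# Splits a signature header of the form "timestamp=<value>, sig=<value>" into
# its two fields.
#
# The header comes from an unauthenticated sender, so a missing header or a
# missing field must not raise: each absent field is returned as nil and the
# caller is expected to reject the request.
#
# @param signature_header [String, nil] raw header value
# @return [Array(String, String)] [timestamp, received_signature]; either
#   element is nil when its field is absent
def get_timestamp_and_signature_parts(signature_header)
  fields = signature_header.to_s.split(",").map(&:strip)

  # Split on the first "=" only, so a value that itself contains "=" is not truncated.
  value_of = lambda do |prefix|
    fields.find { |field| field.start_with?(prefix) }&.split("=", 2)&.last
  end

  [value_of.call("timestamp="), value_of.call("sig=")]
end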
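# Verifies a webhook signature: hex-encoded HMAC-SHA256 over
# "<timestamp>.<body>", keyed with the signing secret and compared with a
# constant-time comparison.
#
# @param payload [String, Hash] the request body. Pass the raw body string
#   (e.g. request.raw_post) whenever possible: a Hash is re-serialized with
#   to_json, and key order, whitespace or escaping may then differ from the
#   bytes the sender signed, causing genuine requests to fail verification.
# @param timestamp [String] timestamp field taken from the signature header
# @param received_signature [String] hex signature taken from the signature header
# @param signing_secret [String] secret returned when the webhook was created
# @return [Boolean] true only when the signature matches; false on mismatch,
#   missing fields, or any error raised while verifying
#
# NOTE(review): the timestamp is covered by the HMAC but its age is not checked
# here, so a captured request keeps verifying indefinitely. Callers should
# reject stale timestamps once the timestamp unit is confirmed against the
# provider documentation.
def self.verify_signature(payload, timestamp, received_signature, signing_secret)
  # A request without both header fields can never verify; reject it before
  # doing any work instead of relying on the rescue below.
  return false unless received_signature.is_a?(String) && !timestamp.to_s.empty?

  # Sign the bytes that were received; only fall back to re-serializing when
  # the caller has nothing but the parsed Hash.
  payload_string = payload.is_a?(String) ? payload : payload.to_json
  message = "#{timestamp}.#{payload_string}"
  calculated_signature = OpenSSL::HMAC.hexdigest("sha256", signing_secret, message)
  return false unless received_signature.bytesize == calculated_signature.bytesize

  # Constant-time comparison, so response timing does not reveal how many
  # leading characters of a guessed signature were correct.
  ActiveSupport::SecurityUtils.secure_compare(received_signature, calculated_signature)
rescue => e
  # Fail closed: any unexpected error counts as a failed verification.
  Rails.logger.error("Signature verification error: #{e.message}")
  false
end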