Authentication

Verify the signature of every message to confirm its authenticity. A subscriber that skips this check will accept forged messages from anyone who can reach its endpoint.

The signature is the HMAC-SHA256 of the unmodified (raw) HTTP request body, keyed with the shared secret configured for the webhook subscriber and hex-encoded. Recompute it over the body exactly as received and compare the result with the value sent in the X-Webhook-Signature HTTP header.

<?php

// Exchanged between Luscii and customer
$sharedSecret = '0123456789abcdef0123456789abcdef';

// Received via HTTP message: the raw request body (do not re-serialize or reformat it)
// and the value of the X-Webhook-Signature header
$messageBody = '{"event":"Measurements","moment":"2019-03-04T10:56:01+01:00","payload":{"user_id":"some-user","additional":"payload"}}';
$messageSignature = 'bbf69852f5b33117cfdb27f25f2fbcd66c35cdef8bb14a3459fc3d4c84133d73';

// Calculate signature
$verificationSignature = hash_hmac('sha256', $messageBody, $sharedSecret);

// Compare securely (simple string comparison is prone to timing attacks)
if (hash_equals($verificationSignature, $messageSignature)) {
    echo 'VALID';
} else {
    echo 'INVALID';
}
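The same check as an added example in Python, for a subscriber written outside PHP. This is not part of the Luscii documentation and goes a little beyond the snippet above: it rejects a missing or malformed header, authenticates before parsing the JSON, and shows why the body must be hashed exactly as received. The secret and message are constructed sample values; the header name X-Webhook-Signature is the one documented above.

```python
import hashlib
import hmac
import json

# Constructed sample secret for this example (not a real Luscii secret).
SHARED_SECRET = b"0123456789abcdef0123456789abcdef"
SIGNATURE_HEADER = "X-Webhook-Signature"


def sign(raw_body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Hex-encoded HMAC-SHA256 of the raw body, as the sender computes it."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify(raw_body: bytes, headers: dict, secret: bytes = SHARED_SECRET) -> bool:
    """Check X-Webhook-Signature against the raw request body.

    Returns False (never raises) when the header is missing, malformed or wrong.
    """
    presented = headers.get(SIGNATURE_HEADER) or headers.get(SIGNATURE_HEADER.lower())
    if not presented:
        return False
    presented = presented.strip()
    # A hex SHA-256 digest is exactly 64 lowercase hex characters; reject anything else.
    if len(presented) != 64 or any(c not in "0123456789abcdef" for c in presented):
        return False
    expected = sign(raw_body, secret)
    # Constant-time comparison, for the same reason the PHP snippet uses hash_equals().
    return hmac.compare_digest(expected, presented)


def handle_webhook(raw_body: bytes, headers: dict) -> dict:
    """Minimal handler: authenticate first, parse the JSON payload only afterwards."""
    if not verify(raw_body, headers):
        return {"status": 401, "reason": "invalid signature"}
    event = json.loads(raw_body)
    return {"status": 200, "event": event["event"]}


# Constructed message with the same shape as the documented example.
RAW_BODY = (b'{"event":"Measurements","moment":"2019-03-04T10:56:01+01:00",'
            b'"payload":{"user_id":"some-user","additional":"payload"}}')


def reserialized_body_verifies() -> bool:
    """Why the *unmodified* body matters: a JSON library round-trip changes the
    bytes (here the whitespace after ':' and ','), so the HMAC no longer matches."""
    headers = {SIGNATURE_HEADER: sign(RAW_BODY)}
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    return verify(reserialized, headers)


if __name__ == "__main__":
    good_headers = {SIGNATURE_HEADER: sign(RAW_BODY)}
    print(handle_webhook(RAW_BODY, good_headers))
    tampered = RAW_BODY.replace(b"some-user", b"other-user")
    print(handle_webhook(tampered, good_headers))
    print("re-serialized body verifies:", reserialized_body_verifies())
```

In a real receiver, read the body as bytes from the request object before any JSON middleware touches it; frameworks that parse and re-serialize the payload produce exactly the mismatch `reserialized_body_verifies()` demonstrates.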