Webhook validation

Support
1

Does anyone have an example of validating the signature of a webhook? The documentation is very limited. I’ve been able to successfully create the webhooks and am receiving the data, but am struggling with the HMAC validation of the signature.

I’m currently writing this in Golang, but any examples would help.

package bitmovin

import (

"crypto/hmac"

"crypto/sha512"

"encoding/hex"

"os"

)

var SignitureHeader = "Bitmovin-Signature"

func SignatureValidation(payload string, verify string) (bool) {

secret := os.Getenv("BITMOVIN_HOOK_SCERET")

return checkHash(secret, payload, verify)

}

func computeHash(secret []byte, payload []byte) string {

mac := hmac.New(sha512.New, secret)

mac.Write(payload)

hex := hex.EncodeToString(mac.Sum(nil))

return hex

}

func checkHash(secret string, payload string, verify string) bool {

return hmac.Equal([]byte(verify), []byte(computeHash([]byte(secret), []byte(payload))))

}
2

Verify is the Bitmovin-Signature and the payload is the body of the request.

3

Python validation example:

import hashlib
import hmac

def has_valid_signature(request):
    key = config.WEBHOOK_SECRET
    signature = request.headers.get('Bitmovin-Signature')
    data = request.body
    digest = hmac.new(key.encode(), data, hashlib.sha512).hexdigest()
    return digest == signature