@afreeland
Created August 6, 2020 18:51
Chargify webhook verification middleware
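const crypto = require("crypto");

app.use("/chargify", (req, res, next) => {
  // This request header carries the hex-encoded HMAC-SHA256 of the raw request body, keyed with the site's shared key
  const webhookSignature =
    req.headers["x-chargify-webhook-signature-hmac-sha-256"];
  try {
    // Your secret shared site key that you got from Chargify earlier
    // This is a SECRET: load it from a secret store (Kube Secret, etc.) rather than hard-coding it as this sample does
    const sharedKey = "b65ca1b9a6eaea838b7c536ca0ca5fe634214b5d";
    // The first step is to create an HMAC-SHA256 instance keyed with our shared site key
    const hmac = crypto.createHmac("sha256", sharedKey);
    // Next we feed it the raw body of the request from Chargify.
    // Express does not set req.rawBody itself; the body parser has to capture it
    // (for example through the `verify` option of express.json / express.urlencoded)
    hmac.update(req.rawBody);
    // Now we can obtain the digest and compare it against the signature provided in the request header
    const digest = hmac.digest();
    // Buffer.from throws when the header is missing, which lands in the catch below
    const provided = Buffer.from(webhookSignature, "hex");
    // Constant-time comparison; the length check keeps timingSafeEqual from throwing on unequal sizes
    if (
      provided.length !== digest.length ||
      !crypto.timingSafeEqual(provided, digest)
    ) {
      throw new Error("Webhook signature mismatch");
    }
  } catch (e) {
    // Log the failure and reject: an unverified webhook must not reach the handlers behind this middleware
    return res.status(401).send("Invalid webhook signature");
  }
  next();
});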
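
An added example (not part of the original gist) showing why the middleware hashes req.rawBody rather than a parsed and re-serialized body, and how a missing or malformed signature header can be rejected with a distinct reason. The function names, key and payload are constructed for illustration; only Node's built-in crypto module is used.

```javascript
const crypto = require("node:crypto");

// Sender side, as the gist's comments describe it: hex HMAC-SHA256 of the raw body, keyed with the shared key.
function signBody(rawBody, sharedKey) {
  return crypto.createHmac("sha256", sharedKey).update(rawBody).digest("hex");
}

// Receiver side. Returns a reason string so the caller can log why a webhook was rejected.
function checkSignature(rawBody, signatureHeader, sharedKey) {
  if (typeof signatureHeader !== "string" || signatureHeader.length === 0) {
    return "missing-signature";
  }
  if (!/^[0-9a-f]{64}$/i.test(signatureHeader)) {
    return "malformed-signature"; // not exactly 32 bytes of hex
  }
  const expected = crypto.createHmac("sha256", sharedKey).update(rawBody).digest();
  const provided = Buffer.from(signatureHeader, "hex");
  // Both buffers are 32 bytes at this point, so timingSafeEqual cannot throw on length.
  return crypto.timingSafeEqual(expected, provided) ? "ok" : "mismatch";
}

// Constructed sample data: the key and the payload are made up for this example.
const SAMPLE_KEY = "constructed-example-key";
const SAMPLE_RAW = Buffer.from('{"event": "test",  "id": 42}', "utf8");

function demo() {
  const signature = signBody(SAMPLE_RAW, SAMPLE_KEY);
  // Parsing and re-serializing drops the original whitespace, so the bytes (and the HMAC) change.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_RAW.toString("utf8"))));
  return {
    rawBytes: checkSignature(SAMPLE_RAW, signature, SAMPLE_KEY),
    reserialized: checkSignature(reserialized, signature, SAMPLE_KEY),
    wrongKey: checkSignature(SAMPLE_RAW, signature, "another-key"),
    missingHeader: checkSignature(SAMPLE_RAW, undefined, SAMPLE_KEY),
    truncated: checkSignature(SAMPLE_RAW, signature.slice(0, 10), SAMPLE_KEY),
  };
}

console.log(demo());
```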