Validating a Mandrill Webhook request for nodejs

mandrill_validate_webhook

var Crypto = require('crypto');

/**
 * validates a mandrill webhook request
 * @param url string the url that mandrill sent the request to
 * @param key string the web hook key from https://mandrillapp.com/settings/webhooks
 * @param params array the request's POST parameters i.e. req.params
 * @param compareTo string the x-mandrill-signature header value
 */
var validate = function validate(url, key, params, compareTo) {
  var data = url;
  for(var postKey in params) {
    data += postKey;
    data += postData[postKey];
  }
  var signer = Crypto.createHmac('sha1', key);
  var signature = signer.update(data).digest('base64');
  return compareTo && signature === compareTo;
};

In express + body-parser:

'use strict';

const express = require('express');
const bodyParser = require('body-parser');
const crypto = require('crypto');
const server = express();

server.use(bodyParser.urlencoded({extended: true}));

const key = 'your_random_webhook_key';
let url = 'http://your-webhook.com?handler=hello';

server.post('/hook', (req, res) => {
    let keys = Object.body.keys().sort();
    for (let key of keys) {
        url += key + req.body[key];
    }
    let signer = crypto.createHmac('sha1', key);
    let signature = signer.update(url).digest('base64');
    console.log(req.headers['x-mandrill-signature'] === signature);
    res.send(req.headers['x-mandrill-signature'] === signature ? 'Yeay!' : 'Nay!');
});

server.listen(8000 || env.process.PORT);

One line alternative to this:

let keys = Object.body.keys().sort(); // which should actually be Object.keys(body).sort()
for (let key of keys) {
    url += key + req.body[key];
}

url += Object.keys(body).sort().map(key => ${key}${body[key]})