```js
const crypto = require('crypto');

const hmac = crypto.createHmac('SHA256', 'my-webhook-secret');
hmac.update('{ ... }'); // request body
const correctHash = hmac.digest().toString('hex');

const receivedHash = '...'; // e.g. req.get('x-impala-signature');

/*
 * It's important to perform a constant time equality comparison of the
 * two HMACs to avoid timing attacks.
 *
 * See: https://en.wikipedia.org/wiki/Timing_attack
 */
const correct = Buffer.from(correctHash);
const received = Buffer.from(receivedHash);

// crypto.timingSafeEqual throws a RangeError when the two buffers differ in
// length, so check the length first and treat a mismatch as a failed check.
if (
  correct.length === received.length &&
  crypto.timingSafeEqual(correct, received)
) {
  // Request is valid
} else {
  throw new Error('Authentication failed.');
}
```
Hi @PeterKottas! No, unfortunately we don't have anything in .NET. Hope you'll find the equivalent of the above example in .NET! Let us know if there's anything else we can help with, ideally on support@getimpala.com as that's monitored more regularly.
No problem, we figured it out in the meantime.
In case anybody is looking for implementation: https://gist.github.com/PeterKottas/d83906865a42f521586523fd54e7a6dc
Great, thanks a lot!
Hey all, just a quick note that Node's default encoding for the Buffer.from function is UTF-8.
https://nodejs.org/api/buffer.html#buffer_static_method_buffer_from_string_encoding
We had a couple of issues with mismatching signatures due to this.
@PeterKottas your implementation, much like mine, might have the same issue.
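An added example (not part of the gist, of any comment here, or of Impala's own code) that combines the check from the gist with the encoding note above: it hashes the raw request bytes, decodes the hex signature explicitly, and returns `false` on malformed input. `verifySignature`, `demo`, the secret and the sample body are constructed for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical helper: verify a hex-encoded HMAC-SHA256 signature over the
// exact bytes that arrived on the wire (a Buffer, not a re-parsed object).
function verifySignature(rawBody, receivedHex, secret) {
  // Validate the header before decoding: Buffer.from(str, 'hex') silently
  // truncates at the first non-hex character instead of failing.
  if (typeof receivedHex !== 'string' || !/^[0-9a-fA-F]{64}$/.test(receivedHex)) {
    return false;
  }
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(receivedHex, 'hex');
  // Both buffers are 32 bytes at this point, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data: a body with spaces and a non-ASCII character.
const SECRET = 'my-webhook-secret';
const rawBody = Buffer.from('{"event": "booking.created", "guest": "Zo\u00eb"}', 'utf8');
const signature = crypto.createHmac('sha256', SECRET).update(rawBody).digest('hex');

function demo() {
  const text = rawBody.toString('utf8');
  return {
    // The bytes exactly as received: matches.
    rawBytes: verifySignature(rawBody, signature, SECRET),
    // Hex case does not matter once the header is decoded to bytes.
    upperCaseHex: verifySignature(rawBody, signature.toUpperCase(), SECRET),
    // Parsing and re-serializing drops the spaces, so the bytes differ.
    reserialized: verifySignature(JSON.stringify(JSON.parse(text)), signature, SECRET),
    // Encoding the same text as latin1 changes the non-ASCII byte.
    latin1: verifySignature(Buffer.from(text, 'latin1'), signature, SECRET),
    // Malformed or absent headers fail closed without throwing.
    truncated: verifySignature(rawBody, signature.slice(0, 10), SECRET),
    missing: verifySignature(rawBody, undefined, SECRET),
  };
}

console.log(demo());
```

In a web framework, `rawBody` has to be captured before any JSON body parser runs, since the parsed object cannot be turned back into the original bytes.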
Hi @tobyurff, do you have any examples for dot net (core) by any chance?