Last active August 19, 2021 08:36
const crypto = require('crypto');

const hmac = crypto.createHmac('SHA256', 'my-webhook-secret');
hmac.update('{ ... }'); // request body
const correctHash = hmac.digest().toString('hex');
const receivedHash = '...'; // e.g. req.get('x-impala-signature');

/*
 * It's important to perform a constant time equality comparison of the
 * two HMACs to avoid timing attacks.
 *
 * See: https://en.wikipedia.org/wiki/Timing_attack
 */
const correctBuffer = Buffer.from(correctHash);
const receivedBuffer = Buffer.from(receivedHash);

// crypto.timingSafeEqual throws a RangeError when the two buffers differ in
// length, so check the length first and treat a mismatch as a failure.
if (
  correctBuffer.length === receivedBuffer.length &&
  crypto.timingSafeEqual(correctBuffer, receivedBuffer)
) {
  // Request is valid
} else {
  throw new Error('Authentication failed.');
}
No problem, we figured it out in the meantime.
In case anybody is looking for implementation: https://gist.github.com/PeterKottas/d83906865a42f521586523fd54e7a6dc
Great, thanks a lot!
Hey all, just a quick note that node's default encoding for the Buffer.from function is UTF-8.
https://nodejs.org/api/buffer.html#buffer_static_method_buffer_from_string_encoding
We had a couple of issues with mismatching signatures due to this.
@PeterKottas your implementation, much like mine, might have the same issue.
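As an added example (not code from the gist or from Impala), the sketch below verifies the signature over the raw body bytes and decodes the header as hex, then shows how the encoding issue raised in the comment above produces a mismatch. The helper name `verifyWebhookSignature`, the sample body, and the premise that the sender signs the exact bytes on the wire are assumptions.

```javascript
const crypto = require('crypto');

// Hypothetical helper, not from the gist. Assumes the sender puts a hex-encoded
// HMAC-SHA256 of the raw request body in the signature header.
function verifyWebhookSignature(rawBody, receivedHex, secret) {
  // Require the untouched body bytes: any re-encoding changes the HMAC.
  if (!Buffer.isBuffer(rawBody) || typeof receivedHex !== 'string') return false;
  // A SHA-256 tag is 32 bytes, i.e. exactly 64 hex characters.
  if (!/^[0-9a-f]{64}$/i.test(receivedHex)) return false;

  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const received = Buffer.from(receivedHex, 'hex'); // decode hex, not UTF-8
  // Lengths are equal here, so timingSafeEqual cannot throw a RangeError.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample data (not a real webhook or secret).
const secret = 'my-webhook-secret';
const wireBody = Buffer.from('{"hotel": "Café Royal", "nights": 2}', 'utf8');
const signature = crypto.createHmac('sha256', secret).update(wireBody).digest('hex');

function demo() {
  // Body parsed and re-serialized: whitespace differs from what was signed.
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(wireBody.toString('utf8'))));
  // Body decoded with the wrong charset, then re-encoded as UTF-8 by Buffer.from.
  const wrongCharset = Buffer.from(wireBody.toString('latin1'));
  return {
    rawBytes: verifyWebhookSignature(wireBody, signature, secret),
    reserialized: verifyWebhookSignature(reserialized, signature, secret),
    wrongCharset: verifyWebhookSignature(wrongCharset, signature, secret),
    truncatedHeader: verifyWebhookSignature(wireBody, signature.slice(0, 10), secret),
    uppercaseHeader: verifyWebhookSignature(wireBody, signature.toUpperCase(), secret),
  };
}

console.log(demo());
```

In a web framework this means capturing the body as a Buffer before any JSON parser touches it and passing that Buffer to the check.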
Hi @PeterKottas! No, unfortunately we don't have anything in .NET. Hope you'll find the equivalent of the above example in .NET! Let us know if there's anything else we can help with, ideally on support@getimpala.com as that's monitored more regularly.