Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
const crypto = require('crypto');
const hmac = crypto.createHmac('SHA256', 'my-webhook-secret');
hmac.update('{ ... }'); // request body
const correctHash = hmac.digest().toString('hex');
const receivedHash = '...'; // e.g. req.get('x-impala-signature');
* It's important to perform a constant time equality comparison of the
* two HMACs to avoid timing attacks.
* See:
if (
) {
// Request is valid
} else {
throw new Error('Authentication failed.');
Copy link

Great, thanks a lot!

Copy link

Hey all, just a quick note that node's default encoding for the Buffer.from function is UTF-8.

We had a couple of issues with mismatching signatures due to this.

@PeterKottas your implementation, much like mine, might have the same issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment