Last active
August 19, 2021 08:36
-
-
Save tobyurff/f40dcac7a4671f465dcc902afa6a91be to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const crypto = require('crypto'); | |
| const hmac = crypto.createHmac('SHA256', 'my-webhook-secret'); | |
| hmac.update('{ ... }'); // request body | |
| const correctHash = hmac.digest().toString('hex'); | |
| const receivedHash = '...'; // e.g. req.get('x-impala-signature'); | |
| /* | |
| * It's important to perform a constant time equality comparison of the | |
| * two HMACs to avoid timing attacks. | |
| * | |
| * See: https://en.wikipedia.org/wiki/Timing_attack | |
| */ | |
| if ( | |
| crypto.timingSafeEqual( | |
| Buffer.from(correctHash), | |
| Buffer.from(receivedHash) | |
| ) | |
| ) { | |
| // Request is valid | |
| } else { | |
| throw new Error('Authentication failed.'); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hey all, just a quick note that node's default encoding for the Buffer.from function is UTF-8.
https://nodejs.org/api/buffer.html#buffer_static_method_buffer_from_string_encoding
We had a couple of issues with mismatching signatures due to this.
@PeterKottas your implementation, much like mine, might have the same issue.