How to validate signature in the webhook?

7 posts / 0 new
Last post
Thu, 12/07/2017 - 04:00
#1
andrejsuibo17844
How to validate signature in the webhook?

When receiving a webhook, there is a signature string in the payload.
How to validate this signature?

Top
Fri, 12/08/2017 - 01:14
christopherlord730
Re: How to validate signature in the webhook?

Can you provide the property name and the value supplied in the event object?

Top
Fri, 12/08/2017 - 01:15
christopherlord730
Re: How to validate signature in the webhook?

Or the correlation ID in question?

Top
Fri, 12/08/2017 - 04:38
(Reply to #3)
andrejsuibo17844
Re: How to validate signature in the webhook?

Here is the whole webhook data:
{
eventID: 8a34e7646001601e01602b3e67de0ed3,
eventName: TRANSACTION_STATUS,
eventTime: Dec 6, 2017 4:53:18 AM,
payload: {
amount: 100,
correlation_id: 228.1255399735350,
currency: USD,
ref_data: PB17124004T71,
signature: MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCAMIIFPTCCBCWgAwIBAgIQATRWDbb3ZHCeCCM+33x8xTANBgkqhkiG9w0BAQUFADCBtTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQxMDAxMDAwMDAwWhcNMTYxMDAxMjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0dlb3JnaWExEDAOBgNVBAcUB0F0bGFudGExHzAdBgNVBAoUFkZpcnN0IERhdGEgQ29ycG9yYXRpb24xEDAOBgNVBAsUB1BheWVlenkxIjAgBgNVBAMUGXNlcnZpY2VzLWNlcnQucGF5ZWV6eS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCHFMBy5/AetBP/fTpEGqezgB/KNCl9Dzc8dL5i7txPFPzmaw2SzzaiOMxc4mKQCvu+LkARHxAxmG+KOlaEVIajL0ti15EuL2YlcYMXaCWJ+sjSMtq46KSUH/zJROosK+FeXFTgCmWRMsME0ulJA2oPaw+uNAOZUjIxWlahu6KmLlJkmPwohqu3JaKyg57WVkkwHKX0ZEe3BZcghX7+3NTJSd5Xh0vytpoOyrCgqQ94Cm3Wika+kuIQ3ENIYKmfAAvZW3cqJO5jFMQkYOkwZdIvSDpuWDdL5S3tVjzIgFCYwFp/+vIlICOoOHXslmRBDMDCk18j2OKdGTyA8LM/6RtAgMBAAGjggFyMIIBbjAkBg {clipped},
status: approved,
transaction_id: ET142226,
transaction_tag: 2233358591,
transaction_time: ********,
transaction_type: capture
}
}

Top
Fri, 12/08/2017 - 22:43
christopherlord730
Re: How to validate signature in the webhook?

I'll have to check with our development team but it does appear to use our public key and some type of base 64 encoding but I'll have to see whether the method is something that can be divulged.

Top
Sun, 12/10/2017 - 09:22
(Reply to #5)
andrejsuibo17844
Re: How to validate signature in the webhook?

Thank You!
What other, recommended, options do I have, to validate the webhook?
It would be unwise to trust the webhook data, without any validation.

Top
Wed, 12/13/2017 - 00:19
(Reply to #6)
andrejsuibo17844
Re: How to validate signature in the webhook?

What is the official way to validate a webhook? Could not find any info on that anywhere...
I also tried to get the event using the API:
https://api-cert.payeezy.com/v1/events/{id}
But this method returns 'Not found' at the time of webhook and only after about one minute of retries the event is found.

Top