andrejsuibo17844
How to validate signature in the webhook?

When receiving a webhook, there is a signature string in the payload.
How to validate this signature?


christopherlord730
Re: How to validate signature in the webhook?

Can you provide the property name and the value supplied in the event object?


christopherlord730
Re: How to validate signature in the webhook?

Or the correlation ID in question?


andrejsuibo17844
Re: How to validate signature in the webhook?

Here is the whole webhook data:
{
eventID: 8a34e7646001601e01602b3e67de0ed3,
eventName: TRANSACTION_STATUS,
eventTime: Dec 6, 2017 4:53:18 AM,
payload: {
amount: 100,
correlation_id: 228.1255399735350,
currency: USD,
ref_data: PB17124004T71,
signature: MIAGCSqGSIb3DQEHAqCAMIACAQExDzANBglghkgBZQMEAgEFADCABgkqhkiG9w0BBwEAAKCAMIIFPTCCBCWgAwIBAgIQATRWDbb3ZHCeCCM+33x8xTANBgkqhkiG9w0BAQUFADCBtTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2UgYXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMmVmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQxMDAxMDAwMDAwWhcNMTYxMDAxMjM1OTU5WjCBiDELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0dlb3JnaWExEDAOBgNVBAcUB0F0bGFudGExHzAdBgNVBAoUFkZpcnN0IERhdGEgQ29ycG9yYXRpb24xEDAOBgNVBAsUB1BheWVlenkxIjAgBgNVBAMUGXNlcnZpY2VzLWNlcnQucGF5ZWV6eS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDCHFMBy5/AetBP/fTpEGqezgB/KNCl9Dzc8dL5i7txPFPzmaw2SzzaiOMxc4mKQCvu+LkARHxAxmG+KOlaEVIajL0ti15EuL2YlcYMXaCWJ+sjSMtq46KSUH/zJROosK+FeXFTgCmWRMsME0ulJA2oPaw+uNAOZUjIxWlahu6KmLlJkmPwohqu3JaKyg57WVkkwHKX0ZEe3BZcghX7+3NTJSd5Xh0vytpoOyrCgqQ94Cm3Wika+kuIQ3ENIYKmfAAvZW3cqJO5jFMQkYOkwZdIvSDpuWDdL5S3tVjzIgFCYwFp/+vIlICOoOHXslmRBDMDCk18j2OKdGTyA8LM/6RtAgMBAAGjggFyMIIBbjAkBg {clipped},
status: approved,
transaction_id: ET142226,
transaction_tag: 2233358591,
transaction_time: ********,
transaction_type: capture
}
}


christopherlord730
Re: How to validate signature in the webhook?

I'll have to check with our development team, but it does appear to use our public key and some type of base 64 encoding. I'll have to see whether the method is something that can be divulged.
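
Added example, not part of any post in this thread and not Payeezy's code: a small Python parser that base64-decodes the leading characters of the `signature` value posted above and reads the outer ASN.1 header to identify what kind of container it is. The function names and the OID table are this example's own; the thread does not state which bytes of the webhook are signed, so this identifies the format only.

```python
import base64

# Leading characters of the `signature` value posted in the thread (the full
# value is clipped there, so only the container header can be examined).
SIGNATURE_PREFIX = "MIAGCSqGSIb3DQEHAqCA"

# Illustrative lookup table for this example, not an exhaustive registry.
KNOWN_OIDS = {
    "1.2.840.113549.1.7.1": "PKCS#7/CMS data",
    "1.2.840.113549.1.7.2": "PKCS#7/CMS signedData",
}

def read_header(buf, pos):
    """Return (tag, length, next_pos); length is None for BER indefinite form."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:                 # indefinite length (BER only, not DER)
        return tag, None, pos
    if first < 0x80:                  # short form: the byte is the length
        return tag, first, pos
    n = first & 0x7F                  # long form: next n bytes hold the length
    return tag, int.from_bytes(buf[pos:pos + n], "big"), pos + n

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:           # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def identify(b64_text):
    """Describe the outer ASN.1 structure of a base64-encoded blob."""
    raw = base64.b64decode(b64_text)
    tag, length, pos = read_header(raw, 0)
    if tag != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE")
    oid_tag, oid_len, pos = read_header(raw, pos)
    if oid_tag != 0x06 or oid_len is None or pos + oid_len > len(raw):
        raise ValueError("expected a complete contentType OBJECT IDENTIFIER")
    oid = decode_oid(raw[pos:pos + oid_len])
    return {"oid": oid, "type": KNOWN_OIDS.get(oid, "unknown"),
            "ber_indefinite": length is None}

if __name__ == "__main__":
    print(identify(SIGNATURE_PREFIX))
```

The header identifies a BER-encoded PKCS#7/CMS SignedData structure, a format that standard CMS tooling can parse once the complete, unclipped value is available. Verifying it still requires knowing which content was signed and which issuer to trust for the signer's certificate, neither of which is given in the thread.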


andrejsuibo17844
Re: How to validate signature in the webhook?

Thank you!
What other recommended options do I have to validate the webhook?
It would be unwise to trust the webhook data without any validation.


andrejsuibo17844
Re: How to validate signature in the webhook?

What is the official way to validate a webhook? Could not find any info on that anywhere...
I also tried to get the event using the API:
https://api-cert.payeezy.com/v1/events/{id}
But this method returns 'Not found' at the time of the webhook, and only after about one minute of retries is the event found.