Web Hook Verification

When integrating AllCore webhooks, verify the authenticity of every incoming request before acting on it: the check ensures the request genuinely originates from AllCore rather than from anyone who has learned your endpoint URL. AllCore attaches an HMAC-SHA1 signature, hex-encoded and computed over the raw request body with your webhook secret, in the X-Payload-Digest header of each webhook. Recompute the same HMAC on your side over the exact bytes received, before any JSON parsing or re-serialisation, and compare it with the header value using a constant-time comparison. Below is a Python function illustrating how to validate this signature.

import hashlib
import hmac

SECRET = 'secret_value'  # must equal the secret configured for the webhook

def verifySignature(callback_raw_response, callback_headers):
    # Signature sent by AllCore: hex-encoded HMAC-SHA1 of the raw body
    callback_signature = callback_headers['X-Payload-Digest']
    # Hash the exact bytes received; re-serialising parsed JSON changes them
    body = callback_raw_response
    if isinstance(body, str):
        body = body.encode('utf-8')
    signature = hmac.new(SECRET.encode('utf-8'), body, hashlib.sha1).hexdigest()
    # Constant-time comparison: a plain == leaks timing information about the match
    return hmac.compare_digest(callback_signature, signature)

callback_raw_response = '{"field":"value"}'  # use the raw, unformatted request body
callback_headers = {"X-Payload-Digest": "7e36252a10fd65cbaacd7ff288df2fd3f9e75a46"}  # header from the request

print(verifySignature(callback_raw_response, callback_headers))
  1. Secret Value: The SECRET variable must be set to the same secret you used when creating the webhook. Treat it like a password: load it from configuration or an environment variable rather than committing it to source control.

  2. Verify Signature Function:

    1. Parameters: The verifySignature function accepts the raw webhook body (callback_raw_response), exactly as received on the wire, and the request headers (callback_headers).

    2. Steps:
       a. Extract the signature from the X-Payload-Digest header.
       b. Generate a new HMAC-SHA1 signature using the SECRET and the raw request body, hex-encoded to match the header.
       c. Compare the generated signature with the header signature using hmac.compare_digest, which takes the same time whether or not the values match. If they match, the function returns True, confirming the webhook is authentic; otherwise reject the request.

  3. Sample Data: The callback_raw_response and callback_headers examples provide sample data to test this process. Any change to the body, even whitespace introduced by reformatting the JSON, produces a different digest and a False result.
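A more defensive version of the same check, added here as an illustration rather than taken from AllCore's documentation or SDK: it accepts the body as bytes (what web frameworks hand you before JSON parsing), looks the header up case-insensitively, compares in constant time, and exercises the failure modes a practitioner should expect (tampered body, re-serialised JSON, missing header). The secret, body and header values are constructed for the demo, and the names sign_payload, verify_webhook and get_header are this example's own, not AllCore's.

```python
import hashlib
import hmac

HEADER = "X-Payload-Digest"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Hex-encoded HMAC-SHA1 over the raw body, as described on this page."""
    return hmac.new(secret, body, hashlib.sha1).hexdigest()


def get_header(headers, name: str):
    """Case-insensitive header lookup; frameworks differ in how they case header names."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def verify_webhook(secret: bytes, raw_body: bytes, headers) -> bool:
    """Return True only if the header carries a valid HMAC-SHA1 of raw_body."""
    received = get_header(headers, HEADER)
    if received is None:
        return False  # unsigned request: reject, do not fall back to trusting it
    expected = sign_payload(secret, raw_body)
    # Normalise hex case, then compare as bytes in constant time. compare_digest
    # returns False (without raising) when the lengths differ.
    return hmac.compare_digest(
        received.strip().lower().encode("utf-8"),
        expected.encode("ascii"),
    )


# Constructed demo data (not captured from AllCore). The header is produced by
# signing the body ourselves, so the demo is independent of any real secret.
DEMO_SECRET = b"example-webhook-secret"
DEMO_BODY = b'{"field":"value"}'
DEMO_HEADERS = {"x-payload-digest": sign_payload(DEMO_SECRET, DEMO_BODY)}


def demo():
    ok = verify_webhook(DEMO_SECRET, DEMO_BODY, DEMO_HEADERS)
    # Attacker changed a field: digest no longer matches.
    tampered = verify_webhook(DEMO_SECRET, b'{"field":"other"}', DEMO_HEADERS)
    # Same JSON document re-serialised with a space after the colon: different
    # bytes, different digest. This is why the raw body must be used.
    reserialized = verify_webhook(DEMO_SECRET, b'{"field": "value"}', DEMO_HEADERS)
    # No signature header at all.
    missing = verify_webhook(DEMO_SECRET, DEMO_BODY, {})
    return ok, tampered, reserialized, missing


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False, False)
```

In a Flask handler pass request.get_data() as raw_body; in Django, request.body. Do not rebuild the body from a parsed object such as request.get_json(): the serialiser's key order and whitespace will almost certainly differ from the bytes AllCore signed, and verification will fail for legitimate deliveries.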
