I have registered a webhook and provided a secret as documented on https://www.weavy.com/docs/backend/webhooks.
When the payload is delivered to my url I want to verify the signature, but I can't seem to get the calculation correct. What am I doing wrong?
Here is the code I'm using:
public static bool Verify(string signature, string body, string secret)
{
using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
{
var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
var hash = Encoding.UTF8.GetString(hashBytes);
return signature.Equals(hash);
}
}
The documentation says the signature is a HMAC hex digest so instead of converting hashBytes to an UTF8 string you should convert it to a hexadecimal string.
public static bool Verify(string signature, string body, string secret)
{
using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(Secret)))
{
var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
var hash = Convert.ToHexString(hashBytes).ToLowerInvariant();
return signature.Equals(hash);
}
}