You can use this library to verify the signature passed in the header to your webhook target endpoint.
For more information on signatures with Go1 Webhooks please see this guide.
$ npm i @go1/webhook-verifier-js
If using a NodeJS framework like ExpressJS, with the req object in scope:
let signature = req.header('go1-signature');
// payload can be a string OR the object already parsed by the express json middlware
let payload = req.body;
// the secret could come from some place else if you wish, but it is the secret you provided to Go1 when you created the webhook
let secret = process.env.SHARED_SECRET;
You can then verify the signature like so:
import { verifySignature } from '@go1/webhook-verifier-js';
verifySignature(signature, payload, secret); // throws an exception if anything is invalid.
Or if you prefer not to have exceptions thrown you can also get a result back like so:
import { isSignatureVerified } from '@go1/webhook-verifier-js';
const { isValid, error } = isSignatureVerified(signature, payload, secret);
// { isValid: true, error: undefined }
const { isValid, error } = isSignatureVerified(signature, payload, badSecret);
// { isValid: false, error: InvalidWebhookSignature('Invalid signature') }
There is also some optional configuration you can set before calling verifySignature
or isSignatureVerified
:
import { configure as configureWebhookVerifier } from '@go1/webhook-verifier-js';
configureWebhookVerifier({
timestampToleranceInSeconds: 60, // number, defaults to 60
signatureVersion: 'v1' // string, defaults to 'v1'
});
...
MIT License
Please open an issue in github here and we will evaluate.