Signature Validation

Since your webhook URL is publicly reachable, you need to verify that events truly originate from Curacel and not from an unauthorized party. Check their authenticity using the Webhook Secret that you generate from your dashboard.

Every event sent by Curacel carries the x-curacel-signature header. Its value is an HMAC-SHA256 signature of the event payload, computed with your webhook secret. Verify the header signature before processing the event:

PHP:

<?php
// WEBHOOK_SECRET is the secret generated from your dashboard; define it before this point.
// Only accept POST requests that carry the signature header. PHP exposes request
// headers in $_SERVER with an HTTP_ prefix, uppercased, with dashes turned into underscores.
if (strtoupper($_SERVER['REQUEST_METHOD']) != 'POST' || !array_key_exists('HTTP_X_CURACEL_SIGNATURE', $_SERVER)) {
    http_response_code(400);
    exit();
}

// Retrieve the raw request body exactly as sent; the signature covers these bytes
$input = @file_get_contents("php://input");

// validate event: compare in constant time so the check does not leak timing information
$expected = hash_hmac('sha256', $input, WEBHOOK_SECRET);
if (!hash_equals($expected, $_SERVER['HTTP_X_CURACEL_SIGNATURE'])) {
    http_response_code(401);
    exit();
}

http_response_code(200);

// parse event (which is a JSON string) as an object
$event = json_decode($input);

// Do something - that will not take long - with $event

exit();
?>
Node.js:

const express = require('express');
const crypto = require('crypto');
const bodyParser = require('body-parser'); // npm i body-parser
const secret = process.env.WEBHOOK_SECRET; // the secret generated from your dashboard

const app = express();
app.use(bodyParser.json());

// Using Express.js
app.post("/my/webhook/url", function(req, res) {
  // re-serialize the parsed body and escape forward slashes so it matches the payload Curacel signed
  const data = (JSON.stringify(req.body)).replace(/\//g, '\\/');

  // validate event: compare the digests in constant time rather than with ==
  const hash = crypto.createHmac('sha256', secret).update(data).digest('hex');
  const expected = Buffer.from(hash);
  const received = Buffer.from(String(req.headers['x-curacel-signature'] || ''));
  const valid = expected.length === received.length && crypto.timingSafeEqual(expected, received);

  if (valid) {
    // Retrieve the request's body
    const event = req.body;

    // Do something with event.
  }
  // respond with an HTTP status code (res.send(200) would send the body "200")
  res.sendStatus(valid ? 200 : 401);
});