Round #210

Implement a webhook delivery endpoint with HMAC signature verification

**Webhook Delivery Endpoint with HMAC Signature Verification in C#** Below is an example implementation of a webhook delivery endpoint with HMAC signature verification in C#. ### Prerequisites * .NET 6.0 or later * `Microsoft.AspNetCore` package * `System.Security.Cryptography` package ### Implementation ```csharp using Microsoft.AspNetCore.Mvc; using System; using System.Security.Cryptography; using System.Text; using System.Threading.Tasks; [ApiController] [Route("api/[controller]")] public class WebhookController : ControllerBase { private readonly string _secretKey; public WebhookController(string secretKey) { _secretKey = secretKey; } [HttpPost] public async Task<IActionResult> HandleWebhook([FromBody] string payload, [FromHeader] string signature) { // Verify HMAC signature if (!VerifySignature(payload, signature)) { return Unauthorized("Invalid signature"); } // Process the webhook payload await ProcessPayload(payload); return Ok("Webhook received successfully"); } private bool VerifySignature(string payload, string signature) { using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_secretKey)); var expectedSignature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))); return expectedSignature == signature; } private async Task ProcessPayload(string payload) { // Implement your logic to process the webhook payload Console.WriteLine($"Received webhook payload: {payload}"); await Task.CompletedTask; } } ``` ### Explanation 1. The `WebhookController` class handles incoming webhook requests. 2. The `HandleWebhook` method is the entry point for webhook requests. It takes two parameters: `payload` (the webhook payload) and `signature` (the HMAC signature of the payload). 3. The `VerifySignature` method checks if the provided signature matches the expected signature generated using the secret key and the payload. 4. If the signature is valid, the `ProcessPayload` method is called to process the webhook payload. 5. The `ProcessPayload` method is a placeholder for your custom logic to handle the webhook payload. ### Example Usage To test the webhook delivery endpoint, you can use a tool like Postman or cURL to send a POST request with a JSON payload and an HMAC signature. **Request Headers** * `Content-Type`: `application/json` * `X-Hub-Signature`: `sha256=<signature>` **Request Body** * `{"key":"value"}` (example JSON payload) **Generating the HMAC Signature** To generate the HMAC signature, you can use a tool like OpenSSL or a programming language like Python or C#. Example using C#: ```csharp using System; using System.Security.Cryptography; using System.Text; class Program { static void Main() { var secretKey = "your_secret_key"; var payload = "{\"key\":\"value\"}"; using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey)); var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))); Console.WriteLine($"Signature: {signature}"); } } ``` Replace `your_secret_key` with your actual secret key. Note: This implementation assumes a SHA-256 HMAC signature. You can modify the implementation to use a different hashing algorithm if needed.

```csharp using Microsoft.AspNetCore.Mvc; using Microsoft.Extensions.Logging; using System; using System.Security.Cryptography; using System.Text; using System.Threading.Tasks; // Define a model for the webhook request public class WebhookRequest { public string Id { get; set; } public string Event { get; set; } public string Data { get; set; } } // Define a controller for the webhook delivery endpoint [ApiController] [Route("api/[controller]")] public class WebhookController : ControllerBase { private readonly ILogger<WebhookController> _logger; private readonly string _secretKey; public WebhookController(ILogger<WebhookController> logger, string secretKey) { _logger = logger; _secretKey = secretKey; } // Define an action for the webhook delivery endpoint [HttpPost] public async Task<IActionResult> DeliverWebhook([FromBody] WebhookRequest request) { try { // Get the HMAC signature from the request headers var signature = Request.Headers["X-Hub-Signature-256"].ToString(); // Verify the HMAC signature if (!VerifyHmacSignature(request, signature)) { _logger.LogWarning("Invalid HMAC signature"); return Unauthorized(); } // Process the webhook request await ProcessWebhookRequest(request); return Ok(); } catch (Exception ex) { _logger.LogError(ex, "Error processing webhook request"); return StatusCode(500); } } // Define a method to verify the HMAC signature private bool VerifyHmacSignature(WebhookRequest request, string signature) { // Create a new HMACSHA256 object using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_secretKey)); // Compute the expected HMAC signature var expectedSignature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(JsonSerializer.Serialize(request)))); // Compare the expected signature with the provided signature return expectedSignature == signature; } // Define a method to process the webhook request private async Task ProcessWebhookRequest(WebhookRequest request) { // Process the webhook request (e.g., save to database, send notification, etc.) _logger.LogInformation($"Received webhook request: {JsonSerializer.Serialize(request)}"); } } // Register the webhook controller in the DI container public void ConfigureServices(IServiceCollection services) { services.AddControllers(); services.AddSingleton<string>(Configuration["WebhookSecretKey"]); services.AddLogging(loggingBuilder => { loggingBuilder.AddConsole(); }); } // Configure the routing middleware public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { app.UseRouting(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); }); } ``` This implementation provides a webhook delivery endpoint with HMAC signature verification. The `WebhookController` class handles incoming webhook requests and verifies the HMAC signature using the `VerifyHmacSignature` method. If the signature is valid, the `ProcessWebhookRequest` method is called to process the request. The `ConfigureServices` method registers the webhook controller and adds logging to the DI container. The `Configure` method configures the routing middleware to map the webhook controller to the `/api/webhook` endpoint. **Key Features:** * HMAC signature verification using the `VerifyHmacSignature` method * Processing of webhook requests using the `ProcessWebhookRequest` method * Logging of incoming webhook requests and errors using the `ILogger` interface * Registration of the webhook controller in the DI container using the `AddControllers` method * Configuration of the routing middleware using the `UseRouting` and `UseEndpoints` methods **Security Considerations:** * The HMAC signature is verified using a secret key stored in the `WebhookSecretKey` configuration setting. * The `VerifyHmacSignature` method uses the `HMACSHA256` algorithm to compute the expected signature. * The `ProcessWebhookRequest` method logs incoming webhook requests and errors using the `ILogger` interface. **Best Practices:** * The implementation follows the ASP.NET Core guidelines for building web APIs. * The `WebhookController` class is registered in the DI container using the `AddControllers` method. * The `ConfigureServices` method registers the webhook controller and adds logging to the DI container. * The `Configure` method configures the routing middleware to map the webhook controller to the `/api/webhook` endpoint.