Round #235
07 May 2026, 20:22· csharp· meta/llama-3.3-70b-instruct· r13-clean-hints
- Complexity: band 0
- ZP / UO / OBS: 5 / 4 / 1
- Journey weight: 741
- Lightshift ΔL: -0.50
Prompt
Implement a webhook delivery endpoint with HMAC signature verification
Zero-point index (what the engine surfaced)
ZPI-ZPI-0003 | 2026-05-07T20:22:03Z
Implement a webhook delivery endpoint with HMAC signature verification
ZERO POINT — 5 entries (structural invariants)
● hsl(27.69, 100%, 50%) async [feature]
● hsl(145.64, 100%, 16%) Task of T [feature]
● hsl(7.18, 100%, 18%) class [feature]
● hsl(0.00, 100%, 18%) public [feature]
● hsl(84.10, 100%, 18%) namespace [feature]
UNOBSERVED — 4 entries (implied truths)
○ hsl(9.23, 100%, 32%) interface [feature]
○ hsl(77.54, 100%, 19%) Routing middleware [function]
○ hsl(83.08, 100%, 26%) ILogger of T injection [function]
○ hsl(31.38, 100%, 40%) Scoped registration [function]
OBSERVED — 1 entries (explicit in request)
◉ hsl(98.46, 100%, 21%) with [feature]
COMPLEXITY │ 10 entries │ spread: 89° │ band: LOW
Baseline response (no ZPI)
**Webhook Delivery Endpoint with HMAC Signature Verification in C#**
Below is an example implementation of a webhook delivery endpoint with HMAC signature verification in C#.
### Prerequisites
* .NET 6.0 or later
* `Microsoft.AspNetCore.Mvc` package
* `System.Security.Cryptography` package
### Implementation
```csharp
using Microsoft.AspNetCore.Mvc;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

[ApiController]
[Route("api/[controller]")]
public class WebhookController : ControllerBase
{
    private readonly string _secretKey;

    public WebhookController(string secretKey)
    {
        _secretKey = secretKey;
    }

    [HttpPost]
    public async Task<IActionResult> HandleWebhook([FromHeader(Name = "X-Hub-Signature")] string signature)
    {
        // Read the raw body: the HMAC covers the exact bytes the sender signed
        using var reader = new StreamReader(Request.Body, Encoding.UTF8);
        var payload = await reader.ReadToEndAsync();

        // Verify HMAC signature
        if (!VerifySignature(payload, signature))
        {
            return Unauthorized("Invalid signature");
        }

        // Process the webhook payload
        await ProcessPayload(payload);
        return Ok("Webhook received successfully");
    }

    private bool VerifySignature(string payload, string signature)
    {
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_secretKey));
        var expectedSignature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));

        // Constant-time comparison, so the check does not leak how many characters matched
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expectedSignature),
            Encoding.UTF8.GetBytes(signature ?? string.Empty));
    }

    private async Task ProcessPayload(string payload)
    {
        // Implement your logic to process the webhook payload
        Console.WriteLine($"Received webhook payload: {payload}");

        // Simulate some processing time
        await Task.Delay(1000);
    }
}
```
### Explanation
1. The `WebhookController` class handles incoming webhook requests.
2. The `HandleWebhook` method is the entry point for the webhook endpoint.
3. It verifies the HMAC signature of the incoming request using the `VerifySignature` method.
4. If the signature is invalid, it returns a 401 Unauthorized response.
5. If the signature is valid, it processes the webhook payload using the `ProcessPayload` method.
6. The `VerifySignature` method computes the expected HMAC signature using the provided secret key and compares it with the incoming signature.
7. The `ProcessPayload` method simulates some processing time and logs the received payload to the console.
### Example Usage
To test the webhook endpoint, you can use a tool like Postman or cURL to send a POST request with a JSON payload and an HMAC signature header.
**Request**
* Method: POST
* URL: `https://example.com/api/webhook`
* Headers:
  + `Content-Type`: `application/json`
  + `X-Hub-Signature`: `your_hmac_signature`
* Body: `{"event": "example_event"}`
**Note**: Replace `your_hmac_signature` with the actual HMAC signature computed using the secret key and the request payload.
### Security Considerations
* Use a secure secret key to prevent unauthorized access to your webhook endpoint.
* Use a secure protocol (HTTPS) to encrypt the communication between the client and the server.
* Validate the incoming request payload to prevent potential security vulnerabilities.
### HMAC Signature Generation
To generate an HMAC signature, you can use the following C# code:
```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public class HmacSignatureGenerator
{
    public static string GenerateSignature(string secretKey, string payload)
    {
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey));
        var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
        return signature;
    }
}
```
You can use this code to generate an HMAC signature for your webhook payload and include it in the `X-Hub-Signature` header of your request.
Enhanced response (with ZPI)
```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

// Define a model for the webhook request
public class WebhookRequest
{
    public string Id { get; set; }
    public string Event { get; set; }
    public JsonElement Data { get; set; } // arbitrary JSON value (object or string)
}

// Define a controller for the webhook delivery endpoint
[ApiController]
[Route("api/[controller]")]
public class WebhookController : ControllerBase
{
    private static readonly JsonSerializerOptions JsonOptions = new() { PropertyNameCaseInsensitive = true };
    private readonly ILogger<WebhookController> _logger;
    private readonly string _secretKey;

    public WebhookController(ILogger<WebhookController> logger, string secretKey)
    {
        _logger = logger;
        _secretKey = secretKey;
    }

    // Define an action for the webhook delivery endpoint
    [HttpPost]
    public async Task<IActionResult> DeliverWebhook()
    {
        try
        {
            // Read the raw body: the HMAC covers the exact bytes the sender signed
            using var reader = new StreamReader(Request.Body, Encoding.UTF8);
            var body = await reader.ReadToEndAsync();

            // Get the HMAC signature from the request headers
            var signature = Request.Headers["X-Hub-Signature-256"].ToString();

            // Verify the HMAC signature
            if (!VerifyHmacSignature(body, signature))
            {
                _logger.LogWarning("Invalid HMAC signature");
                return BadRequest("Invalid HMAC signature");
            }

            // Deserialize only after the signature has been verified
            var request = JsonSerializer.Deserialize<WebhookRequest>(body, JsonOptions);

            // Process the webhook request
            await ProcessWebhookRequest(request);
            return Ok();
        }
        catch (JsonException)
        {
            return BadRequest("Invalid JSON payload");
        }
        catch (Exception ex)
        {
            _logger.LogError(ex, "Error processing webhook request");
            return StatusCode(500, "Internal Server Error");
        }
    }

    // Define a method to verify the HMAC signature
    private bool VerifyHmacSignature(string body, string signature)
    {
        // Expect "<algorithm>=<hex digest>"; reject a missing or malformed header
        var parts = signature.Split('=', 2);
        if (parts.Length != 2)
        {
            return false;
        }

        // Create a new HMACSHA256 object
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_secretKey));

        // Compute the expected HMAC signature over the raw request body
        var expectedSignature = BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(body))).Replace("-", "").ToLower();

        // Compare the expected HMAC signature with the provided signature in constant time
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(expectedSignature),
            Encoding.UTF8.GetBytes(parts[1].ToLower()));
    }

    // Define a method to process the webhook request
    private Task ProcessWebhookRequest(WebhookRequest request)
    {
        // Process the webhook request (e.g., save to database, send notification, etc.)
        _logger.LogInformation($"Received webhook request: {JsonSerializer.Serialize(request)}");
        return Task.CompletedTask;
    }
}

public class Startup
{
    public IConfiguration Configuration { get; }

    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    // Register the webhook controller in the DI container
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddSingleton<string>(Configuration["SecretKey"]);
        services.AddLogging(logging =>
        {
            logging.AddConsole();
        });
    }

    // Configure the routing middleware
    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}
```
This implementation provides a webhook delivery endpoint with HMAC signature verification. The `WebhookController` class defines an action for the webhook delivery endpoint, which verifies the HMAC signature and processes the webhook request. The `VerifyHmacSignature` method computes the expected HMAC signature and compares it with the provided signature. The `ProcessWebhookRequest` method processes the webhook request (e.g., saves it to a database, sends a notification, etc.).
The `ConfigureServices` method registers the webhook controller in the DI container and adds logging. The `Configure` method configures the routing middleware to map the controllers.
To use this implementation, you need to replace the `SecretKey` configuration value with your actual secret key. You can also customize the `ProcessWebhookRequest` method to suit your specific requirements.
**Example Use Case:**
To test the webhook delivery endpoint, you can use a tool like Postman to send a POST request to the endpoint with a JSON body containing the webhook request data. You need to include the HMAC signature in the `X-Hub-Signature-256` header.
For example, if the secret key is `my_secret_key`, and the webhook request data is `{"id": "123", "event": "created", "data": {"name": "John Doe"}}`, you can compute the HMAC signature using a tool like OpenSSL:
```bash
# Hex digest in the "<algorithm>=<hex>" form that VerifyHmacSignature parses
echo -n '{"id": "123", "event": "created", "data": {"name": "John Doe"}}' | openssl dgst -sha256 -hmac my_secret_key | awk '{print "sha256="$NF}'
```
This will output the HMAC signature, which you can include in the `X-Hub-Signature-256` header of the POST request.
**Security Considerations:**
* Use a secure secret key to prevent unauthorized access to your webhook endpoint.
* Use a secure protocol (e.g., HTTPS) to encrypt the communication between the client and the server.
* Validate the HMAC signature to prevent tampering with the webhook request data.
* Implement rate limiting and IP blocking to prevent abuse of
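Added example, not part of either model response or of the benchmark itself: a framework-independent verifier for the `sha256=<hex>` header form that the enhanced response parses, computed over the raw request bytes and compared in constant time. The class and method names, the secret and the sample bodies are constructed for illustration (.NET 6 or later assumed); the demo prints the result for the exact bytes, for a re-serialized copy of the same JSON, for an empty header and for a base64 digest.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper (not from the page): checks "sha256=<hex>" against the raw body bytes.
public static class WebhookSignature
{
    private const string Prefix = "sha256=";

    public static string Sign(byte[] rawBody, byte[] secret) =>
        Prefix + Convert.ToHexString(HMACSHA256.HashData(secret, rawBody)).ToLowerInvariant();

    public static bool Verify(byte[] rawBody, string header, byte[] secret)
    {
        // Missing header or wrong scheme: reject before doing any work.
        if (string.IsNullOrEmpty(header) || !header.StartsWith(Prefix, StringComparison.Ordinal))
            return false;

        byte[] provided;
        try { provided = Convert.FromHexString(header.Substring(Prefix.Length)); }
        catch (FormatException) { return false; } // not hex, e.g. a base64 digest

        byte[] expected = HMACSHA256.HashData(secret, rawBody);
        // Constant-time comparison; returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, provided);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values.
        byte[] secret = Encoding.UTF8.GetBytes("my_secret_key");
        byte[] sent = Encoding.UTF8.GetBytes("{\"id\": \"123\", \"event\": \"created\"}");
        // Same data after a deserialize/serialize round trip (different bytes).
        byte[] reserialized = Encoding.UTF8.GetBytes("{\"Id\":\"123\",\"Event\":\"created\"}");
        string header = WebhookSignature.Sign(sent, secret);
        string base64 = Convert.ToBase64String(HMACSHA256.HashData(secret, sent));

        Console.WriteLine($"exact bytes:   {WebhookSignature.Verify(sent, header, secret)}");
        Console.WriteLine($"re-serialized: {WebhookSignature.Verify(reserialized, header, secret)}");
        Console.WriteLine($"empty header:  {WebhookSignature.Verify(sent, "", secret)}");
        Console.WriteLine($"base64 digest: {WebhookSignature.Verify(sent, Prefix(base64), secret)}");
    }

    private static string Prefix(string digest) => "sha256=" + digest;
}
```

In a controller, pass the bytes read from `Request.Body` before any model binding or deserialization.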
Grader chain
Each grader reads the same baseline + enhanced pair and casts an independent verdict. Disagreement is the framework's own signal — not noise to be averaged away.
V1 claude-haiku-4-5-20251001: Worse
V4 qwen2.5-coder-7b-instruct: Better