Round #301

Implement a webhook delivery endpoint with HMAC signature verification

**Webhook Delivery Endpoint with HMAC Signature Verification in C#** Below is an example implementation of a webhook delivery endpoint with HMAC signature verification using C# and ASP.NET Core. ### Dependencies * `Microsoft.AspNetCore.Mvc` * `System.Security.Cryptography` * `System.Text` ### Implementation ```csharp using Microsoft.AspNetCore.Mvc; using System; using System.Security.Cryptography; using System.Text; [ApiController] [Route("api/[controller]")] public class WebhookController : ControllerBase { private readonly string _secretKey; public WebhookController(string secretKey) { _secretKey = secretKey; } [HttpPost] public IActionResult HandleWebhook([FromBody] string payload, [FromHeader] string signature) { // Verify HMAC signature if (!VerifySignature(payload, signature)) { return Unauthorized("Invalid signature"); } // Process the webhook payload Console.WriteLine($"Received webhook payload: {payload}"); return Ok("Webhook received successfully"); } private bool VerifySignature(string payload, string signature) { using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_secretKey)); var computedSignature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))); return string.Equals(signature, computedSignature, StringComparison.Ordinal); } } ``` ### Explanation 1. The `WebhookController` class handles incoming webhook requests. 2. The `HandleWebhook` method is called when a webhook request is received. 3. The method first verifies the HMAC signature of the request using the `VerifySignature` method. 4. If the signature is invalid, it returns an `Unauthorized` response. 5. If the signature is valid, it processes the webhook payload and returns an `Ok` response. 6. The `VerifySignature` method computes the HMAC signature of the payload using the secret key and compares it with the provided signature. ### Example Usage To use this implementation, you need to register the `WebhookController` in the ASP.NET Core pipeline and provide the secret key. ```csharp public void ConfigureServices(IServiceCollection services) { services.AddControllers(); services.AddSingleton<string>("your_secret_key"); } public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { app.UseRouting(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); }); } ``` You can then send a webhook request to the `/api/webhook` endpoint with the payload and signature in the headers. ```bash curl -X POST \ http://localhost:5000/api/webhook \ -H 'Content-Type: application/json' \ -H 'Signature: your_computed_signature' \ -d 'your_payload' ``` Replace `your_secret_key`, `your_computed_signature`, and `your_payload` with your actual secret key, computed signature, and payload. ### Computing the Signature To compute the signature, you can use the following code: ```csharp using System; using System.Security.Cryptography; using System.Text; public class SignatureGenerator { public static string ComputeSignature(string payload, string secretKey) { using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey)); var signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload))); return signature; } } ``` You can then use this method to compute the signature before sending the webhook request. ```csharp var payload = "your_payload"; var secretKey = "your_secret_key"; var signature = SignatureGenerator.ComputeSignature(payload, secretKey); // Send the webhook request with the computed signature ```

```csharp using Microsoft.AspNetCore.Builder; using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Routing; using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Logging; using System; using System.Security.Cryptography; using System.Text; using System.Threading.Tasks; public class WebhookDeliveryEndpoint { private readonly ILogger<WebhookDeliveryEndpoint> _logger; public WebhookDeliveryEndpoint(ILogger<WebhookDeliveryEndpoint> logger) { _logger = logger; } public async Task HandleWebhookAsync(HttpRequest request, HttpResponse response) { try { // Read the request body var requestBody = await new StreamReader(request.Body).ReadToEndAsync(); // Get the HMAC signature from the header var hmacSignature = request.Headers["X-Hub-Signature-256"].ToString(); // Verify the HMAC signature if (!VerifyHmacSignature(requestBody, hmacSignature)) { _logger.LogWarning("Invalid HMAC signature"); response.StatusCode = 401; await response.WriteAsync("Invalid HMAC signature"); return; } // Process the webhook delivery await ProcessWebhookDeliveryAsync(requestBody); response.StatusCode = 200; await response.WriteAsync("Webhook delivery processed successfully"); } catch (Exception ex) { _logger.LogError(ex, "Error processing webhook delivery"); response.StatusCode = 500; await response.WriteAsync("Error processing webhook delivery"); } } private bool VerifyHmacSignature(string requestBody, string hmacSignature) { // Get the secret key var secretKey = "your_secret_key_here"; // Create a new HMACSHA256 object using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secretKey)); // Compute the HMAC signature var computedHmacSignature = BitConverter.ToString(hmac.ComputeHash(Encoding.UTF8.GetBytes(requestBody))).Replace("-", "").ToLower(); // Compare the computed HMAC signature with the provided HMAC signature return computedHmacSignature == hmacSignature.Split("=")[1].ToLower(); } private async Task ProcessWebhookDeliveryAsync(string requestBody) { // Process the webhook delivery _logger.LogInformation("Webhook delivery processed: {RequestBody}", requestBody); } } public class Startup { public void ConfigureServices(IServiceCollection services) { services.AddRouting(); services.AddSingleton<WebhookDeliveryEndpoint>(); } public void Configure(IApplicationBuilder app) { app.UseRouting(); app.UseEndpoints(endpoints => { endpoints.MapPost("/webhook", async context => { var webhookDeliveryEndpoint = app.ApplicationServices.GetService<WebhookDeliveryEndpoint>(); await webhookDeliveryEndpoint.HandleWebhookAsync(context.Request, context.Response); }); }); } } ``` This implementation provides a webhook delivery endpoint with HMAC signature verification. The `WebhookDeliveryEndpoint` class handles the webhook delivery and verifies the HMAC signature using the `VerifyHmacSignature` method. The `Startup` class configures the routing and registers the `WebhookDeliveryEndpoint` instance. To use this implementation, you need to replace `"your_secret_key_here"` with your actual secret key. The HMAC signature is computed using the `HMACSHA256` algorithm and the secret key. The computed HMAC signature is then compared with the provided HMAC signature to verify its authenticity. The `ProcessWebhookDeliveryAsync` method is a placeholder for your actual webhook delivery processing logic. You can modify this method to suit your specific requirements. This implementation uses the `ILogger<T>` interface for logging and the `IServiceProvider` interface for resolving the `WebhookDeliveryEndpoint` instance. The `AddRouting` and `AddEndpoints` methods are used to configure the routing and endpoints. The `MapPost` method is used to map the `/webhook` endpoint to the `HandleWebhookAsync` method.