Round #303

08 May 2026, 13:10 · csharp · meta/llama-3.3-70b-instruct · r13-clean-hints
Complexity: band 0
ZP / UO / OBS: 5 / 4 / 1
Journey weight: 612
Lightshift ΔL: -0.50

Prompt

Implement a webhook delivery endpoint with HMAC signature verification

Zero-point index (what the engine surfaced)

ZPI-ZPI-0003 | 2026-05-08T13:10:27Z
Implement a webhook delivery endpoint with HMAC signature verification

ZERO POINT — 5 entries (structural invariants)
● hsl(27.69, 100%, 50%) async [feature]
● hsl(145.64, 100%, 27%) Task of T [feature]
● hsl(7.18, 100%, 38%) class [feature]
● hsl(0.00, 100%, 38%) public [feature]
● hsl(84.10, 100%, 38%) namespace [feature]

UNOBSERVED — 4 entries (implied truths)
○ hsl(9.23, 100%, 50%) interface [feature]
○ hsl(77.54, 100%, 36%) Routing middleware [function]
○ hsl(83.08, 100%, 42%) ILogger of T injection [function]
○ hsl(31.38, 100%, 42%) Scoped registration [function]

OBSERVED — 1 entries (explicit in request)
◉ hsl(98.46, 100%, 28%) with [feature]

COMPLEXITY │ 10 entries │ spread: 89° │ band: LOW

Baseline response (no ZPI)

Implementing a Webhook Delivery Endpoint with HMAC Signature Verification
====================================================================

### Overview

This solution provides a basic implementation of a webhook delivery endpoint with HMAC signature verification using C#. The endpoint will verify the HMAC signature of incoming requests to ensure their authenticity.

### Prerequisites

* .NET 6.0 or later
* `System.Security.Cryptography` namespace for HMAC signature verification
* `Microsoft.AspNetCore` namespace for creating the webhook endpoint

### Implementation

#### Webhook Endpoint

```csharp
using Microsoft.AspNetCore.Mvc;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

[ApiController]
[Route("api/[controller]")]
public class WebhookController : ControllerBase
{
    private readonly string _secretKey;

    public WebhookController(string secretKey)
    {
        _secretKey = secretKey;
    }

    [HttpPost]
    public async Task<IActionResult> HandleWebhook([FromBody] string payload)
    {
        // Get the HMAC signature from the request header
        var signature = Request.Headers["X-Hub-Signature-256"].FirstOrDefault();

        // Verify the HMAC signature
        if (!VerifyHmacSignature(payload, signature))
        {
            return Unauthorized("Invalid HMAC signature");
        }

        // Process the webhook payload
        await ProcessWebhookPayload(payload);

        return Ok("Webhook received successfully");
    }

    private bool VerifyHmacSignature(string payload, string signature)
    {
        if (string.IsNullOrEmpty(signature))
        {
            return false;
        }

        var expectedSignature = GenerateHmacSignature(payload);
        return expectedSignature == signature;
    }

    private string GenerateHmacSignature(string payload)
    {
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(_secretKey));
        var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
        return $"sha256={Convert.ToBase64String(hash)}";
    }

    private async Task ProcessWebhookPayload(string payload)
    {
        // Implement your logic to process the webhook payload
        // For example, you can deserialize the payload and perform actions based on its content
        await Task.CompletedTask;
    }
}
```

#### Startup Configuration

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration)
    {
        Configuration = configuration;
    }

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddSingleton<WebhookController>(provider =>
        {
            var secretKey = Configuration["WebhookSecretKey"];
            return new WebhookController(secretKey);
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        app.UseEndpoints(endpoints =>
        {
            endpoints.MapControllers();
        });
    }
}
```

#### appsettings.json

```json
{
  "WebhookSecretKey": "your_secret_key_here"
}
```

### Example Usage

To test the webhook endpoint, you can use a tool like Postman or cURL to send a POST request with the HMAC signature in the `X-Hub-Signature-256` header.

```bash
curl -X POST \
  https://your-webhook-endpoint.com/api/webhook \
  -H 'Content-Type: application/json' \
  -H 'X-Hub-Signature-256: sha256=your_hmac_signature_here' \
  -d '{"key":"value"}'
```

Replace `your_secret_key_here` with your actual secret key, and `your_hmac_signature_here` with the HMAC signature generated using the same secret key and the request payload.

### Security Considerations

* Use a secure secret key and keep it confidential to prevent unauthorized access to your webhook endpoint.
* Use a secure protocol (HTTPS) to encrypt the communication between the client and the server.
* Implement rate limiting and IP blocking to prevent abuse and denial-of-service attacks.
* Monitor your webhook endpoint for suspicious activity and implement logging and auditing mechanisms to detect and respond to security incidents.

Enhanced response (with ZPI)

```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;

// Define a model for the webhook request
public class WebhookRequest
{
    public string Id { get; set; }
    public string Event { get; set; }
    public string Data { get; set; }
}

// Define a service for handling webhook requests
public interface IWebhookService
{
    Task HandleWebhookRequest(WebhookRequest request);
}

// Implement the webhook service
public class WebhookService : IWebhookService
{
    private readonly ILogger<WebhookService> _logger;

    public WebhookService(ILogger<WebhookService> logger)
    {
        _logger = logger;
    }

    public async Task HandleWebhookRequest(WebhookRequest request)
    {
        try
        {
            // Process the webhook request
            _logger.LogInformation($"Received webhook request: {request.Id} - {request.Event}");
            // Add your business logic here
        }
        catch (Exception ex)
        {
            _logger.LogError(ex, "Error handling webhook request");
        }
    }
}

// Define a middleware for HMAC signature verification
public class HmacSignatureVerificationMiddleware
{
    private readonly RequestDelegate _next;
    private readonly string _secretKey;

    public HmacSignatureVerificationMiddleware(RequestDelegate next, string secretKey)
    {
        _next = next;
        _secretKey = secretKey;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var request = context.Request;
        var headers = request.Headers;

        // Check if the request contains the expected headers
        if (!headers.ContainsKey("X-Hub-Signature-256") || !headers.ContainsKey("X-Hub-Signature"))
        {
            context.Response.StatusCode = 401;
            await context.Response.WriteAsync("Invalid request: missing signature headers");
            return;
        }

        var signature = headers["X-Hub-Signature-256"];
        var signatureSha1 = headers["X-Hub-Signature"];

        // Verify the HMAC signature
        var body = await new StreamReader(request.Body).ReadToEndAsync();
        request.Body.Position = 0; // Reset the request body position

        var expectedSignature = ComputeHmacSignature(body, _secretKey, "sha256");
        var expectedSignatureSha1 = ComputeHmacSignature(body, _secretKey, "sha1");

        if (!VerifyHmacSignature(expectedSignature, signature) || !VerifyHmacSignature(expectedSignatureSha1, signatureSha1))
        {
            context.Response.StatusCode = 401;
            await context.Response.WriteAsync("Invalid request: invalid signature");
            return;
        }

        // Call the next middleware in the pipeline
        await _next(context);
    }

    private string ComputeHmacSignature(string body, string secretKey, string algorithm)
    {
        using var hmac = algorithm switch
        {
            "sha256" => new HMACSHA256(Encoding.UTF8.GetBytes(secretKey)),
            "sha1" => new HMACSHA1(Encoding.UTF8.GetBytes(secretKey)),
            _ => throw new ArgumentException("Unsupported algorithm", nameof(algorithm))
        };

        var signature = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
        return $"sha256={Convert.ToBase64String(signature)}";
    }

    private bool VerifyHmacSignature(string expectedSignature, string providedSignature)
    {
        var expectedSignatureValue = expectedSignature.Split('=')[1];
        var providedSignatureValue = providedSignature.Split('=')[1];

        return Convert.FromBase64String(expectedSignatureValue).SequenceEqual(Convert.FromBase64String(providedSignatureValue));
    }
}

// Define a controller for the webhook delivery endpoint
[ApiController]
[Route("api/[controller]")]
public class WebhookController : ControllerBase
{
    private readonly IWebhookService _webhookService;

    public WebhookController(IWebhookService webhookService)
    {
        _webhookService = webhookService;
    }

    [HttpPost]
    public async Task<IActionResult> HandleWebhookRequest([FromBody] WebhookRequest request)
    {
        await _webhookService.HandleWebhookRequest(request);
        return Ok();
    }
}

// Register the services and middleware in the Startup class
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllers();
    services.AddScoped<IWebhookService, WebhookService>();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseRouting();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });

    // Add the HMAC signature verification middleware
    app.UseMiddleware<HmacSignatureVerificationMiddleware>("your_secret_key_here");
}
```

This implementation provides a webhook delivery endpoint with HMAC signature verification. The `HmacSignatureVerificationMiddleware` class verifies the HMAC signature of incoming requests, and the `WebhookService` class handles the webhook requests. The `WebhookController` class defines the endpoint for receiving webhook requests.

To use this implementation, you need to register the services and middleware in the `Startup` class. You should replace `"your_secret_key_here"` with your actual secret key.

The HMAC signature verification middleware checks for the presence of the `X-Hub-Signature-256` and `X-Hub-Signature` headers in the request. It then computes the expected HMAC signature using the request body and the secret key, and verifies it against the provided signature. If the signature is invalid, it returns a 401 response.

The `WebhookService` class handles the webhook requests by logging the request and performing any necessary business logic. You can modify this class to suit your specific requirements.

The `WebhookController` class defines the endpoint for receiving webhook requests. It uses the `WebhookService` class to handle the requests.

Note that this implementation uses the `HMACSHA256` and `HMACSHA1` algorithms for computing the HMAC signature. You can modify the `ComputeHmacSignature` method to use a different algorithm if needed.
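An added example, not part of either recorded response: a signature check over the raw request bytes with a constant-time comparison, where the responses above compare with `==` and `SequenceEqual`. `WebhookSignature`, the secret and the payload are constructed for illustration, and the hex digest encoding is an assumption (the responses above use Base64); match whatever the sender documents.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed sample values (not from the page): secret, body and sender-side header.
byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret");
byte[] body = Encoding.UTF8.GetBytes("{\"key\":\"value\"}");
string header = "sha256=" + Convert.ToHexString(HMACSHA256.HashData(secret, body)).ToLowerInvariant();

// Case 1: the exact bytes that were signed.
Console.WriteLine(WebhookSignature.IsValid(secret, body, header));
// Case 2: the same JSON re-serialised with an added space, i.e. different bytes
// than the sender signed. This is why the raw body is verified, not a bound model.
byte[] reserialised = Encoding.UTF8.GetBytes("{\"key\": \"value\"}");
Console.WriteLine(WebhookSignature.IsValid(secret, reserialised, header));
// Case 3 and 4: malformed and missing headers.
Console.WriteLine(WebhookSignature.IsValid(secret, body, "sha256=not-hex"));
Console.WriteLine(WebhookSignature.IsValid(secret, body, null));

// Hypothetical helper: verifies a "sha256=<hex>" header over the raw request bytes.
public static class WebhookSignature
{
    private const string Prefix = "sha256=";

    public static bool IsValid(byte[] secret, byte[] rawBody, string? header)
    {
        if (header is null || !header.StartsWith(Prefix, StringComparison.Ordinal))
            return false;

        byte[] provided;
        try
        {
            provided = Convert.FromHexString(header.Substring(Prefix.Length));
        }
        catch (FormatException)
        {
            return false; // a malformed header is rejected, not surfaced as an exception
        }

        byte[] expected = HMACSHA256.HashData(secret, rawBody);
        // Constant-time comparison; also returns false when the lengths differ.
        return CryptographicOperations.FixedTimeEquals(expected, provided);
    }
}
```

In an ASP.NET Core pipeline the `rawBody` argument would be the bytes read from `Request.Body` after `Request.EnableBuffering()`, with the stream position reset before model binding.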

Grader chain

Each grader reads the same baseline + enhanced pair and casts an independent verdict. Disagreement is the framework's own signal — not noise to be averaged away.

V1 claude-sonnet-4-6: Same
V4 qwen2.5-coder-7b-instruct: Better
