Round #479

Implement a webhook delivery endpoint with HMAC signature verification

To implement a webhook delivery endpoint with HMAC signature verification in C#, you can follow these steps: 1. **Create an ASP.NET Core Web API project**: If you don't already have one, create a new ASP.NET Core Web API project. 2. **Add necessary NuGet packages**: Ensure you have the necessary packages installed. You might need `Microsoft.AspNetCore.Mvc` and `System.Security.Cryptography`. 3. **Implement the webhook endpoint**: Create a controller to handle incoming webhook requests. 4. **Verify HMAC signature**: Implement logic to verify the HMAC signature of the incoming request. Here's a complete example: ### Step 1: Create an ASP.NET Core Web API Project You can create a new project using Visual Studio or the .NET CLI: ```bash dotnet new webapi -n WebhookReceiver cd WebhookReceiver ``` ### Step 2: Add Necessary NuGet Packages Ensure you have the necessary packages installed. You might need `Microsoft.AspNetCore.Mvc` and `System.Security.Cryptography`. ```bash dotnet add package Microsoft.AspNetCore.Mvc dotnet add package System.Security.Cryptography ``` ### Step 3: Implement the Webhook Endpoint Create a new controller to handle incoming webhook requests. ```csharp using Microsoft.AspNetCore.Mvc; using System; using System.Linq; using System.Text; using System.Threading.Tasks; [ApiController] [Route("api/[controller]")] public class WebhookController : ControllerBase { private readonly string _secretKey = "your-secret-key"; // Replace with your actual secret key [HttpPost] public async Task<IActionResult> ReceiveWebhook() { if (!Request.Headers.TryGetValue("X-Hmac-Signature", out var hmacSignature)) { return BadRequest("Missing X-Hmac-Signature header"); } if (!Request.Body.CanSeek) { Request.EnableBuffering(); } using (var reader = new System.IO.StreamReader(Request.Body, Encoding.UTF8, true, 1024, true)) { var requestBody = await reader.ReadToEndAsync(); // Verify the HMAC signature if (!VerifyHmacSignature(requestBody, hmacSignature)) { return Unauthorized("Invalid HMAC signature"); } // Process the webhook payload // For example, log it or perform some action Console.WriteLine($"Received webhook: {requestBody}"); return Ok("Webhook received and verified successfully"); } } private bool VerifyHmacSignature(string requestBody, string hmacSignature) { using (var hmac = System.Security.Cryptography.HMACSHA256.Create()) { hmac.Key = Encoding.UTF8.GetBytes(_secretKey); var computedHash = hmac.ComputeHash(Encoding.UTF8.GetBytes(requestBody)); var computedBase64 = Convert.ToBase64String(computedHash); return computedBase64.Equals(hmacSignature, StringComparison.OrdinalIgnoreCase); } } } ``` ### Step 4: Configure CORS (if needed) If you need to allow cross-origin requests, configure CORS in your `Startup.cs` or `Program.cs`. ```csharp public void ConfigureServices(IServiceCollection services) { services.AddControllers(); services.AddCors(options => { options.AddPolicy("AllowAllOrigins", builder => builder.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()); }); } public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } app.UseRouting(); app.UseCors("AllowAllOrigins"); app.UseEndpoints(endpoints => { endpoints.MapControllers(); }); } ``` ### Summary This example demonstrates how to create a webhook delivery endpoint with HMAC signature verification in an ASP.NET Core Web API. The `ReceiveWebhook` method reads the request body and verifies the HMAC signature using the provided secret key. If the signature is valid, it processes the webhook payload; otherwise, it returns an unauthorized response. Make sure to replace `"your-secret-key"` with your actual secret key and configure CORS if necessary for your application's requirements.

To implement a webhook delivery endpoint with HMAC signature verification, we'll create an ASP.NET Core controller action. This action will handle incoming webhooks, verify the HMAC signature using the provided key, and process the payload if the signature is valid. Here's the complete implementation: ```csharp using Microsoft.AspNetCore.Mvc; using Microsoft.Extensions.Logging; using System.Security.Cryptography; using System.Text; using System.Threading.Tasks; [ApiController] [Route("api/[controller]")] public class WebhookController : ControllerBase { private readonly ILogger<WebhookController> _logger; private readonly string _hmacKey; public WebhookController(ILogger<WebhookController> logger, IOptions<HmacSettings> hmacSettings) { _logger = logger; _hmacKey = hmacSettings.Value.Key; } [HttpPost] public async Task<IActionResult> ReceiveWebhook([FromBody] string payload) { try { if (!Request.Headers.TryGetValue("X-HMAC-Signature", out var signatureHeader)) { return Unauthorized("Missing HMAC Signature"); } var providedSignature = signatureHeader.ToString(); var computedSignature = ComputeHmacSha256(payload, _hmacKey); if (computedSignature != providedSignature) { return Unauthorized("Invalid HMAC Signature"); } // Process the valid webhook payload await ProcessWebhookPayload(payload); return Ok("Webhook processed successfully"); } catch (Exception ex) { _logger.LogError(ex, "Error processing webhook"); return StatusCode(500, "Internal Server Error"); } } private string ComputeHmacSha256(string payload, string key) { using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(key)); var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)); return Convert.ToBase64String(hashBytes); } private async Task ProcessWebhookPayload(string payload) { // Implement your webhook processing logic here _logger.LogInformation("Processing webhook payload: {Payload}", payload); await Task.CompletedTask; } } public class HmacSettings { public string Key { get; set; } } ``` ### Explanation: 1. **Controller and Action**: - The `WebhookController` is decorated with `[ApiController]` and `[Route("api/[controller]")]` to define the base route for webhook requests. - The `ReceiveWebhook` action handles POST requests and expects a JSON payload. 2. **Dependency Injection**: - The constructor injects an `ILogger<WebhookController>` for logging and an `IOptions<HmacSettings>` to retrieve the HMAC key from configuration. 3. **HMAC Signature Verification**: - The action checks if the `X-HMAC-Signature` header is present in the request. - It computes the HMAC SHA-256 hash of the payload using the provided key and compares it with the signature in the header. - If the signatures match, the payload is considered valid; otherwise, an unauthorized response is returned. 4. **Payload Processing**: - The `ProcessWebhookPayload` method is a placeholder for your actual webhook processing logic. It logs the payload and completes the task asynchronously. 5. **Configuration**: - The HMAC key should be stored in the application's configuration (e.g., `appsettings.json`) and bound to the `HmacSettings` class using dependency injection. ### Configuration Example (`appsettings.json`): ```json { "HmacSettings": { "Key": "your-hmac-key-here" } } ``` This implementation provides a robust webhook delivery endpoint with HMAC signature verification, ensuring that only valid payloads are processed.