Verifying webhook authenticity using Spring Boot



Posted Oct 30, 2022

I am migrating some code to Java Spring Boot and using Zendesk webhooks. The webhook requests have two headers.

X-Zendesk-Webhook-Signature - the main signature
X-Zendesk-Webhook-Signature-Timestamp - the timestamp used to verify the signature

Also, there is a secret key. Until now I was able to test the webhook and it successfully reached my @RestController, but now I want to validate that it's coming from Zendesk. Ref - https://developer.zendesk.com/documentation/event-connectors/webhooks/verifying/



2 comments

      Jehudowuf: I'm verifying the request via this method and it works in Spring Boot :) The arguments for the function come from the webhook request: the headers you mention and the full request body. Hope it helps :) The signatures compared in the final if statement should be the same.

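      import javax.crypto.Mac;
      import javax.crypto.spec.SecretKeySpec;
      import java.nio.charset.StandardCharsets;
      import java.security.MessageDigest;
      import java.util.Base64;

      ......

      // Signing secret from the webhook configuration; load it from configuration instead of hard-coding it.
      private final String zendeskSecretKey = "XXXXXXXXXXX_SECRET_FROM_WEBHOOK_CONFIG";

      public void validateZendeskWebhookRequest(String zendeskSignatureTimeStamp, String zendeskSignature, String requestBody) throws Exception {
          // A request with a missing header can never be valid.
          if (zendeskSignatureTimeStamp == null || zendeskSignature == null) {
              throw new ZendeskRequestNotValidException();
          }

          Mac sha256 = Mac.getInstance("HmacSHA256");
          SecretKeySpec secretKey = new SecretKeySpec(zendeskSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
          sha256.init(secretKey);

          // Expected signature: Base64(HMAC-SHA256(secret, timestamp + request body))
          String signature = Base64.getEncoder().encodeToString(
                  sha256.doFinal((zendeskSignatureTimeStamp + requestBody).getBytes(StandardCharsets.UTF_8)));

          // Constant-time comparison, so response timing does not reveal how much of the signature matched.
          boolean valid = MessageDigest.isEqual(
                  signature.getBytes(StandardCharsets.UTF_8),
                  zendeskSignature.getBytes(StandardCharsets.UTF_8));

          // Log only the outcome: writing the expected signature to the log would hand a valid value to any log reader.
          LOGGER.debug("Request Validation Result: {}", valid);

          if (!valid) {
              throw new ZendeskRequestNotValidException();
          }
      }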

      0
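The check from the comment above as a stand-alone program (an added example, not part of any comment in this thread and not Zendesk's code). It shows why the HMAC must be computed over the exact bytes received: in a @RestController that means binding the body as a String or byte[], not hashing JSON that has been parsed and re-serialized. The class name, secret, timestamp and body are constructed for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;

public class WebhookSignatureCheck {

    // Base64(HMAC-SHA256(secret, timestamp + body)), the scheme used in the comment above.
    static String sign(String secret, String timestamp, byte[] rawBody) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        mac.update(timestamp.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(mac.doFinal(rawBody));
    }

    // Returns false instead of throwing when a header or the body is missing.
    static boolean isValid(String secret, String timestamp, String signatureHeader, byte[] rawBody)
            throws Exception {
        if (timestamp == null || signatureHeader == null || rawBody == null) {
            return false;
        }
        byte[] expected = sign(secret, timestamp, rawBody).getBytes(StandardCharsets.UTF_8);
        byte[] received = signatureHeader.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, received); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, not real Zendesk data.
        String secret = "constructed-test-secret";
        String timestamp = "2022-10-30T12:00:00Z";
        byte[] body = "{\"ticket\": {\"id\": 42}}".getBytes(StandardCharsets.UTF_8);
        String header = sign(secret, timestamp, body); // value the sender would put in the signature header

        // Case 1: the exact bytes that were signed.
        System.out.println("raw body:           " + isValid(secret, timestamp, header, body));

        // Case 2: same JSON after a parse/re-serialize round trip (whitespace changed).
        byte[] reserialized = "{\"ticket\":{\"id\":42}}".getBytes(StandardCharsets.UTF_8);
        System.out.println("re-serialized body: " + isValid(secret, timestamp, header, reserialized));

        // Case 3: signature header replayed with a different timestamp header.
        System.out.println("changed timestamp:  " + isValid(secret, "2022-10-30T12:05:00Z", header, body));

        // Case 4: signature header missing from the request.
        System.out.println("missing signature:  " + isValid(secret, timestamp, null, body));
    }
}
```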


      Hey there,
       
      Do you mind clarifying what your question is? Unfortunately, we don't have a tutorial on how to handle webhook verification in Java.

      Sorry for the inconvenience.

      0

