#How to verify webhook signature in Golang?


final lagoon
#

I am using webhook and I would like to verify the webhook signature when the call to my server is made via Appwrite webhook.

Basically, I have to get the following header: signatureHeader := c.GetHeader("X-Appwrite-Webhook-Signature")

But, is there any existing function that would verify the Header or will I have to write it from scratch?

Btw, I am using the Go-Gin framework.

gaunt prawn
final lagoon
#

Exactly, so is there any library for that? Or will I have to write a custom algorithm for that? Also, for authentication, will verifying the webhook signature work, or can I skip that and use a username and password?

tight mango
final lagoon
#

Hmm... Alright

final lagoon
#

https://dev.to/appwrite/level-up-your-webhook-security-with-appwrite-015-50mo

I followed the above tutorial and wrote the following code:

```go
    var appwriteResponse map[string]any

    // TODO: Verify the webhook secret
    payloadBody, err := c.GetRawData()
    if err != nil {
        c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to read request body"})
        return
    }

    signature, err := generateSignature(string(payloadBody))
    if err != nil {
        c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to verify webhook signature"})
        return
    }

    headerSignature := c.GetHeader("X-Appwrite-Webhook-Signature")

    if signature != headerSignature {
        c.JSON(http.StatusUnauthorized, gin.H{"error": "Failed Authentication Check"})
        return
    }

func generateSignature(payloadBody string) (string, error) {
    data := "https://www.my-hosted-backend.com/appwrite/user/location" + payloadBody

    hm := hmac.New(sha1.New, []byte(os.Getenv("APPWRITE_WEBHOOK_SECRET")))
    hm.Write([]byte(data))

    return base64.StdEncoding.EncodeToString(hm.Sum(nil)), nil
}
```

Is something wrong with the logic?

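An added example, not part of the original thread and not Appwrite's own code: a framework-independent check for the scheme used in the post above (base64 of HMAC-SHA1 over the webhook URL followed by the raw body), with a constant-time comparison and explicit rejection of an empty secret or malformed header. The names `computeMAC` and `verifySignature`, the error values and the sample URL, secret and body are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"errors"
	"fmt"
)

var (
	errNoSecret     = errors.New("webhook secret is not configured")
	errBadHeader    = errors.New("signature header missing or malformed")
	errBadSignature = errors.New("signature mismatch")
)

// computeMAC returns HMAC-SHA1 over webhookURL+body, the input signed in the post above.
func computeMAC(webhookURL string, body, secret []byte) []byte {
	mac := hmac.New(sha1.New, secret)
	mac.Write([]byte(webhookURL))
	mac.Write(body)
	return mac.Sum(nil)
}

// verifySignature checks the X-Appwrite-Webhook-Signature value against the raw body.
func verifySignature(webhookURL string, body []byte, header string, secret []byte) error {
	if len(secret) == 0 {
		// An unset env var gives an empty HMAC key that any sender can reproduce.
		return errNoSecret
	}
	got, err := base64.StdEncoding.DecodeString(header)
	if err != nil || len(got) != sha1.Size {
		return errBadHeader
	}
	// hmac.Equal compares in constant time, unlike != on the encoded strings.
	if !hmac.Equal(got, computeMAC(webhookURL, body, secret)) {
		return errBadSignature
	}
	return nil
}

func main() {
	// Constructed sample values, not real endpoints or secrets.
	hookURL, secret := "https://example.test/appwrite/user/location", []byte("constructed-secret")
	body := []byte(`{"name":"constructed"}`)
	sig := base64.StdEncoding.EncodeToString(computeMAC(hookURL, body, secret))
	fmt.Println("valid:", verifySignature(hookURL, body, sig, secret))
	fmt.Println("tampered:", verifySignature(hookURL, append(body, ' '), sig, secret))
}
```

In a Gin handler, `body` would be the bytes returned by `c.GetRawData()` and `header` the value of `c.GetHeader("X-Appwrite-Webhook-Signature")`; the URL must match the one registered for the webhook byte for byte.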