const crypto = require("crypto");
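/**
 * Verify an HMAC-SHA256 webhook signature in constant time.
 *
 * The signature is recomputed over `JSON.stringify(payload)` and compared
 * with the hex string supplied by the sender. NOTE(review): this only works
 * when the sender signed exactly the same serialization; if the sender
 * signed the raw request body, re-serializing the parsed body can differ
 * (key order, whitespace, unicode escapes) — prefer passing the raw body.
 *
 * @param {unknown} payload - parsed webhook body (serialized with JSON.stringify)
 * @param {string|Buffer|undefined} signature - hex HMAC from the request header
 * @param {string|Buffer} secret - shared webhook secret
 * @returns {boolean} true only when the signature matches exactly
 */
function verifyWebhookSignature(payload, signature, secret) {
  // A missing or malformed header must yield `false`, not an exception:
  // Buffer.from(undefined) throws, which would surface as a 500 instead of 401.
  if (typeof signature !== "string" && !Buffer.isBuffer(signature)) {
    return false;
  }
  const expectedSignature = crypto
    .createHmac("sha256", secret)
    .update(JSON.stringify(payload))
    .digest("hex");
  const provided = Buffer.from(signature);
  const expected = Buffer.from(expectedSignature);
  // timingSafeEqual throws RangeError when lengths differ; the digest length
  // is public (fixed by SHA-256), so short-circuiting here leaks nothing.
  if (provided.length !== expected.length) {
    return false;
  }
  return crypto.timingSafeEqual(provided, expected);
}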
// In your webhook handler:
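// Webhook endpoint: authenticate the request before touching its contents.
app.post("/webhook", (req, res) => {
  // Node lowercases incoming header names, so the lookup must be lowercase;
  // `req.headers["X-Signature"]` is always undefined and every request fails.
  const signature = req.headers["x-signature"];
  const payload = req.body;
  // The secret is read from the environment rather than committed to source.
  const secret = process.env.WEBHOOK_SECRET;
  if (secret == null || secret === "") {
    return res.status(500).send("Webhook secret not configured");
  }
  if (!verifyWebhookSignature(payload, signature, secret)) {
    return res.status(401).send("Invalid signature");
  }
  // Process the webhook. `payload?.event` guards a body that parsed to null.
  console.log("Received valid webhook:", payload?.event);
  return res.status(200).send("OK");
});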