I have registered a webhook and provided a secret as documented on https://www.weavy.com/docs/backend/webhooks.

When the payload is delivered to my URL I want to verify the signature, but I can't seem to get the calculation correct. What am I doing wrong?

Here is the code I'm using:

```csharp
public static bool Verify(string signature, string body, string secret)
{
    using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
    {
        var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
        var hash = Encoding.UTF8.GetString(hashBytes);
        return signature.Equals(hash);
    }
}
```

1 Answer

The documentation says the signature is an HMAC hex digest, so instead of converting hashBytes to a UTF-8 string you should convert it to a hexadecimal string.

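```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static bool Verify(string signature, string body, string secret)
{
    // Key the HMAC with the UTF-8 bytes of the webhook secret.
    using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret)))
    {
        var hashBytes = hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
        // Hex-encode the digest in lowercase, matching the hex digest format.
        var hash = Convert.ToHexString(hashBytes).ToLowerInvariant();
        return signature.Equals(hash);
    }
}
```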
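A hardened variant of the check in the answer above, added here as an example and not code from the answer or from Weavy: it decodes the received hex digest to bytes, compares it in constant time with `CryptographicOperations.FixedTimeEquals`, and treats a malformed signature as a failed check. The class names, sample secret and sample body are constructed; it assumes .NET 5 or later and that the digest is computed over the raw request body bytes.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class WebhookSignature
{
    // rawBody: the request body bytes exactly as received, before any JSON parsing
    // or re-serialization (assumption: the sender signs these bytes).
    // signatureHex: the hex digest delivered with the request.
    public static bool Verify(string signatureHex, byte[] rawBody, string secret)
    {
        if (string.IsNullOrEmpty(signatureHex) || rawBody == null || string.IsNullOrEmpty(secret))
            return false;

        byte[] received;
        try
        {
            // Accepts upper- or lower-case hex; throws on odd length or non-hex characters.
            received = Convert.FromHexString(signatureHex.Trim());
        }
        catch (FormatException)
        {
            return false; // malformed signature is a failed check, not an exception
        }

        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        byte[] expected = hmac.ComputeHash(rawBody);

        // Comparison time does not depend on where the first differing byte is.
        return CryptographicOperations.FixedTimeEquals(expected, received);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values, not taken from Weavy.
        const string secret = "example-secret";
        byte[] body = Encoding.UTF8.GetBytes("{\"action\":\"example\"}");
        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        string good = Convert.ToHexString(hmac.ComputeHash(body)).ToLowerInvariant();

        Console.WriteLine(WebhookSignature.Verify(good, body, secret));                         // matching digest
        Console.WriteLine(WebhookSignature.Verify(good, Encoding.UTF8.GetBytes("{}"), secret)); // altered body
        Console.WriteLine(WebhookSignature.Verify("not-hex", body, secret));                    // malformed hex
    }
}
```

Comparing decoded bytes rather than strings also removes the dependence on the letter case of the hex digest.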