Verify Webhook Signature

Overview

Signature verification is a crucial step in ensuring the authenticity and integrity of data received from webhooks. By verifying the signature provided in the webhook payload, you can confirm that the data originated from Dex3 servers and has not been tampered with during transit.

Process

Receive signature from the webhook endpoint.
Construct Hash String: Concatenate the necessary parameters into a single string before applying the hash function. The parameters typically include:

Items	Description
order_id	Your internally created order_id
order_amount	The order_amount you passed for this payment
hash	The hash of the transaction.
merchant_private	Your private key.

Apply Hash Function: Use a secure hashing algorithm such as SHA-256 to calculate the hash value of the before-hash string. (See code example below)
Compare Signatures: Compare the calculated hash value with the signature extracted from the webhook payload. If the two values match, the signature is considered valid, and the data integrity is confirmed. Do not continue if signatures do not match.

import { createHash}  from 'crypto'; //Install crypto package

//Your config
const merchantPublic = process.env.PUBLIC_KEY;
const merchantPrivate = process.env.PRIVATE_KEY;

const payload = req.body;

//Get your payment row from your database
const payment = await getPaymentData(payload.payment_id);

//Construct signature using payload, payment data and your merchant_private
//Make sure the order_amount is number to prevent remove any unwanted zeroes
const string = payment.order_id + Number(payment.order_amount) + payload.hash + merchantPrivate;
const calculatedSignature = createHash('sha256').update(string).digest('hex'); //hex digest

// Compare signatures
if (payload.signature === calculatedSignature) {
  // Signature verification successful
  // Proceed to credit user
} else {
  // Signature verification failed
  // Reject webhook data or take appropriate action
}