Signature verification is mandatory: it ensures that a webhook you receive was sent by Dex3 and was not tampered with in transit.
Overview
Signature verification is a crucial step in ensuring the authenticity and integrity of data received from webhooks. By recomputing the signature and comparing it with the one carried in the webhook payload, you can confirm that the data originated from Dex3 servers (only Dex3 and you know your merchant_private) and has not been modified during transit.
Process
- Receive the webhook at your endpoint and extract the `signature` field from its payload.
- Construct the pre-hash string: concatenate the following parameters, in this order, into a single string. order_id and order_amount are taken from your own database record for the payment, not from the webhook payload.

| Item | Description |
|---|---|
| order_id | Your internally created order_id |
| order_amount | The order_amount you passed for this payment, cast to a number |
| hash | The hash of the transaction, as sent in the webhook payload |
| merchant_private | Your private key (never sent in the webhook) |

- Apply the hash function: compute the SHA-256 digest of the pre-hash string and encode it as lowercase hex. (See code example below.)
- Compare signatures: compare the calculated hex digest with the signature extracted from the webhook payload, using a constant-time comparison where your platform provides one. If the two values match, the signature is valid and the data integrity is confirmed. If they do not match, stop processing: do not credit the user or update the payment.
```javascript
import { createHash, timingSafeEqual } from 'crypto'; // built into Node.js, no package install needed
// Your config (merchant_private must never be exposed to clients)
const merchantPrivate = process.env.PRIVATE_KEY;
const payload = req.body;
// Look up your own payment row; order_id and order_amount come from your database, not from the payload
const payment = await getPaymentData(payload.payment_id);
// Construct the pre-hash string from the payment row, the payload hash and your merchant_private
// Cast order_amount to Number so formatting differences such as "100.00" vs 100 do not change the string
const string = payment.order_id + Number(payment.order_amount) + payload.hash + merchantPrivate;
const calculatedSignature = createHash('sha256').update(string).digest('hex'); // hex digest
// Compare signatures in constant time (timingSafeEqual requires equal-length buffers, so check length first)
const received = Buffer.from(String(payload.signature ?? ''), 'hex');
const expected = Buffer.from(calculatedSignature, 'hex');
if (received.length === expected.length && timingSafeEqual(received, expected)) {
  // Signature verification successful
  // Proceed to credit user
} else {
  // Signature verification failed
  // Reject the webhook (e.g. respond with 400) and do not credit the user
}
```