line-bot-sdk-java icon indicating copy to clipboard operation
line-bot-sdk-java copied to clipboard

Published 20 hours ago verified publisher icon line

Add option to skip signature verification

Open habara-k opened this issue 6 months ago • 0 comments

Changes

  • Allow skipping signature verification for webhooks

Motivation

The signature returned with webhooks is calculated using a single channel secret. If the bot owner changes their channel secret, the signature for webhooks starts being calculated using the new channel secret. To avoid signature verification failures, the bot owner must update the channel secret on their server, which is used for signature verification. However, if there is a timing mismatch in the update—and such a mismatch is almost unavoidable—verification will fail during that period.

In such cases, having an option to skip signature verification for webhooks would be a convenient way to avoid these issues.

habara-k avatar May 23 '25 09:05 habara-k