
docs: add info for webhook signature validation

Open melissahenderson opened this issue 4 months ago • 1 comment

This was requested by Radu. He and Max may be good resources if there are questions.

If an ASE wants to use a signature, the SIGNATURE_SECRET environment variable is optional, so the ASE can opt in or opt out. We should point this out in the Admin API(s) and somewhere in the Webhook Events page, rather than making signatures its own page.

For the webhooks, Radu suggested something like this as well as code snippets.

  1. Go to https://docs.stripe.com/webhooks?lang=node&verify=verify-manually#verify-official-libraries
  2. Click the Verify Manually tab

The steps in the Stripe doc are:

  1. Extract the timestamp and signatures from the header (in our case the timestamp is in the Rafiki-Signature header)
  2. Prepare the signed_payload string (in our case, the payload string is the request body [the data Rafiki sends to the ASE])
  3. Determine the expected signature
  4. Compare the signatures

melissahenderson avatar Oct 08 '24 11:10 melissahenderson