Woleet can sign its callbacks with an HMAC-SHA1 function.
To enable this feature, go to Woleet ProofDesk (Account settings -> API) and generate a secret that will be used to sign the callback body.
The signature is passed to your service in the x-woleet-signature header.
Here is some sample code you can use to verify this signature:
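
Node.js:

const crypto = require('crypto')

// secret: your signing secret
// body: the callback's body
// signature: the callback's signature (x-woleet-signature header)
// Returns false when the signature is NOT valid.
function isValidSignature (secret, body, signature) {
  // Generate the signature
  const hash = crypto.createHmac('sha1', secret).update(body).digest('base64')
  // Check that the signatures match, using a constant-time comparison
  const expected = Buffer.from(hash)
  const received = Buffer.from(String(signature))
  return expected.length === received.length &&
    crypto.timingSafeEqual(expected, received)
}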
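
Java:

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class CallbackSignature {
  // secret: your signing secret
  // body: the callback's body
  // signature: the callback's signature (x-woleet-signature header)
  // Returns false when the signature is NOT valid.
  public static boolean isValid(String secret, String body, String signature)
      throws GeneralSecurityException {
    SecretKeySpec keySpec =
        new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA1");
    // Generate the signature
    Mac mac = Mac.getInstance("HmacSHA1");
    mac.init(keySpec);
    byte[] hash = mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
    // Check that the signatures match, using a constant-time comparison
    byte[] expected = Base64.getEncoder().encode(hash);
    return MessageDigest.isEqual(expected, signature.getBytes(StandardCharsets.UTF_8));
  }
}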
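
The following is an added example, not Woleet's own code: it verifies the x-woleet-signature header over the exact bytes received and parses the body only after the check passes, which shows why a re-serialized body no longer matches. The function names, the sample secret and the sample body are constructed for illustration, and the body is assumed to be JSON.

```javascript
const crypto = require('crypto')

// Constructed sample values (not real Woleet data). The extra spaces in the
// body are deliberate: they disappear if the JSON is parsed and re-serialized.
const SAMPLE_SECRET = 'constructed-test-secret'
const SAMPLE_BODY = Buffer.from('{"example":"constructed",  "n":1}')

// Base64 HMAC-SHA1 of the raw body bytes, as described on this page.
function sign (secret, rawBody) {
  return crypto.createHmac('sha1', secret).update(rawBody).digest('base64')
}

// headers: lower-cased header map, as Node's http module provides it.
// rawBody: Buffer holding the request body exactly as received.
function verifyCallback (secret, rawBody, headers) {
  const header = headers['x-woleet-signature']
  if (typeof header !== 'string') return { ok: false, reason: 'missing signature' }
  const expected = Buffer.from(sign(secret, rawBody))
  const received = Buffer.from(header)
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (expected.length !== received.length ||
      !crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: 'bad signature' }
  }
  // Parse only after the body has been authenticated.
  try {
    return { ok: true, payload: JSON.parse(rawBody.toString('utf8')) }
  } catch {
    return { ok: false, reason: 'invalid JSON' }
  }
}

// Runs the check on the constructed callback and on three failure cases.
function demo () {
  const headers = { 'x-woleet-signature': sign(SAMPLE_SECRET, SAMPLE_BODY) }
  const reserialized = Buffer.from(JSON.stringify(JSON.parse(SAMPLE_BODY.toString('utf8'))))
  return {
    valid: verifyCallback(SAMPLE_SECRET, SAMPLE_BODY, headers),
    reserialized: verifyCallback(SAMPLE_SECRET, reserialized, headers),
    wrongSecret: verifyCallback('some-other-secret', SAMPLE_BODY, headers),
    missing: verifyCallback(SAMPLE_SECRET, SAMPLE_BODY, {})
  }
}

console.log(demo())
```

In a web framework, make sure the handler has access to the unparsed request bytes; a body-parsing middleware that only exposes the decoded object leaves nothing reliable to verify.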