Verify hub.secret using PHP

I am trying to work with the hub.secret. I send my secret but am unsure how to validate the hash as it comes back.

I successfully grab the X-Hub-Signature, but from there I haven't a clue how to compare it to my secret code.

I haven’t touched PHP in a while, but it should look roughly like this:

```php
// If the request is a POST request then we're getting a real webhook callback.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Default to not verified state.
    $isVerified = false;
    // Get the signature from the headers (empty string if the header is missing)
    $sig = $_SERVER['HTTP_X_HUB_SIGNATURE'] ?? '';
    // Only test if there's possibly a signature
    if ($sig !== '') {
        // Read the raw POST data
        $data = file_get_contents('php://input');
        // Calculate a hash and prepend the algorithm to match the signature.
        // $mySecret is the value sent as hub.secret when subscribing.
        $hash = 'sha256=' . hash_hmac('sha256', $data, $mySecret);
        // Compare the calculated and signature hash strings in constant time
        $isVerified = hash_equals($hash, $sig);
    }
    // ... Go on forth!
}
```
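
A reusable form of the check in the answer above, as an added example that is not part of the original thread: it parses the algorithm prefix from the header, accepts only allow-listed algorithms, and rejects missing or malformed signatures before comparing in constant time. The function name `verifyHubSignature`, the secret and the request body are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not from the thread): verify an
 * X-Hub-Signature header of the form "<algo>=<hex digest>".
 */
function verifyHubSignature(string $rawBody, string $header, string $secret,
                            array $allowedAlgos = ['sha256']): bool
{
    // Split "sha256=abcdef..." into algorithm and digest; reject anything else.
    $parts = explode('=', $header, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$algo, $theirDigest] = [strtolower($parts[0]), strtolower($parts[1])];

    // Never let the sender pick an arbitrary algorithm: allow-list only.
    if (!in_array($algo, $allowedAlgos, true)) {
        return false;
    }
    // The digest must be hex; a wrong length simply fails the comparison below.
    if (!ctype_xdigit($theirDigest)) {
        return false;
    }
    // Recompute the HMAC over the exact bytes received, not a re-encoded body.
    $ourDigest = hash_hmac($algo, $rawBody, $secret);

    // hash_equals() compares in constant time, unlike === or ==.
    return hash_equals($ourDigest, $theirDigest);
}

// Constructed sample values for demonstration only.
$secret = 'constructed-demo-secret';
$body   = '{"data":[{"id":"1234"}]}';
$header = 'sha256=' . hash_hmac('sha256', $body, $secret);

var_dump(verifyHubSignature($body, $header, $secret));             // genuine request
var_dump(verifyHubSignature($body . ' ', $header, $secret));       // body altered in transit
var_dump(verifyHubSignature($body, 'md5=' . md5($body), $secret)); // algorithm not allow-listed
var_dump(verifyHubSignature($body, 'sha256', $secret));            // malformed header
var_dump(verifyHubSignature($body, '', $secret));                  // header missing
```

In a real handler, pass the result of `file_get_contents('php://input')` as `$rawBody` and stop processing the request when the function returns `false`.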

Thank you for this. I’ll give it a try and report back.
