Marian
TTwenty
Created by Marian on 4/16/2025 in #❓︱help
Are webhook secrets actually used? How?
For the record, I managed to implement the signature verification in Go.
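```go
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// secret is the webhook secret; assumed here to be a package-level variable set elsewhere.
var secret string

// createSignature returns the hex-encoded HMAC-SHA256 of "timestamp:payload".
func createSignature(timestamp string, secret string, payload []byte) string {
	stringToSign := fmt.Sprintf("%s:%s", timestamp, string(payload))
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(stringToSign))
	return hex.EncodeToString(mac.Sum(nil))
}

// validateSignature recomputes the signature and compares it with the received one.
func validateSignature(signature string, timestamp string, payload []byte) error {
	if signature == "" {
		return errors.New("signature is empty")
	}
	if timestamp == "" {
		return errors.New("timestamp is empty")
	}
	if payload == nil {
		return errors.New("payload is nil")
	}

	expectedSignature := createSignature(timestamp, secret, payload)
	// hmac.Equal compares in constant time; != would leak timing information.
	if !hmac.Equal([]byte(signature), []byte(expectedSignature)) {
		return errors.New("signature mismatch")
	}

	return nil
}
```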
19 replies
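An added example (not part of the thread and not Twenty's own code) for the clock question raised in this thread: the receiver verifies with the timestamp string that arrived with the delivery, so its own clock is only used for a coarse freshness check. The Unix-millisecond timestamp format and the five-minute `maxSkew` are assumptions, and the sample values are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"time"
)

const maxSkew = 5 * time.Minute // assumed tolerance; the thread does not give one

// sign follows the scheme in the post above: hex(HMAC-SHA256("timestamp:payload")).
func sign(timestamp, secret string, payload []byte) string {
	mac := hmac.New(sha256.New, []byte(secret))
	mac.Write([]byte(timestamp + ":"))
	mac.Write(payload)
	return hex.EncodeToString(mac.Sum(nil))
}

// verify uses the timestamp the sender transmitted, never the local clock, to
// recompute the MAC; now only bounds how old (or far ahead) a delivery may be.
func verify(sigHex, timestamp, secret string, payload []byte, now time.Time) error {
	got, err := hex.DecodeString(sigHex)
	if err != nil || len(got) != sha256.Size {
		return fmt.Errorf("malformed signature")
	}
	want, _ := hex.DecodeString(sign(timestamp, secret, payload))
	if !hmac.Equal(got, want) { // constant-time comparison
		return fmt.Errorf("signature mismatch")
	}
	ms, err := strconv.ParseInt(timestamp, 10, 64) // assumption: Unix milliseconds, decimal
	if err != nil {
		return fmt.Errorf("malformed timestamp")
	}
	if d := now.Sub(time.UnixMilli(ms)); d > maxSkew || d < -maxSkew {
		return fmt.Errorf("timestamp outside %s window", maxSkew)
	}
	return nil
}

func main() {
	now := time.UnixMilli(1744800000000) // constructed sample values below
	ts, body := "1744799990000", []byte(`{"event":"person.created"}`)
	sig := sign(ts, "constructed-secret", body)
	fmt.Println(verify(sig, ts, "constructed-secret", body, now))
	fmt.Println(verify(sig, ts, "constructed-secret", body, now.Add(time.Hour)))
}
```

The payload passed to `verify` must be the raw request body bytes as received; re-serializing parsed JSON can change the bytes and break the MAC.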
Yes, that is clear now, thank you!
At least my current understanding is that in order to verify the signature, I have to reproduce the signature creation on the webhook server side. And that would require having the exact same timestamp.
Does this mean that Twenty server, Twenty worker, and webhook server are required to have their clocks synchronized to the millisecond?
Thanks for the reply! Before I make an effort implementing this (in Go, in my case), I wonder: what exact format and resolution is timestamp supposed to have? Is it the current time on the webhook server?