webhook validation

SiftScience · Dec 29, 2021 · 186d0cc · 186d0cc
1 parent 1a830b1
commit 186d0cc
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 0 deletions.
diff --git a/src/main/java/com/siftscience/utils/WebhookValidator.java b/src/main/java/com/siftscience/utils/WebhookValidator.java
@@ -0,0 +1,16 @@
+package com.siftscience.utils;
+
+import org.apache.commons.codec.digest.HmacAlgorithms;
+import org.apache.commons.codec.digest.HmacUtils;
+
+public class WebhookValidator {
+    private static final String  SHA1 = "sha1=";
+
+    public static boolean isValidWebhook(String siftScienceSignature, String requestBody, String secretKey) {
+        String verificationSignature = SHA1 + new HmacUtils(HmacAlgorithms.HMAC_SHA_1, secretKey).hmacHex(requestBody);
+        if(siftScienceSignature.equals(verificationSignature))
+            return true;
+        else
+            return false;
+    }
+}
diff --git a/src/test/java/com/siftscience/WebhookValidatorTest.java b/src/test/java/com/siftscience/WebhookValidatorTest.java
@@ -0,0 +1,48 @@
+package com.siftscience;
+
+import com.siftscience.utils.WebhookValidator;
+import org.apache.commons.codec.digest.HmacAlgorithms;
+import org.apache.commons.codec.digest.HmacUtils;
+import org.junit.Assert;
+import org.junit.Test;
+
+public class WebhookValidatorTest {
+
+    @Test
+    public void testWebhookValidation() {
+
+        final String secretKey = "1d708fe409f22591";
+        final String requestBody = "{\n" +
+                "  \"entity\": {\n" +
+                "    \"type\": \"user\",\n" +
+                "    \"id\": \"USER123\"\n" +
+                "  },\n" +
+                "  \"decision\": {\n" +
+                "    \"id\": \"block_user_payment_abuse\"\n" +
+                "  },\n" +
+                "  \"time\": 1461963439151\n" +
+                "}";
+       final String signature = "sha1=" + new HmacUtils(HmacAlgorithms.HMAC_SHA_1, secretKey).hmacHex(requestBody);
+
+        Assert.assertTrue(WebhookValidator.isValidWebhook(signature, requestBody, secretKey));
+    }
+
+    @Test
+    public void testWebhookValidationForInvalidSecretKey() {
+
+        final String secretKey = "1d708fe409f22591";
+        final String requestBody = "{\n" +
+                "  \"entity\": {\n" +
+                "    \"type\": \"user\",\n" +
+                "    \"id\": \"USER123\"\n" +
+                "  },\n" +
+                "  \"decision\": {\n" +
+                "    \"id\": \"block_user_payment_abuse\"\n" +
+                "  },\n" +
+                "  \"time\": 1461963439151\n" +
+                "}";
+        final String signature = "sha1=" + new HmacUtils(HmacAlgorithms.HMAC_SHA_1, secretKey).hmacHex(requestBody);
+
+        Assert.assertFalse(WebhookValidator.isValidWebhook(signature, requestBody, "invalid key"));
+    }
+}