checkout / checkout-sdk-java

Checkout.com SDK for Java
MIT License

webhook signature verification problem #325

Closed 846763951 closed 1 year ago

846763951 commented 1 year ago

When receiving a webhook notification, we use EventResponse to receive it, but there is a problem: we want to hash it to generate the HMAC. Should we hash EventResponse.getData() with the provided key to generate the HMAC, or should we hash the EventResponse itself with the supplied key to generate the HMAC?

846763951 commented 1 year ago

```java
@RequestMapping("/notify")
public R notify(@RequestBody EventResponse eventResponse,
                @RequestHeader(value = "Cko-Signature", required = false) String ckoSignature) {
    log.info("CheckoutNotify:{}", eventResponse);
    // Signature verification of ckoSignature against the request goes here
}
```

a-ibarra commented 1 year ago

Hi @846763951, why do you want to do this inside the SDK? Can't you just grab the response object and hash it? This is some custom behaviour. What we can do, and it is one of the top things on my list right now, is to make all the requests and responses not final, so that everyone can implement their own behaviour as needed.

846763951 commented 1 year ago

Ok, got it! Another question: what happens when we configure two different webhook addresses? Will both addresses receive callbacks, or only one?

armando-rodriguez-cko commented 1 year ago

Hi @846763951,

You can read in the documentation: "...Using signatures is simple. All you need to do is take the webhook's body and apply the SHA-256 hash function to it, using your key as the hash key. You then compare the resulting HMAC to the one contained in the Cko-Signature header. If the HMACs are identical, then the data corresponds to what we sent. If they are different, this indicates that the data has been intercepted and altered in some way..."

https://www.checkout.com/docs/workflows/set-up-your-webhook-receiver#Webhook_signatures

I hope it has helped you.

846763951 commented 1 year ago

Hi @armando-ibarra-cko, I am using the documented method, but the generated HMAC is not equal to the header!
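The documented check quoted above is an HMAC-SHA256 over the webhook body, keyed with the webhook's signature key, compared against the Cko-Signature header. The detail that matters in practice, and the usual reason the computed value does not match the header, is that "the webhook's body" means the exact bytes that arrived on the wire. A body that has been bound to an EventResponse and serialised again (different whitespace, different key order), or only the nested data object, produces different bytes and therefore a different HMAC. In a Spring controller that means taking the body as `byte[]` (or `String`) rather than `@RequestBody EventResponse`, verifying it, and only then mapping it to EventResponse with your JSON mapper. The following is an added example written for this thread, not code from the checkout-sdk-java project or from the Checkout.com documentation. It assumes the header carries the HMAC as a lowercase hex string (check the linked docs for the exact encoding your account uses); the key and JSON body are constructed placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Locale;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class CkoWebhookSignature {

    // Lowercase hex encoding of a byte array. The Cko-Signature header is assumed
    // (not confirmed by this thread) to carry the HMAC in this form.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // HMAC-SHA256 over the raw request body bytes, keyed with the webhook signature key.
    static String hmacSha256Hex(byte[] rawBody, String key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return hex(mac.doFinal(rawBody));
    }

    // Constant-time comparison so a wrong signature does not leak how many leading
    // characters matched. A missing header is treated as a failed check.
    static boolean verify(byte[] rawBody, String key, String ckoSignature) throws Exception {
        if (ckoSignature == null) {
            return false;
        }
        byte[] expected = hmacSha256Hex(rawBody, key).getBytes(StandardCharsets.US_ASCII);
        byte[] provided = ckoSignature.trim().toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, provided);
    }

    public static void main(String[] args) throws Exception {
        String key = "example-webhook-key"; // constructed placeholder, not a real key

        // Constructed sample body: these are the bytes exactly as they would arrive on the wire.
        byte[] rawBody = "{\"id\":\"evt_123\",\"type\":\"payment_approved\",\"data\":{\"id\":\"pay_456\"}}"
                .getBytes(StandardCharsets.UTF_8);

        // Stand-in for the sender: the header value is the HMAC of the raw bytes.
        String header = hmacSha256Hex(rawBody, key);

        System.out.println("raw body verifies:        " + verify(rawBody, key, header));

        // Same JSON meaning after a deserialise/serialise round trip, but different bytes
        // (spacing and key order changed), so the HMAC no longer matches the header.
        byte[] reserialised = "{\"type\": \"payment_approved\", \"id\": \"evt_123\", \"data\": {\"id\": \"pay_456\"}}"
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("re-serialised verifies:   " + verify(reserialised, key, header));

        // Hashing only the nested data object, as asked in the thread, cannot match either.
        byte[] dataOnly = "{\"id\":\"pay_456\"}".getBytes(StandardCharsets.UTF_8);
        System.out.println("data field only verifies: " + verify(dataOnly, key, header));
    }
}
```

Run with `java CkoWebhookSignature.java` (Java 11 or later). Only the first check passes; the re-serialised body and the data-only body both fail, which is the mismatch reported in the last comment whenever the HMAC is computed over anything other than the original bytes. Keep the signature key out of source control and reject any request whose header is absent or fails the comparison before the payload is handed to business logic.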