
Checking Webhook Signatures

by Naoki.URAI✅

Verify requests from a Stripe webhook in Perl.

Step 1: Extract the timestamp and signatures from the header

# Header format: t=<unix timestamp>,v1=<hex signature>[,...]
my ($timestamp, $v1) = $req->header('Stripe-Signature') =~ m|t=(\d+),v1=([0-9a-f]+)|;

Step 2: Prepare the signed_payload string

# content-type: application/json

my $json = $req->content();

my $data = $timestamp.'.'.$json;

Step 3: Determine the expected signature

use Digest::SHA qw();

my $secret = 'whsec_000000000000000000000';

my $digest = Digest::SHA::hmac_sha256_hex($data, $secret);

Step 4: Compare signatures

# Reject the request unless the computed and received signatures match
$digest eq $v1 or die "invalid request signature";
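
The four steps above combined into one routine, as an added example (not the original author's code). It goes slightly beyond the steps: the header is parsed by key so several v1 values are accepted, timestamps outside a tolerance window are rejected to limit replay, and the comparison runs in constant time. The function names, the 300-second tolerance and the sample event are assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Constant-time comparison of two strings, so the time taken does not
# reveal how many leading characters matched.
sub secure_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns 1 when the header carries a fresh timestamp and at least one v1
# signature equal to HMAC-SHA256("$t.$payload", $secret); otherwise 0.
sub verify_stripe_signature {
    my ($header, $payload, $secret, $tolerance, $now) = @_;
    $tolerance //= 300;      # assumed replay window, in seconds
    $now       //= time;
    my ($t, @v1);
    for my $part (split /,/, $header // '') {
        my ($k, $v) = split /=/, $part, 2;
        next unless defined $v;
        if    ($k eq 't'  && $v =~ /\A\d+\z/)          { $t = $v }
        elsif ($k eq 'v1' && $v =~ /\A[0-9a-f]{64}\z/) { push @v1, $v }
    }
    return 0 unless defined $t && @v1;            # malformed or missing header
    return 0 if abs($now - $t) > $tolerance;      # stale or future timestamp
    my $expected = hmac_sha256_hex("$t.$payload", $secret);
    my $ok = 0;
    $ok |= secure_eq($expected, $_) ? 1 : 0 for @v1;   # check every v1 value
    return $ok;
}

# Constructed sample input (not real Stripe data).
my $secret  = 'whsec_000000000000000000000';
my $payload = '{"id":"evt_test","type":"ping"}';
my $t       = 1700000000;
my $good    = hmac_sha256_hex("$t.$payload", $secret);
my $header  = "t=$t,v1=" . ('0' x 64) . ",v1=$good";

print "valid:    ", verify_stripe_signature($header, $payload, $secret, 300, $t + 10), "\n";
print "replayed: ", verify_stripe_signature($header, $payload, $secret, 300, $t + 3600), "\n";
print "tampered: ", verify_stripe_signature($header, $payload . ' ', $secret, 300, $t + 10), "\n";
```

Pass the raw request body as `$payload`; re-serialized JSON will not produce the same HMAC.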
