Validate Hosted Checkout Webhook Signature

Question

question

robcb1 asked Jul 14, '23 parquet76 answered Jul 14, '23

Validate Hosted Checkout Webhook Signature

Hi!

Please guide me to the proper way to validate the Clover Signature from the webhook.

I am referencing docs found here:https://docs.clover.com/docs/ecomm-hosted-checkout-webhook#clover-signature-header

For step 2, what 'second string' does the documentation refer to?

I'm using node.js, and this is what I am doing so far:

  
const crypto = require("crypto");
const payload = JSON.parse(event.body);

  const cloverHeader = event.multiValueHeaders["Clover-Signature"][0];
  console.log("cloverHeader: ", cloverHeader);

  const cloverTimestamp = cloverHeader.split(",")[0];
  const v1 = cloverHeader.split(",")[1];
  const cloverTimestampValue = cloverTimestamp.split("=")[1];
  const v1Value = v1.split("=")[1];
  const appendedValue = `${cloverTimestampValue}.${payload}`;

  const hmac = crypto.createHmac("sha256", CLOVER_WEBHOOK_KEY);
 
  const dta = hmac.update(appendedValue);
  const hashed2 = dta.digest("base64");
  console.log("hashed2: ", hashed2);
  console.log("cloverTimestampValue: ", cloverTimestampValue);
  console.log("v1Value: ", v1Value);

My problem is that my hashed value is not the same as the value from the Clover Signature (v1). I must be combining the wrong values.

Your guidance is greatly appreciated.

Thanks.

Webhooks

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

Welcome to the
Clover Developer Community

Answer 1 · 2023-07-14T22:30:47Z

parquet76 answered Jul 14, '23

Why are you base64 encoding the hash? There is nothing in the Clover docs that I can see that indicates that you should be.

10 |2000

Attachments: Up to 2 attachments (including images) can be used with a maximum of 512.0 KiB each and 1.0 MiB total.

question