I can't find any information on what algorithm to use to decode WooCommerce webhook field X-Wc-Webhook-Signature in PHP. Does anyone know how to decode it?
Thanks!
To expand on the Laravel solution, this is how I created middleware to validate the incoming webhook.
Create middleware. The application that I am using keeps the WooCommerce consumer key and secret in a table assigned to a given store.
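namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
// ConsumerKeys is the application's own model; import it from wherever it lives.

class ValidateWebhook
{
    /**
     * Validate that the incoming request has been signed by the correct consumer key for the supplied store id
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure $next
     * @return mixed
     */
    public function handle(Request $request, Closure $next)
    {
        $signature = $request->header('X-WC-Webhook-Signature');
        if (empty($signature)) {
            return response(['Invalid key'], 401);
        }
        $store_id = $request['store'];
        $consumer_key = ConsumerKeys::fetchConsumerSecretByStoreId($store_id);
        // Reject unknown stores: an HMAC keyed with an empty secret can be forged by anyone.
        if (empty($consumer_key)) {
            return response(['Invalid key'], 401);
        }
        // Sign the raw request body, exactly as received.
        $payload = $request->getContent();
        $calculated_hmac = base64_encode(hash_hmac('sha256', $payload, $consumer_key, true));
        // hash_equals() compares in constant time; != does not.
        if (!hash_equals($calculated_hmac, $signature)) {
            return response(['Invalid key'], 401);
        }
        return $next($request);
    }
}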
Register the middleware in Kernel.php:
    'webhook' => \App\Http\Middleware\ValidateWebhook::class,
Protect the webhook route with the middleware:
    Route::post('webhook', 'PrintController@webhook')->middleware('webhook');
Expanding on the current answers, this is the PHP code snippet you need:
$sig = base64_encode(hash_hmac('sha256', $request_body, $secret, true));
Where $secret is your secret and $request_body is the request body, which can be fetched with file_get_contents('php://input').
The $sig value should then be equal to the X-Wc-Webhook-Signature request header.
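Added example, not part of either answer above and not WooCommerce's own code: a framework-free check built on the same base64(HMAC-SHA256) formula, using a constant-time comparison and showing that the signature only matches the raw bytes of the body, not a re-serialized copy of the JSON. The function name, secret and payload are constructed for illustration.

```php
<?php
// Added example. wc_signature_is_valid() is a hypothetical helper name.

/**
 * Return true only if $header equals base64(HMAC-SHA256($rawBody, $secret)).
 */
function wc_signature_is_valid(string $rawBody, ?string $header, string $secret): bool
{
    // An HMAC keyed with '' can be computed by anyone, so treat it as a failure.
    if ($secret === '' || $header === null || $header === '') {
        return false;
    }
    $expected = base64_encode(hash_hmac('sha256', $rawBody, $secret, true));
    // hash_equals() takes the same time wherever the strings differ,
    // unlike == or !=, which can leak how many leading bytes matched.
    return hash_equals($expected, $header);
}

// Constructed sample data (not real credentials or a real order).
$secret = 'example-webhook-secret';
$body   = '{"id": 42, "status": "processing", "total": "19.90"}';
// What the sender would put in X-Wc-Webhook-Signature for this body.
$header = base64_encode(hash_hmac('sha256', $body, $secret, true));

$cases = [
    'raw body as received'        => [$body, $header, $secret],
    // Same JSON, but decoding and re-encoding changes the bytes (whitespace).
    'body re-serialized via json' => [json_encode(json_decode($body, true)), $header, $secret],
    'body altered in transit'     => [str_replace('19.90', '0.01', $body), $header, $secret],
    'header missing'              => [$body, null, $secret],
    'secret lookup returned ""'   => [$body, $header, ''],
];

foreach ($cases as $label => [$b, $h, $s]) {
    printf("%-30s %s\n", $label, wc_signature_is_valid($b, $h, $s) ? 'accept' : 'reject');
}
```

In a real handler, pass file_get_contents('php://input') (or $request->getContent() in Laravel) as $rawBody before any JSON parsing takes place.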