Instagram how to verify X-Hub-Signature in php

Question

What's the right way to verify X-Hub-Signature in php?

I tried with

$xHubSignature = $request->getHeader('X-Hub-Signature');
$postdata = file_get_contents("php://input");
$body = $request->getRawBody( );
$check = sha1('mysecret'.$postdata);

but it doesn't work.

Answer 1

hash_hmac( 'sha1', $postdata,'mysecret') 

thanks to Payom Dousti

https://groups.google.com/forum/?fromgroups=#!topic/instagram-api-developers/7nKyipJENdI

Answer 2

To verify X-Hub-Signature header sent by Instagram or Facebook webhook callback in PHP version 5.6 or higher, you could use:

if ( hash_equals('sha1=' . hash_hmac('sha1', $postdata, 'mysecret'), 
                 $_SERVER['HTTP_X_HUB_SIGNATURE'] )

This is better than using == or === since hash_equals method would prevent timing attacks.