
Verifying the webhook signature

Always verify the signature to make sure the webhook really originates from SahelPay.

Signature format

X-SahelPay-Signature: t=1734540000,v1=abc123def456...
  • t = UNIX timestamp (seconds)
  • v1 = HMAC-SHA256 signature

Algorithm

signature = HMAC_SHA256(webhook_secret, "${timestamp}.${raw_body}")

Implementation

import crypto from 'crypto';

function verifySignature(rawBody, signatureHeader, secret) {
  // Parse "t=...,v1=..." into a key/value map
  const parts = {};
  signatureHeader.split(',').forEach(p => {
    const [key, value] = p.split('=', 2);
    parts[key] = value;
  });

  const timestamp = parts['t'];
  const signature = parts['v1'];
  if (!timestamp || !signature) {
    return false;
  }

  // Replay protection (5 min). parseInt of a missing or garbled value
  // yields NaN, and "NaN > 300" is false, so check for it explicitly
  const now = Math.floor(Date.now() / 1000);
  const ts = parseInt(timestamp, 10);
  if (Number.isNaN(ts) || Math.abs(now - ts) > 300) {
    return false;
  }

  // Recompute the signature over "timestamp.rawBody" (the raw bytes as received)
  const payload = `${timestamp}.${rawBody}`;
  const expected = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  // timingSafeEqual throws when the buffers differ in length, so compare lengths first
  const a = Buffer.from(signature);
  const b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

Replay protection

The timestamp lets you reject webhooks that are too old (> 5 minutes), protecting against replay attacks.