All webhooks from the Astra platform include the Astra-Verification header, which can be used to verify that a webhook genuinely came from Astra. The header carries a Base64-encoded HMAC-SHA256 tag computed over the webhook payload and keyed with your CLIENT_SECRET.
To verify a webhook, Base64-decode the header value and compare it, using a constant-time comparison, to the HMAC-SHA256 you compute on your backend server from the same secret and payload. A webhook whose header is missing or does not match must be rejected.
# Python example of HMAC verification of the Astra-Verification header:

```python
import base64
import hashlib
import hmac
import json
import os

# Reject the request outright if the header is absent; base64.b64decode(None)
# would otherwise raise a TypeError unrelated to verification.
astra_verification_header = webhook_request.headers.get("Astra-Verification")
if astra_verification_header is None:
    raise Exception("Astra-Verification header missing")
decoded_astra_verification_header = base64.b64decode(astra_verification_header)

# The tag is computed over json.dumps() of the parsed JSON body, so the raw
# request bytes must be parsed first (json.dumps() cannot take bytes).
payload = json.loads(webhook_request.get_data())
client_secret = os.environ["ASTRA_CLIENT_SECRET"].encode("utf-8")

hmac_obj = hmac.new(client_secret, json.dumps(payload).encode("utf-8"), digestmod=hashlib.sha256)
hmac_digest = hmac_obj.digest()

# compare_digest runs in constant time, so a mismatch does not leak which byte differed.
if hmac.compare_digest(decoded_astra_verification_header, hmac_digest):
    print("Astra Webhook Verified")
else:
    raise Exception("Astra Webhook not verified!")
```
The string produced by json.dumps(payload) (the message passed to hmac.new()) uses Python's default separators, so it contains a space after each comma and colon, as in this example:

{"webhook_type": "routine_updated", "resource_id": "4816908952010752", "user_id": "93k08a40d032o54f748773f", "webhook_id": "a5df3ed9-00000-0000-96cb-150e3fe3e31d"}

The HMAC covers exactly these bytes, so your serialization must match them byte for byte: a compact encoding with no spaces, sorted keys, or any other reordering of the fields yields a different digest and the check fails. Parse the body with the standard json module and re-serialize it with json.dumps() and its default arguments, as in the example above, without sorting or reformatting keys.