Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

docs: add info for webhook signature validation #3022

Open
melissahenderson opened this issue Oct 8, 2024 · 0 comments
Open

docs: add info for webhook signature validation #3022

melissahenderson opened this issue Oct 8, 2024 · 0 comments
Assignees
Labels
user-doc-priority: medium User doc priority is medium user-docs

Comments

@melissahenderson
Copy link
Contributor

This was requested by Radu. He and Max may be good resources if there are questions.

If an ASE wants to use a signature, the SIGNATURE_SECRET environment variable is optional, so the ASE can opt in or opt out. We should point this out in the Admin API(s) and somewhere in the Webhook Events page, rather than making signatures its own page.

For the webhooks, Radu suggested something like this as well as code snippets.

  1. Go to https://docs.stripe.com/webhooks?lang=node&verify=verify-manually#verify-official-libraries
  2. Click the Verify Manually tab

The steps in the Stripe doc are:

  1. Extract the timestamp and signatures from the header (in our case the timestamp is in the Rafiki-Signature header)
  2. Prepare the signed_payload string (in our case, the payload string is the request body [the data Rafiki sends to the ASE])
  3. Determine the expected signature
  4. Compare the signatures
@brad-dow brad-dow self-assigned this Oct 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
user-doc-priority: medium User doc priority is medium user-docs
Projects
Status: In Progress
Status: Backlog
Development

No branches or pull requests

2 participants