compwright/x-hub-signature

X-Hub-Signature webhook signing utility for PHP

Fund package maintenance!
compwright

v1.0.0 2024-04-10 01:11 UTC

This package is auto-updated.

Last update: 2024-12-10 02:31:35 UTC


README

Sponsor on GitHub

X-Hub-Signature is a compact way to validate webhooks from Facebook, GitHub, or any other source that uses this signature scheme.

Care has been taken to avoid security issues, including timing attacks.

Getting Started

To install:

composer require compwright/x-hub-signature

Usage

Sign a buffer containing a request body:

<?php

use Compwright\XHubSignature;
use InvalidArgumentException;

$signer = new XHubSignature\Sha256();

// Generate the signature header for an outbound webhook, i.e.
//
//   X-Hub-Signature-256: sha256=...
//
$headerName = $signer->getHeaderName();
$headerValue = $signer->sign($requestBody, $secret);
$signatureHeader = $headerName . ': ' . $headerValue;

// Verify an inbound webhook
$isValid = $signer->verify($signatureHeaderValue, $requestBody, $secret);
if ($isValid === false) {
    throw new InvalidArgumentException('Bad Request');
}

License

MIT License