Omnibasis uses the SHA256 hash algorithm to create an API signature.


When a webhook call is made, Omnibasis creates a signature by hashing the HTTP request's body. An application subscribed to a webhook should hash the received body and check that the result equals the value received in the abp-webhook-signature header.



Using Omnibasis API to validate signature

You can use the API call https://api.omnibasis.com/webhooks/Webhooks/WebHookTest?secret={YOUR_SECRET_KEY} to test the API signature. It will execute the call described below.


  1. In the header of the call, you need to provide abp-webhook-signature.
  2. In the URL, you need to replace {YOUR_SECRET_KEY} with a key from subscription details.
  3. The request body should contain the data information.



Using Postman


You can use Postman to test the above call with a body.

Example of Webhook Verification in C#


In the example below, you need to replace YOURWEBHOOKSECRET with the secret key obtained from the Webhook subscription API.


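// Required namespaces:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

// Place both methods inside your ASP.NET Core controller class.
[HttpPost]
public async Task WebHookTest()
{
    using (StreamReader reader = new StreamReader(HttpContext.Request.Body, Encoding.UTF8))
    {
        var body = await reader.ReadToEndAsync();

        // Read the webhook secret from user secrets rather than hard-coding it.
        if (!IsSignatureCompatible("YOURWEBHOOKSECRET", body))
        {
            throw new Exception("Unexpected Signature");
        }
        // It is certain that the webhook has not been modified.
    }
}

private bool IsSignatureCompatible(string secret, string body)
{
    if (!HttpContext.Request.Headers.ContainsKey("abp-webhook-signature"))
    {
        return false;
    }

    // The header will be something like "sha256=whs_XXXXXXXXXXXXXX".
    // It starts with the hash method name (currently "sha256") and continues with the signature.
    // You can also check that the hash method is the one you expect.
    var receivedSignature = HttpContext.Request.Headers["abp-webhook-signature"].ToString().Split('=', 2);
    if (receivedSignature.Length != 2)
    {
        return false; // No "=" separator: malformed header.
    }

    string computedSignature;
    switch (receivedSignature[0])
    {
        case "sha256":
            var secretBytes = Encoding.UTF8.GetBytes(secret);
            using (var hasher = new HMACSHA256(secretBytes))
            {
                var data = Encoding.UTF8.GetBytes(body);
                computedSignature = BitConverter.ToString(hasher.ComputeHash(data));
            }
            break;
        default:
            return false; // Unsupported hash method: reject the request.
    }

    // Compare in constant time so the check does not reveal how many characters matched.
    return CryptographicOperations.FixedTimeEquals(
        Encoding.UTF8.GetBytes(computedSignature),
        Encoding.UTF8.GetBytes(receivedSignature[1]));
}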
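
For receivers not written in .NET, or to produce a header value for the Postman test, the following added example (not Omnibasis code) reproduces in Python the value the C# verifier above checks: `sha256=` followed by the HMAC-SHA256 of the body in `BitConverter.ToString` form (uppercase hex pairs joined by dashes). The function names, sample secret and sample body are constructed for illustration, and the wire format is inferred from the C# example rather than from a separate specification.

```python
import hashlib
import hmac
from typing import Optional

HEADER_NAME = "abp-webhook-signature"  # header name used on this page


def bitconverter_hex(digest: bytes) -> str:
    """Mimic .NET BitConverter.ToString: uppercase hex pairs joined by '-'."""
    return "-".join(f"{b:02X}" for b in digest)


def sign(secret: str, body: bytes) -> str:
    """Build the header value that the C# verifier above would accept."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).digest()
    return "sha256=" + bitconverter_hex(digest)


def verify(secret: str, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only for a well-formed, matching sha256 signature."""
    if not header_value:
        return False  # header missing or empty
    method, sep, received = header_value.partition("=")
    if sep != "=" or method != "sha256":
        return False  # malformed header or unsupported hash method
    expected = sign(secret, body).partition("=")[2]
    # compare_digest does not leak the position of the first mismatch.
    return hmac.compare_digest(expected.encode("ascii"),
                               received.encode("utf-8"))


if __name__ == "__main__":
    # Constructed sample values, not real Omnibasis data.
    secret = "whs_example_secret"
    body = b'{"event":"constructed.sample","data":{"id":1}}'
    header = sign(secret, body)
    print(f"{HEADER_NAME}: {header}")
    print("valid body:   ", verify(secret, body, header))
    print("tampered body:", verify(secret, body + b" ", header))
```

Verify against the raw request bytes exactly as received; re-serializing parsed JSON before hashing changes the bytes and the signature will no longer match.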