Signature verification - add mechanism

[LumpiStefan]

Now i have the next issue, but I expect that this may be more an feature request...
I´m trying to use the signature to verify the correct usage of the webhook.
The webhook-sender is sending two headers:
-Signature
-Timestamp
Signature is the HMAC SHA-256 of the request body. Timestamp contains a timestamp associated with this request.
Now the problem is, that the timestamp is included in the HMAC calculation.
Complete documentation of the process is here: https://help.usersnap.com/docs/webhook

Any idea how I solve this? Any prebuild function for this?

Stefan

[moorereason]

Webhook doesn't allow you to append to the HMAC data prior to validation. The best approach today would be to handle this validation in an external script.

[LumpiStefan]

Thanks for the reply.
I already expected that answer. ;-)
Is there any way to use the internal hmac function in any way to do the "base-work"?
I tried "pass-environment-to-command": [ { "envname": "HMAC", "type": "payload-hmac-sha256", "secret": "secret" },
but that does not deliever any data to the environment variable.
Or, on the other hand, how can I pass the entire payload to my script? As I have a multipart form, it might be more complex...

Stefan

[adnanh]

Ugh, at the moment it's not possible to pass the raw payload to the command (only parsed json), however, maybe it could be possible by using the work done on the feature/context-provider-command branch

[LumpiStefan]

Ok. So, any suggestions from your side, how I can handle the Authentication Approach from usersnap?
Is it possible to pass the standard "HMAC Result" to the script and calculate the "end value" within the script? I think that would be the easiest approach....

[ltimms24]

I have the exact same requirement from another platform (https://developer.officernd.com/docs/webhooks-getting-started).
Has there been any further progress on this?