Init

src/webhook/verify-signature.ts

@@ -0,0 +1,30 @@
+import crypto from "node:crypto";
+
+export function verifySignature(input: {
+  secret: string;
+  body: string;
+  signatureHeader?: string | null;
+}): boolean {
+  const { secret, body, signatureHeader } = input;
+  if (!signatureHeader) {
+    return false;
+  }
+
+  const expected = crypto
+    .createHmac("sha256", secret)
+    .update(body, "utf8")
+    .digest("hex");
+
+  const provided = signatureHeader.startsWith("sha256=")
+    ? signatureHeader.slice("sha256=".length)
+    : signatureHeader;
+
+  const expectedBuf = Buffer.from(expected);
+  const providedBuf = Buffer.from(provided);
+
+  if (expectedBuf.length !== providedBuf.length) {
+    return false;
+  }
+
+  return crypto.timingSafeEqual(expectedBuf, providedBuf);
+}