import express from 'express';
import crypto from 'crypto';
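const app = express();

// Use raw body for signature verification: express.raw() keeps req.body as the
// exact bytes received (a Buffer), so the HMAC is computed over what the sender
// actually signed rather than over a re-serialised object.
app.post('/webhooks/pocketsflow', express.raw({ type: 'application/json' }), (req, res) => {
  const signature = req.header('x-pocketsflow-signature');
  const secret = process.env.POCKETSFLOW_WEBHOOK_SECRET;
  const rawBody = req.body;

  // express.raw() only parses the configured content type; for anything else
  // req.body is not a Buffer, so reject before hashing or parsing it.
  if (!Buffer.isBuffer(rawBody) || rawBody.length === 0) {
    return res.status(400).send('Invalid body');
  }

  // Authenticate first: nothing below runs on an unverified payload.
  if (!verifySignature(rawBody, signature, secret)) {
    return res.status(400).send('Invalid signature');
  }

  let event;
  try {
    event = JSON.parse(rawBody.toString('utf8'));
  } catch (err) {
    // A signed but malformed body is a client error, not an unhandled 500.
    return res.status(400).send('Invalid JSON');
  }
  // The idempotency check keys on event.id; without it the check is meaningless.
  // NOTE(review): assumes every Pocketsflow event carries an id — confirm against the docs.
  if (event === null || typeof event !== 'object' || event.id == null) {
    return res.status(400).send('Invalid event');
  }

  // Idempotency: providers retry deliveries, so a repeated id is acknowledged
  // with 200 without re-running side effects.
  if (alreadyProcessed(event.id)) {
    return res.status(200).send('Already processed');
  }

  // NOTE(review): if handleEvent is async, its rejection is not handled here — confirm.
  handleEvent(event);
  res.status(200).send('OK');
});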
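/**
 * Checks a webhook signature against an HMAC-SHA256 of the raw request body.
 *
 * @param {Buffer|string} rawBody - exact bytes received (what the sender signed)
 * @param {string|undefined} signature - value of the signature header, hex-encoded
 * @param {string|undefined} secret - shared webhook secret
 * @returns {boolean} true only when the signature matches; a missing or
 *   malformed signature yields false instead of throwing
 * @throws {Error} when no secret is configured — a misconfiguration should fail loudly
 */
function verifySignature(rawBody, signature, secret) {
  // Replace with the algorithm documented by Pocketsflow
  if (secret == null || secret.length === 0) {
    throw new Error('webhook secret is not configured');
  }
  // A missing header used to make Buffer.from() throw (→ 500); it is simply a failed check.
  if (typeof signature !== 'string') {
    return false;
  }

  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  const provided = Buffer.from(signature, 'utf8');
  const wanted = Buffer.from(expected, 'utf8');

  // timingSafeEqual throws on unequal lengths; the digest length is fixed and
  // public, so rejecting on length early leaks nothing about the secret.
  if (provided.length !== wanted.length) {
    return false;
  }
  return crypto.timingSafeEqual(provided, wanted);
}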