Receiving Notifications
Code Sample
- Ruby
- NodeJS
require 'sinatra'
require 'json'
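# Webhook endpoint: accepts a notification only when its X-Go-Signature header
# equals the HMAC-SHA256 of the raw request body under the shared secret.
# Responds 400 when the signature is missing or does not match.
post '/callback' do
  # Read the body exactly as sent; the HMAC covers the raw payload, not
  # re-serialised JSON.
  request.body.rewind
  raw_body = request.body.read

  # ENV.fetch raises KeyError when the secret is not configured, so the
  # handler fails closed instead of attempting a check without a key.
  expected = OpenSSL::HMAC.hexdigest(
    OpenSSL::Digest.new('sha256'),
    ENV.fetch('NOTIFICATION_SECRET_KEY'),
    raw_body
  )

  # Rack exposes request headers in env as HTTP_<NAME> (upper case, dashes
  # turned into underscores), so X-Go-Signature is HTTP_X_GO_SIGNATURE.
  # to_s turns a missing header into "" so secure_compare returns false
  # rather than raising on nil.
  received = request.env['HTTP_X_GO_SIGNATURE'].to_s

  # Constant-time comparison: does not reveal how many leading characters of
  # a guessed signature were correct.
  if Rack::Utils.secure_compare(expected, received)
    # Parse only after the signature has been verified.
    notif = JSON.parse(raw_body)
    "I got some JSON: #{notif.inspect}"
  else
    halt 400, "Signatures didn't match!"
  end
end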
const express = require('express');
const bodyParser = require('body-parser');
const crypto = require('crypto');
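// Shared notification secret used as the HMAC key. It is read from the
// environment (same variable name as the Ruby sample) so the key is never
// committed to source control or copied along with the sample.
const SECRET_KEY = process.env.NOTIFICATION_SECRET_KEY;
if (!SECRET_KEY) {
  // Fail at start-up: without a key no signature can be verified.
  throw new Error('NOTIFICATION_SECRET_KEY is not set');
}
const app = express();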
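// Parse JSON bodies, and keep the bytes that were actually received so the
// webhook handler can verify the signature over them.
app.use(bodyParser.json({
  // body-parser calls verify with the raw body Buffer before parsing.
  // Store the Buffer itself: decoding it to a string first can alter bytes
  // that are not valid UTF-8, so the HMAC would no longer be computed over
  // what the sender signed.
  verify(req, res, buf) {
    req.rawBody = buf;
  },
}));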
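// Webhook endpoint: processes a notification only when its X-Go-Signature
// header equals the hex HMAC-SHA256 of the raw request body under SECRET_KEY.
// Responds 401 when the signature or raw body is missing, or on mismatch.
app.post('/webhook', (req, res) => {
  const signature = req.get('X-Go-Signature');
  const rawBody = req.rawBody;

  // Reject early when there is nothing to verify: no header, or no raw body
  // captured by the body parser (e.g. empty body or non-JSON content type).
  if (typeof signature !== 'string' || rawBody === undefined) {
    console.log("Unauthorized request");
    return res.status(401).send('Wrong request signature');
  }

  const expected = crypto
    .createHmac('sha256', SECRET_KEY)
    .update(rawBody)
    .digest('hex');

  // The expected digest is deliberately not logged: it is the valid
  // signature for this payload and does not belong in log files.
  const expectedBytes = Buffer.from(expected, 'utf8');
  const receivedBytes = Buffer.from(signature, 'utf8');

  // timingSafeEqual throws on unequal lengths, so check length first; the
  // comparison itself runs in constant time, unlike `!==` on strings.
  const matches =
    expectedBytes.length === receivedBytes.length &&
    crypto.timingSafeEqual(expectedBytes, receivedBytes);

  if (!matches) {
    console.log("Unauthorized request");
    return res.status(401).send('Wrong request signature');
  }

  // Do logic with the order data
  res.status(200).send("OK");
});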
// Logs a readiness message once the server is accepting connections.
const reportReady = () => {
  console.log(`Service is ready on port 3000`);
};

// Start the HTTP server on port 3000.
app.listen(3000, reportReady);
GoBiz uses a Signature Key mechanism to help you ensure that the notifications you receive are sent by GoBiz. Every request received from GoBiz should have the HTTP header X-Go-Signature, which is computed using HMAC (sha256, notification_secret_key, request_body). Compute the same HMAC over the raw request body exactly as received, before any JSON parsing, and compare it with the header value using a constant-time comparison. If the Signature Key in the request header does not match the Signature Key computed by you, ignore the notification.
The logic of the Signature Key and the sample code to generate the Signature Key are given on the side, in the code section.