Module: SignWell::Webhook

Defined in:
lib/signwell_sdk/webhook.rb

Class Method Summary

Class Method Details

.secure_compare(a, b) ⇒ Object

Constant-time string comparison to prevent timing attacks.



# File 'lib/signwell_sdk/webhook.rb', line 20

def self.secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  OpenSSL.fixed_length_secure_compare(a, b)
end

.verify_event(event:, webhook_id:) ⇒ Boolean

Verifies the authenticity of a SignWell webhook event using HMAC-SHA256.

Parameters:

  • event (Hash)

    Parsed webhook payload with 'type', 'time', and 'hash' keys

  • webhook_id (String)

    Your webhook's secret ID used as the HMAC key

Returns:

  • (Boolean)

    true if the event signature is valid



# File 'lib/signwell_sdk/webhook.rb', line 12

def self.verify_event(event:, webhook_id:)
  data = "#{event['type']}@#{event['time']}"
  expected = event['hash']
  calculated = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), webhook_id, data)
  secure_compare(calculated, expected)
end
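
The check above, extended for use in a webhook receiver. This is an added example, not code from signwell_sdk. It guards against a missing 'hash' key and, because the HMAC covers only type@time, bounds the event's age. The names check_webhook_event, event_signature and MAX_AGE are hypothetical, and it assumes event['time'] is a Unix timestamp in seconds.

```ruby
require 'openssl'

# Hypothetical caller-side wrapper; not part of signwell_sdk.
# Assumption: event['time'] is a Unix timestamp in seconds.
MAX_AGE = 300 # seconds; an arbitrary window chosen for this example

# Same construction as verify_event: HMAC-SHA256 over "type@time".
def event_signature(type, time, webhook_id)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), webhook_id, "#{type}@#{time}")
end

# Returns :ok, or a symbol naming why the event was rejected.
def check_webhook_event(event, webhook_id, now: Time.now.to_i)
  return :malformed unless event.is_a?(Hash)

  type, time, given = event.values_at('type', 'time', 'hash')
  # With no 'hash' key, secure_compare would call nil.bytesize and raise
  # NoMethodError instead of returning false, so reject such events first.
  return :malformed unless type.is_a?(String) && given.is_a?(String)
  return :malformed unless time.to_s.match?(/\A\d+\z/)

  calculated = event_signature(type, time, webhook_id)
  # fixed_length_secure_compare raises on unequal lengths, hence the guard.
  return :bad_signature unless calculated.bytesize == given.bytesize &&
                               OpenSSL.fixed_length_secure_compare(calculated, given)

  # The MAC does not cover the rest of the payload and never expires, so a
  # captured valid event keeps verifying; bound its age after the MAC check.
  return :stale if (now - time.to_i).abs > MAX_AGE

  :ok
end

# Constructed sample data for the example (not real SignWell values).
SAMPLE_KEY = 'constructed-webhook-id'
SAMPLE_NOW = 1_700_000_000
SAMPLE_EVENT = {
  'type' => 'document_completed',
  'time' => SAMPLE_NOW - 10,
  'hash' => event_signature('document_completed', SAMPLE_NOW - 10, SAMPLE_KEY)
}.freeze
```

Only 'type' and 'time' are authenticated here; other fields in the delivered payload should not be trusted on the strength of this check alone.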