Verifying webhook authenticity using Spring Boot | Community
Skip to main content

Verifying webhook authenticity using Spring Boot

  • October 30, 2022
  • 2 replies
  • 0 views
J

I am migrating some code to Java Spring Boot and using Zendesk WebHooks. The Webhooks request have two headers.

X-Zendesk-Webhook-Signature - the main signature
X-Zendesk-Webhook-Signature-Timestamp - the timestamp used to verify the signature

Also there is a secret key. Until now I was able to test webhook and It successfully reached my @RestController but now I want to validate it that its coming from Zendesk. Ref - https://developer.zendesk.com/documentation/event-connectors/webhooks/verifying/

    2 replies

    Eric27
    • Eric27
    • November 1, 2022
    Hey there,
     
    Do you mind clarifying what your question is? Unfortunately we don't have a tutorial on how to handle webhook verification in java. 
     
    Sorry for the inconvenience 
    Michal11
    • Michal11
    • November 8, 2022

    @jehudowuf I'm verifying the request via this method and it works in Spring Boot :) arguments for the function come from webhook request: headers you mention and the full request body. Hope it helps :) Compared signatures in the final if statement should be the same.

    import javax.crypto.Mac;
    import javax.crypto.spec.SecretKeySpec;
    import java.nio.charset.StandardCharsets;
    import org.apache.tomcat.util.codec.binary.Base64;

    ......

    private final String zendeskSecretKey = "XXXXXXXXXXX_SECRET_FROM_WEBHOOK_CONFIG";

    public void validateZendeskWebhookRequest(String zendeskSignatureTimeStamp, String zendeskSignature, String requestBody) throws Exception {
            Mac sha256 = Mac.getInstance("HmacSHA256");
            SecretKeySpec secretKey = new SecretKeySpec(zendeskSecretKey.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
            sha256.init(secretKey);
            String signature =
                    Base64.encodeBase64String(
                            sha256.doFinal((zendeskSignatureTimeStamp + requestBody).getBytes(StandardCharsets.UTF_8)));

            LOGGER.debug("Request Validation Result: {} vs {}", signature, zendeskSignature);

            if (!zendeskSignature.equals(signature)) {
                throw new ZendeskRequestNotValidException();
            }
    }
    Terms & ConditionsCookie settingsAccessibility statement