Simplified webhook signature verification for any provider.
Pitch

Trusthook offers a streamlined solution for verifying webhook signatures from various providers like Stripe, GitHub, and Shopify. With a single call, manage differences in signature formats and enjoy replay protection, all while relying on Go's standard library without external dependencies. Simplify secure API interactions effortlessly.

Description

Trusthook provides a streamlined solution for verifying webhook signatures across a variety of providers, including Stripe, GitHub, Shopify, and more. This project focuses on ensuring secure and reliable handling of webhook events by addressing the unique signing methods utilized by different services. With Trusthook, verification processes are simplified, requiring only a single API call for signature validation, while also incorporating replay protection and requiring no external dependencies.

Key Features:

  • Universal API: Verify inbound webhook signatures from multiple providers seamlessly. Trusthook supports diverse signing methods, accommodating variations such as hex vs. base64 and HMAC vs. Ed25519.
  • Zero Dependencies: Built solely with Go's standard library, ensuring minimal overhead and hassle-free integration.
  • Replay Protection: Rejects replayed deliveries, so a captured request cannot simply be resubmitted to your endpoint.
  • Performance-Optimized: Quick signature verification that operates efficiently within microseconds, making it suitable for high-throughput applications.

Usage Example:

To verify a signature, specify the provider and pass the raw request body, the request headers, and your webhook secret. Verify returns nil if the signature is valid and an error otherwise.

package main

import (
	"io"
	"net/http"
	"github.com/eben-vranken/trusthook"
)

func handleWebhook(w http.ResponseWriter, r *http.Request) {
	// Read the raw body first: the signature covers the exact bytes the provider sent,
	// so the body must not be decoded or re-serialized before verification.
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "cannot read body", http.StatusBadRequest)
		return
	}

	err = trusthook.Verify(trusthook.GitHub, body, r.Header, "your-webhook-secret")
	if err != nil {
		http.Error(w, "invalid signature", http.StatusUnauthorized)
		return
	}

	// Signature is valid. Handle the event.
}

Supported Providers:

Provider   Scheme
Stripe     HMAC-SHA256 (timestamped)
GitHub     HMAC-SHA256 (hex)
Shopify    HMAC-SHA256 (base64)
Slack      HMAC-SHA256 (timestamped)
Discord    Ed25519
...        ...

Error Handling:

Trusthook provides specific errors for various failure scenarios, allowing for straightforward error management and implementation of custom responses to invalid signature events.
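The following is an added, self-contained illustration of what the three HMAC-SHA256 variants in the provider table above amount to, and of the sentinel-error style the error-handling paragraph describes. It is not Trusthook's code and does not use its API: the function names (VerifyHex, VerifyBase64, VerifyTimestamped, SignTimestamped) and the error variables are assumptions made for this example. The header formats are modeled on the schemes named in the table (a hex digest with a "sha256=" prefix, a bare base64 digest, and a timestamped "t=<unix>,v1=<hex>" value signed over "<unix>.<body>"); the Ed25519 variant is not shown. Sample payloads and secrets are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Sentinel errors let callers tell failure modes apart with errors.Is.
var (
	ErrMissingSignature = errors.New("webhook: missing or malformed signature header")
	ErrInvalidSignature = errors.New("webhook: signature mismatch")
	ErrExpired          = errors.New("webhook: timestamp outside tolerance (possible replay)")
)

// checkMAC recomputes HMAC-SHA256(secret, msg) and compares it in constant time.
func checkMAC(got []byte, decodeErr error, secret string, msg []byte) error {
	if decodeErr != nil {
		return ErrMissingSignature
	}
	m := hmac.New(sha256.New, []byte(secret))
	m.Write(msg)
	// hmac.Equal is constant-time; never compare MACs with == or bytes.Equal.
	if !hmac.Equal(got, m.Sum(nil)) {
		return ErrInvalidSignature
	}
	return nil
}

// VerifyHex checks a GitHub-style value: "sha256=" + hex(HMAC(body)).
func VerifyHex(body []byte, header, secret string) error {
	if !strings.HasPrefix(header, "sha256=") {
		return ErrMissingSignature
	}
	got, err := hex.DecodeString(strings.TrimPrefix(header, "sha256="))
	return checkMAC(got, err, secret, body)
}

// VerifyBase64 checks a Shopify-style value: base64(HMAC(body)).
func VerifyBase64(body []byte, header, secret string) error {
	if header == "" {
		return ErrMissingSignature
	}
	got, err := base64.StdEncoding.DecodeString(header)
	return checkMAC(got, err, secret, body)
}

// VerifyTimestamped checks a Stripe-style value "t=<unix>,v1=<hex>" where the
// signed string is "<unix>.<body>". The MAC binds the timestamp, so a forged t
// fails the MAC check and a genuine but stale t fails the freshness check.
func VerifyTimestamped(body []byte, header, secret string, now time.Time, tolerance time.Duration) error {
	var tsStr, sigHex string
	for _, part := range strings.Split(header, ",") {
		if k, v, ok := strings.Cut(part, "="); ok {
			switch k {
			case "t":
				tsStr = v
			case "v1":
				sigHex = v
			}
		}
	}
	ts, err := strconv.ParseInt(tsStr, 10, 64)
	if err != nil || sigHex == "" {
		return ErrMissingSignature
	}
	got, err := hex.DecodeString(sigHex)
	if e := checkMAC(got, err, secret, []byte(tsStr+"."+string(body))); e != nil {
		return e
	}
	if d := now.Sub(time.Unix(ts, 0)); d > tolerance || d < -tolerance {
		return ErrExpired
	}
	return nil
}

// SignTimestamped is the sender side of the timestamped scheme, used here only
// to build constructed sample input; a real provider does this on its end.
func SignTimestamped(body []byte, secret string, t time.Time) string {
	ts := strconv.FormatInt(t.Unix(), 10)
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(ts + "." + string(body)))
	return "t=" + ts + ",v1=" + hex.EncodeToString(m.Sum(nil))
}

func main() {
	body := []byte(`{"event":"order.paid","id":"evt_123"}`) // constructed sample payload
	secret := "whsec_example"                              // constructed sample secret
	sent := time.Unix(1700000000, 0)
	hdr := SignTimestamped(body, secret, sent)
	fmt.Println("fresh:   ", VerifyTimestamped(body, hdr, secret, sent.Add(time.Minute), 5*time.Minute))
	fmt.Println("replayed:", VerifyTimestamped(body, hdr, secret, sent.Add(time.Hour), 5*time.Minute))
	fmt.Println("tampered:", VerifyTimestamped([]byte(`{"event":"x"}`), hdr, secret, sent, 5*time.Minute))
}
```

Two design points carry over to any provider: the comparison must be constant-time (hmac.Equal), and in the timestamped scheme the freshness window is what turns a signature check into replay protection, because a valid but old delivery is rejected even though its MAC still verifies. Callers branch on the sentinel errors with errors.Is rather than on error strings.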

For further details, consult the official documentation on pkg.go.dev.

Trusthook stands as a powerful tool for developers looking to enhance webhook security and reliability without the complexity often associated with signature verification.
