Aurinko.Webhook.Verifier (Aurinko v0.2.1)


HMAC-SHA256 signature verification for Aurinko webhook payloads.

Aurinko signs outgoing webhook payloads with your client secret so you can verify they're genuine. Always verify signatures in production.

Usage

In a Phoenix controller or Plug endpoint:

defmodule MyAppWeb.WebhookController do
  use MyAppWeb, :controller

  def receive(conn, _params) do
    # The header is nil when the request is unsigned; verify/3 accepts nil.
    signature = get_req_header(conn, "x-aurinko-signature") |> List.first()
    # get_raw_body/1 is an application helper, not a Plug or Phoenix function:
    # the signature covers the exact request bytes, which Plug.Parsers consumes,
    # so the raw body must be cached (e.g. via a custom body_reader) before parsing.
    {:ok, raw_body} = get_raw_body(conn)

    case Aurinko.Webhook.Verifier.verify(raw_body, signature) do
      :ok ->
        # Decode only after the signature has been verified.
        payload = Jason.decode!(raw_body)
        MyApp.Webhooks.process(payload)
        send_resp(conn, 200, "ok")

      {:error, :invalid_signature} ->
        send_resp(conn, 401, "invalid signature")
    end
  end
end

Configuration

config :aurinko,
  webhook_secret: System.get_env("AURINKO_WEBHOOK_SECRET")

Or pass the secret explicitly:

Aurinko.Webhook.Verifier.verify(body, signature, secret: "my_secret")

Summary

Functions

Compute the expected HMAC-SHA256 signature for a payload.

Verify an Aurinko webhook signature.

Functions

sign(body, secret)

@spec sign(binary(), String.t()) :: String.t()

Compute the expected HMAC-SHA256 signature for a payload.

Useful for testing your webhook endpoint.

verify(body, signature, opts \\ [])

@spec verify(binary(), String.t() | nil, keyword()) ::
  :ok | {:error, :invalid_signature}

Verify an Aurinko webhook signature.

Returns :ok on success, {:error, :invalid_signature} on failure.

Timing-safe comparison is used to prevent timing attacks.
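The sign/verify pair described on this page, written out as an added Elixir example that is not the Aurinko library's own code, together with the Plug body reader most Phoenix apps need so the raw bytes behind the Usage section's get_raw_body/1 survive Plug.Parsers. It assumes the header carries the lowercase hex HMAC-SHA256 digest of the raw body and OTP 25+ for :crypto.hash_equals/2; the module names, secret and payload are constructed.

```elixir
# Added example, not the Aurinko library's code. Assumes the header carries the
# lowercase hex HMAC-SHA256 of the raw body bytes and OTP 25+ (hash_equals/2).
defmodule WebhookSig do
  # Hex HMAC-SHA256 over the exact raw bytes, never over re-encoded JSON.
  def sign(body, secret) when is_binary(body) and is_binary(secret) do
    :crypto.mac(:hmac, :sha256, secret, body) |> Base.encode16(case: :lower)
  end

  # Missing header: reject without doing any work with the secret.
  def verify(_body, nil, _secret), do: {:error, :invalid_signature}

  def verify(body, signature, secret) when is_binary(signature) do
    expected = sign(body, secret)
    # hash_equals/2 is constant-time but raises on unequal lengths, so check
    # the (public) length first, then compare without early exit on mismatch.
    if byte_size(signature) == byte_size(expected) and
         :crypto.hash_equals(expected, signature) do
      :ok
    else
      {:error, :invalid_signature}
    end
  end
end

# Plug.Parsers consumes the body before the controller runs, so cache the raw
# bytes with a body_reader (the pattern documented for Plug.Parsers):
#   plug Plug.Parsers, parsers: [:json], json_decoder: Jason,
#     body_reader: {MyApp.CacheBodyReader, :read_body, []}
# A controller then rebuilds the body with
#   conn.assigns.raw_body |> Enum.reverse() |> IO.iodata_to_binary()
defmodule MyApp.CacheBodyReader do
  def read_body(conn, opts) do
    {:ok, body, conn} = Plug.Conn.read_body(conn, opts)
    conn = update_in(conn.assigns[:raw_body], &[body | (&1 || [])])
    {:ok, body, conn}
  end
end

# Constructed values for a stand-alone check (elixir script.exs):
secret = "constructed-test-secret"
body = ~s({"event":"message.created","id":"evt_1"})
sig = WebhookSig.sign(body, secret)
:ok = WebhookSig.verify(body, sig, secret)
# Any change to the bytes, even trailing whitespace, invalidates the signature.
{:error, :invalid_signature} = WebhookSig.verify(body <> "\n", sig, secret)
{:error, :invalid_signature} = WebhookSig.verify(body, nil, secret)
{:error, :invalid_signature} = WebhookSig.verify(body, "deadbeef", secret)
IO.puts("webhook signature checks passed")
```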