以下函数用于接收Lemon Squeezy webhook请求:
public ActionResult lsHook(LemonsqueezyWebhook lemonsqueezyWebhook)
{
...
}
它按照有效载荷数据的预期工作.Lemon Squeezy使用X-Signature来帮助确认请求实际上来自Lemon Squeezy,而不是钓鱼网站.下面是他们的代码示例:
$secret = '[SIGNING_SECRET]'; // from your webhook settings
$payload = file_get_contents('php://input');
$hash = hash_hmac('sha256', $payload, $secret);
$signature = $_SERVER['HTTP_X_SIGNATURE'] ?? '';
if (!hash_equals($hash, $signature)) {
throw new Exception('Invalid signature.');
}
以下是我在ActionResult lsHook(LemonsqueezyWebhook lemonsqueezyWebhook)
中执行相同操作的C#代码:
StringBuilder sb = new StringBuilder("X-Signature")
if (Request.Headers.AllKeys.Contains("X-Signature"))
{
foreach (string sValue in Request.Headers.GetValues("X-Signature"))
{
sb.Append(Environment.NewLine).Append(sValue);
}
Request.InputStream.Seek(0, SeekOrigin.Begin);
string sPayload = new StreamReader(Request.InputStream).ReadToEnd();
using (var sha256 = SHA256.Create())
{
byte[] payloadBytes = Encoding.UTF8.GetBytes(sPayload);
byte[] secretBytes = Encoding.UTF8.GetBytes("mysecret");
// Combine payload and secret
byte[] data = payloadBytes.Concat(secretBytes).ToArray();
// Hash the combined data
byte[] hash = sha256.ComputeHash(data);
sb.Append(Environment.NewLine + "hash: ").Append(BitConverter.ToString(hash).Replace("-", "").ToLower());
}
}
以下是我从某人的一个请求中得到的:
dab5a3c5f205f60aa09ab00098f67917e8fcc6b05e64d510b656d82f35bca97c
hash: 3ee77ac08f050e1338ca3a4a8c0162eb8ff9aa1fb7d89418881492a52da1cc37
它们不相配.sPayload
看起来是正确的.它是json对象.有没有人能就可能的原因给出一个提示?
Update:个
将var sha256 = SHA256.Create()
替换为var sha256 = HMACSHA256.Create()
后,我得到了以下结果:
10de6aa343a95017309a7e7d3b683fb35afa4be9f67c41c2d87ae1f9872e0914
hash: 9dceac34439623bff6549b2dd264672e0cc20910