Securing Your Callback
In order to secure your data, make sure the callbacks are coming from StraitsX in order to avoid attackers sending malformed data. The easiest way to verify the callbacks is to validate the signature that is sent along with the request.
Retrieve the signing secret from your dashboard
Once you have saved your application's callback end-point, we will provide you with a "Signing Secret". This "Signing Secret" can be used for all our endpoints.
Calculate and compare HMAC Signature
Calculate the signature by using signing secret and request body with HMAC-SHA256 algorithm. For example:
# NOTE: It's recommended for you to put the secret in a secret file or environment variable.
# We are showing it directly in the code for illustration purposes only.
SIGNING_SECRET = "ss_5572cf13d099"
post '/callback' do
request.body.rewind
payload_body = request.body.read
verify_signature!(request.headers["Xfers-Signature"], payload_body)
puts "Got a valid request"
end
def verify_signature!(signature, payload_body)
generated_signature = OpenSSL::HMAC.hexdigest(
"SHA256",
SIGNING_SECRET,
payload_body,
)
raise "Invalid signature!" unless Rack::Utils.secure_compare(signature, generated_signature)
end
const express = require('express');
const crypto = require('crypto');
const bodyParser = require('body-parser');
const app = express();
const SIGNING_SECRET = "ss_5572cf13d099";
app.use(bodyParser.text());
app.post('/callback', (req, res) => {
const payloadBody = req.body;
const signature = req.headers["xfers-signature"];
verifySignature(signature, payloadBody);
console.log("Got a valid request");
res.status(200).send("OK");
});
function verifySignature(signature, payloadBody) {
const generatedSignature = crypto.createHmac('sha256', SIGNING_SECRET)
.update(payloadBody)
.digest('hex');
if (signature !== generatedSignature) {
throw new Error("Invalid signature!");
}
}
const PORT = 3000; // You can choose your desired port
app.listen(PORT, () => {
console.log(`Server is running on port ${PORT}`);
});
Updated 4 months ago